This package can create URLs with a limited lifetime. This is done by adding an expiration date and a signature to the URL.

This is how you can create signed URL that's valid for 30 days:

UrlSigner::sign('https://myapp.com/protected-route', 30);

The output will look like this:

https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx

The URL can be validated with the validate-function.

UrlSigner::validate('https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx');

The package also provides a middleware to protect routes.

As you would have guessed the package can be installed via Composer:

$ composer require spatie/laravel-url-signer

To enable the package, register the serviceprovider, and optionally register the facade:

// config/app.php

'providers' => [
    ...
    Spatie\UrlSigner\Laravel\UrlSignerServiceProvider::class,
];

'aliases' => [
    ...
    'UrlSigner' => Spatie\UrlSigner\Laravel\UrlSignerFacade::class,
];

The configuration file can optionally be published via:

php artisan vendor:publish --provider="Spatie\UrlSigner\Laravel\UrlSignerServiceProvider"

This is the contents of the file:

return [

    /*
    * This string is used the to generate a signature. You should
    * keep this value secret.
    */
    'signatureKey' => config('app.key'),

    /*
     * The default expiration time of a URL in days.
     */
    'default_expiration_time_in_days' => 1,

    /*
     * These strings are used a parameter names in a signed url.
     */
    'parameters' => [
        'expires' => 'expires',
        'signature' => 'signature',
    ],

];

##Usage

###Signing URLs URL's can be signed with the sign-method:

UrlSigner::sign('https://myapp.com/protected-route');

By default the lifetime of an URL is one day. This value can be change in the config-file. If you want a custom life time, you can specify the number of days the URL should be valid:

//the generated URL will be valid for 5 days.
UrlSigner::sign('https://myapp.com/protected-route', 5);

For fine grained control, you may also pass a DateTime instance as the second parameter. The url will be valid up to that moment. This example uses Carbon for convience:

//This URL will be valid up until 2 hours from the moment it was generated.
UrlSigner::sign('https://myapp.com/protected-route', Carbon\Carbon::now()->addHours(2); );

###Validating URLs To validate a signed URL, simply call the validate()-method. This return a boolean.

UrlSigner::validate('https://app.com/protected-route?expires=xxxxxx&signature=xxxxxx');

###Protecting routes with middleware The package also provides a middleware to protect routes:

Route::get('protected-route', ['middleware' => 'signedurl', function () {
    return 'Hello secret world!';
}]);

Your app will abort with a 403 status code if the route is called without a valid signature.

Please see CHANGELOG for more information what has changed recently.

$ vendor/bin/phpunit

##Usage outside Laravel If you're working on a non-Laraval project, you can use the framework agnostic version.

Please see CONTRIBUTING for details.

If you discover any security related issues, please email freek@spatie.be instead of using the issue tracker.

• Sebastian De Deyne
• All Contributors

Spatie is a webdesign agency in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.

The MIT License (MIT). Please see License File for more information.