Getting Started

Minimal Steps

Installation:
```
composer require darvis/livewire-injection-stopper
```
No additional configuration is required for spam bot blocking—it activates immediately.
First Use Case:
- Spam Bot Protection: Deploy your Livewire app and observe reduced spam submissions (e.g., form spam, fake user registrations).
- Security Audit: Run the built-in scanner to identify vulnerable Livewire properties:
```
php artisan livewire:audit
```
  This outputs a list of public/protected properties in your Livewire components that could be manipulated by attackers (e.g., $isAdmin, $userRole).
Where to Look First:
- Audit Results: Check the terminal output of livewire:audit for immediate action items.
- Middleware: The package adds middleware at app/Http/Middleware/BlockSpamBots.php (extendable for custom rules).
- Error Handling: Review app/Exceptions/HandleLivewireInjectionErrors.php to customize how bot-driven errors are silenced.

Implementation Patterns

Core Workflows

Spam Bot Blocking:
- Integration: Automatically applied to all routes via Laravel’s middleware stack. No manual route assignment needed.
- Customization: Extend BlockSpamBots middleware to whitelist/blacklist specific user agents or IPs:
```
// app/Http/Middleware/BlockSpamBots.php
protected function isSpamBot(Request $request): bool {
    return $request->userAgent() === 'Python-urllib/3.11' ||
           parent::isSpamBot($request);
}
```

Livewire Security Auditing:

Scheduled Scans: Add to app/Console/Kernel.php to run audits daily:

protected function schedule(Schedule $schedule) {
    $schedule->command('livewire:audit')->daily();
}

CI/CD Integration: Run audits in GitHub Actions or GitLab CI to catch vulnerabilities early:

# .github/workflows/security.yml
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: composer install
      - run: php artisan livewire:audit

Error Suppression:

Sentry Integration: Errors like CannotUpdateLockedPropertyException are caught and logged silently. To customize:

// app/Exceptions/HandleLivewireInjectionErrors.php
public function report(Throwable $exception) {
    if ($exception instanceof \Livewire\Exceptions\CannotUpdateLockedPropertyException) {
        \Log::warning('Bot attempted to manipulate Livewire property', [
            'exception' => $exception,
            'user_agent' => request()->userAgent()
        ]);
        return; // Prevent Sentry from reporting
    }
    parent::report($exception);
}

Integration Tips

Livewire Components: Use public properties sparingly. Prefer:

// Secure: Protected property (not directly manipulable via URL)
protected $isAdmin = false;

// Unsafe: Public property (exposed to injection)
public $isAdmin = false;

Form Handling: Combine with Laravel’s built-in CSRF protection and Livewire’s $rules validation:

use Livewire\Attributes\Rule;

public $email;
#[Rule('required|email')]
public function rules() { return []; }

Gotchas and Tips

Pitfalls

False Positives in Audits:
- The scanner flags all public/protected properties by default. Some may be intentionally exposed (e.g., $searchQuery for a search component).
- Fix: Exclude properties via annotations:
```
use Livewire\Attributes\IgnoreInjectionCheck;

#[IgnoreInjectionCheck]
public $searchQuery;
```
Over-Silencing Errors:
- Suppressing all CannotUpdateLockedPropertyException errors might hide legitimate issues.
- Tip: Log suppressed errors to a dedicated channel (e.g., single channel in config/logging.php):
```
'channels' => [
    'injection_attempts' => [
        'driver' => 'single',
        'path' => storage_path('logs/injection_attempts.log'),
        'level' => 'warning',
    ],
],
```
Performance Impact:
- The spam bot middleware adds minimal overhead (~1ms per request). For high-traffic apps, test under load:
```
artisan livewire:audit --profile  # If profiling becomes available
```
Livewire 3.x Compatibility:
- The package assumes Livewire 2.x syntax (e.g., public properties). If upgrading to Livewire 3.x:
- Action: Update property visibility checks in BlockSpamBots middleware to match Livewire 3’s property system.

Debugging

Audit False Negatives:
- If a vulnerable property isn’t caught, ensure the component is autoloaded. Run:
```
composer dump-autoload
```
- For custom Livewire classes, verify they’re registered in config/livewire.php under component_path.

Middleware Debugging:

Temporarily disable bot blocking to test:

// app/Http/Kernel.php
protected $middleware = [
    // ... other middleware
    // \Darvis\LivewireInjectionStopper\Http\Middleware\BlockSpamBots::class, // Comment out
];

Extension Points

Custom Spam Detection:

Override isSpamBot() in BlockSpamBots to use IP reputation services (e.g., AbuseIPDB):

use AbuseFilter\AbuseFilter;

protected function isSpamBot(Request $request): bool {
    $ip = $request->ip();
    $filter = new AbuseFilter('your_api_key');
    return $filter->check($ip) || parent::isSpamBot($request);
}

Audit Customization:

Extend the scanner to check for specific patterns (e.g., SQL-like strings in property names):

// app/Providers/AppServiceProvider.php
use Darvis\LivewireInjectionStopper\Scanners\LivewireScanner;

public function boot() {
    LivewireScanner::macro('checkForSqlKeywords', function ($properties) {
        foreach ($properties as $property) {
            if (preg_match('/(select|insert|drop)/i', $property)) {
                return [$property, 'Potential SQL keyword in property name'];
            }
        }
        return [];
    });
}

Error Handling Granularity:

Differentiate between bot-driven and user-driven errors by adding context to exceptions:

// app/Exceptions/HandleLivewireInjectionErrors.php
public function report(Throwable $exception) {
    if ($exception instanceof \TypeError && $this->isBotRequest()) {
        $exception->setContext(['source' => 'bot_injection']);
    }
}

Livewire Injection Stopper Laravel Package