Filament Firewall Laravel Package

Getting Started

First Steps

1. Installation

   composer require solution-forest/filament-firewall
   

   Publish the config file:

   php artisan vendor:publish --provider="SolutionForest\FilamentFirewall\FilamentFirewallServiceProvider" --tag="filament-firewall-config"
   

2. Basic Setup Register the middleware in app/Providers/Filament/AdminPanelProvider.php:

   public function panel(Panel $panel): Panel
   {
       return $panel
           ->middleware([
               \SolutionForest\FilamentFirewall\Http\Middleware\FilamentFirewall::class,
           ]);
   }
   

3. First Use Case Define a whitelist in config/filament-firewall.php:

   'whitelist' => [
       'ips' => ['192.168.1.1', '127.0.0.1'],
       'users' => ['admin@example.com'],
   ],
   

   Now, only users from these IPs or emails can access Filament.

Implementation Patterns

Core Workflows

1. Dynamic Whitelisting Override the default whitelist via middleware parameters:

   // In a route or controller
   $middleware = new \SolutionForest\FilamentFirewall\Http\Middleware\FilamentFirewall(
       app('filament-firewall'),
       ['ips' => ['192.168.1.2']]
   );
   

2. User-Based Rules Use Filament’s built-in user resolver:

   'whitelist' => [
       'users' => fn () => User::where('role', 'admin')->pluck('email')->toArray(),
   ],
   

3. Geolocation Integration Combine with a package like spatie/geoip to whitelist by country:

   'whitelist' => [
       'countries' => ['US', 'CA'],
   ],
   

Integration Tips

• Filament Policies: Extend Filament’s CanAccessPanel policy to include firewall checks.
• API Routes: Apply the middleware to API routes using Route::middleware(FilamentFirewall::class).
• Testing: Mock the middleware in tests:

  $this->actingAs($user)
       ->withHeaders(['REMOTE_ADDR' => '192.168.1.1'])
       ->get('/admin');
  

Gotchas and Tips

Common Pitfalls

1. IP Spoofing

   • The package checks REMOTE_ADDR, which can be spoofed. For stricter security, use:

     'trusted_proxies' => ['192.168.1.100'], // Trusted proxy IPs
     'use_trusted_proxies' => true,
     

2. Caching Headaches

   • If using users whitelisting with dynamic queries, cache the results to avoid performance hits:

     'whitelist' => [
         'users' => Cache::remember('filament_whitelist_users', now()->addHours(1), fn () => User::where(...)->pluck('email')->toArray()),
     ],
     

3. Case Sensitivity

   • Email comparisons are case-insensitive by default. Override in config:

     'email_case_sensitive' => true,
     

Debugging Tips

• Log Blocked Requests Enable logging in config:

  'log_blocked_requests' => true,
  

  Check storage/logs/laravel.log for blocked attempts.

• Bypass for Testing Use the FIREWALL_BYPASS env var:

  export FIREWALL_BYPASS=true
  

Extension Points

1. Custom Validators Extend the validator class:

   namespace App\Extensions;
   
   use SolutionForest\FilamentFirewall\Validators\FirewallValidator;
   
   class CustomFirewallValidator extends FirewallValidator
   {
       public function validate($request)
       {
           // Custom logic
           return parent::validate($request);
       }
   }
   

   Register in FilamentFirewallServiceProvider.php.

2. Event Listeners Listen for filament.firewall.blocked and filament.firewall.allowed events to trigger custom actions (e.g., Slack alerts).

3. Rate Limiting Combine with Laravel’s throttle middleware for brute-force protection:

   ->middleware([
       \SolutionForest\FilamentFirewall\Http\Middleware\FilamentFirewall::class,
       \Illuminate\Cache\Middleware\ThrottleRequests::class . ':5,1',
   ]);