Skip to content

Fix unhandled 500 when a proxy target host is blocked#105

Open
morcen wants to merge 1 commit into
mainfrom
fix/issue-83-catch-disallowed-proxy-target-exception
Open

Fix unhandled 500 when a proxy target host is blocked#105
morcen wants to merge 1 commit into
mainfrom
fix/issue-83-catch-disallowed-proxy-target-exception

Conversation

@morcen

@morcen morcen commented Jul 11, 2026

Copy link
Copy Markdown
Owner

What was broken

AllowedHostsGuard::check() throws DisallowedProxyTargetException when a handler's base_uri host is not in the configured allowed_hosts list. PassageController::handle() only caught InvalidBaseUriException around that call, so DisallowedProxyTargetException propagated as an unhandled exception, producing a generic 500 framework error page instead of a clean JSON response.

The allowed_hosts guard is a security feature meant to prevent open-proxy misconfigurations, but its failure mode leaked internals (a framework error page) and broke API clients expecting JSON error responses from Passage.

What changed

  • src/Http/Controllers/PassageController.php: catch DisallowedProxyTargetException alongside InvalidBaseUriException and return a JSON 403 response with the exception message.
  • tests/Unit/PassageControllerTest.php: add a regression test that enables enforce_allowed_hosts, hits a route whose handler's base_uri targets a disallowed host, and asserts a JSON 403 response instead of a crash.

Verification

  • vendor/bin/pint --dirty: passed
  • composer test (vendor/bin/pest): 104 tests passed, 262 assertions

Fixes #83.


Generated by Claude Code

AllowedHostsGuard::check() throws DisallowedProxyTargetException when
a handler's base_uri host is not in the allowed_hosts list, but
PassageController only caught InvalidBaseUriException. A blocked host
therefore surfaced as an unhandled 500 with a framework error page
instead of a clean JSON response, leaking internals and breaking API
clients that expect JSON errors from Passage.

Catch DisallowedProxyTargetException alongside InvalidBaseUriException
and return a JSON 403 response.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

DisallowedProxyTargetException is never caught, blocked hosts return 500

1 participant