Bug: auth.required middleware is not triggered on dynamic routes within app()->group()

[ronaldomussa]

When using auth.required middleware inside app()->group(), dynamic routes like /clients/{id} skip the middleware execution. This causes the controller to be executed even if there’s no authenticated user.

It works fine on static routes like /clients, but on dynamic ones, the middleware is ignored.

Steps to reproduce the behavior:

In your routes/web.php, define a middleware group:

app()->group('/cms', [
    'middleware' => 'auth.required',
    function () {
        app()->get('/clients', 'Auth\ClientController@index');
        app()->get('/clients/{id}', 'Auth\ClientController@show');
    }
]);

Ensure your auth.required middleware redirects if the user is not logged in.

Access /cms/clients while logged out → ✅ Middleware works (redirects).

Access /cms/clients/1 while logged out → ❌ Controller runs, middleware is skipped.

Expected behavior
All routes (static or dynamic) inside the app()->group() with auth.required should be protected. If a user is not logged in, the middleware should redirect and prevent controller execution.

Additional context
Leaf version: v3.x

Middleware is registered via auth()->middleware('auth.required', callback)

DevTools log shows controller is called before the middleware on dynamic routes.

[mychidarko]

Hi @ronaldomussa, I'm just seeing this. Will try to replicate on my end, thanks for the detail

[ronaldomussa]

Hello @mychidarko, I just fix this issue on leaf/src/Router.php with this code replacing the line 827

$routesToRun = array_filter($routeToHandle, function ($route) use ($uri) {
          $pattern = $route['route']['pattern'];
      
          // Converte para regex se contiver parâmetros dinâmicos
          $regexPattern = '#^' . preg_replace('/\{[^}]+\}/', '([^/]+)', $pattern) . '$#';
      
          return preg_match($regexPattern, $uri)
              || $pattern === $uri
              || $pattern === '/.*'
              || implode('/', $route['params'] ?? []) === ltrim($uri, '/');
      });

Root cause
In Router.php, the current logic inside handle() uses a direct equality check on $route['route']['pattern'] === $uri, which fails for dynamic route patterns.

Fix
This PR replaces that brittle check with a preg_match to verify if the route pattern matches the URI:

This fix was tested in a real project using dynamic routes inside a group with middleware. After this change, middleware was properly triggered before controller execution.

[patrickvuarnoz]

@mychidarko What's the status on this one? I'm running into the same issue with Leaf 4.

I'm not sure why @ronaldomussa replaces occurrences of {...} in the pattern. As far as I can see those {some_id} are part of the route paths at definition time and not part of the final route patterns that are compared in Router::handle(). At least not in Leaf 4. I came up with a similar solution:

$routesToRun = array_filter($routeToHandle, function ($route) use ($uri) {
    return preg_match('/^' . str_replace('/', '\/', $route['route']['pattern']) . '$/', $uri);
});

The point is that all characters in the route pattern that match the regexp delimiter (/ in my case, # in ronaldo's case) must be escaped. But besides that the pattern already is a valid regexp.

What I also don't understand is, why the pattern is directly 1:1 compared to the $uri, to /.* and the implode() part. If $uri is known and the patterns are defined correctly, only the regexp matching is required.

[patrickvuarnoz]

@mychidarko Is there any progress on this one? Are you guys still maintaining this?