Disable web ui route /__clockwork for production environments

[wsalazar]

Hello.

I was recently looking for an alternative to barryvdh/debugbar as it doesn't work with the app that I'm working on. Our stack is Laravel API with a react/next frontend.

I happened to find Clockwork which integrates perfectly with our app.

One concern is that we're using nginx. Since it's the first time I'm personally using nginx we have to register our routes in our config. Unfortunately, we're not differentiating our nginx conf file between dev and production and my lead doesn't want for /__clockwork to make it to production.

I have enabled the Web UI for clockwork. Our concern is that we don't want it enabled in production only for development.

As I was digging through the code I found CLOCKWORK_WEB and I set it false in our .env file. When I try to access /__clockwork I get a 404. I was wondering if there was another way where if someone in production attempted to access /__clockwork it would just redirect them to /

I did have another solution that I am running by my lead and am awaiting his response. But I was wondering if there was any solution that you could offer as my lead and I would really enjoy having the /__clockwork route enabled but only for our local environments.

Any feedback would be greatly appreciated.

I was also wondering if there is no solution that you can offer if we could possibly provide a PR for a solution. Of course to be approved by you provided you deem it a good solution.

Thank you for your time. Looking forward to hearing from you.

[nadinengland]

This might not help but incase it does, in our case we didn't want any of Clockwork running on production. Our solution was then to add the package to our disable autoload in the composer.json, then manually load the ServiceProvider in your AppServiceProvider using env flags:

class AppServiceProvider extends ServiceProvider
{
    public function register()
    {
        if (!$this->app->environment('production')) {
            $this->app->register(\Clockwork\Support\Laravel\ClockworkServiceProvider::class);
        }
    }

    ...
}

To answer your question more directly, you could continue to disable with CLOCKWORK_WEB then in your routes/web.php you could conditionally add a route for Route::redirect('/__clockwork', '/');.

[wsalazar]

Ahhh that's a good idea. We have package discovery in our composer.json. But I could definitely try your suggestion.

I was thinking that clockwork would actually copy over some kind of config file but unfortunately it doesn't. Doing so would have made it configurable and more developer friendly. Like unlocking other features perhaps.

[wsalazar]

I actually didn't have to disable CLOCKWORK_WEB in .env. I just had to publish the config file and make it so that web was false. Unfortunately, it still comes up as 404. Would prefer somehow that it just redirect to '/'. I tried Route::redirect('/__clockwork', '/'); in my web.php but that didn't work. I even registered it in AppServiceProvider.

Also, there seem to be a weird issue when committing my code when I published my clockwork.php config file.

'serialization_blackbox' => [
		\Illuminate\Container\Container::class,
		\Illuminate\Foundation\Application::class,
		\Laravel\Lumen\Application::class
	],

We use husky and when I commit my code since I published the clockwork.php config file. That last element in the array throws an error. Also, my php linting has that line highlighted. Is it something that I misconfigured or is this an actual issue? I had to remove it from my published config file to be able to pass husky's php linting.

[itsgoingd]

Retuning 404 when you access an undefined route seems reasonable to me, in fact redirecting to index I would find surprising. You can handle the not found exceptions in your exception handler if you want a different behavior.

If you want to completely disable Clockwork in an environment the solution suggested by @nadinengland seems reasonable.

As for the config file, you can remove the Lumen line if you want, it does nothing if you are no using Lumen. I guess your linter does not like the fact you are referencing a class that doesn't exist.

[skyosev]

This might not help but incase it does, in our case we didn't want any of Clockwork running on production. Our solution was then to add the package to our disable autoload in the composer.json, then manually load the ServiceProvider in your AppServiceProvider using env flags:

class AppServiceProvider extends ServiceProvider
{
    public function register()
    {
        if (!$this->app->environment('production')) {
            $this->app->register(\Clockwork\Support\Laravel\ClockworkServiceProvider::class);
        }
    }

    ...
}

To answer your question more directly, you could continue to disable with CLOCKWORK_WEB then in your routes/web.php you could conditionally add a route for Route::redirect('/__clockwork', '/');.

The autoload disabling seems like an acceptable workaround for me. However, I wasn't able to find such option in composer. Can you hint me?

[itsgoingd]

@skyosev It's a Laravel specific thing, here are the docs - https://laravel.com/docs/9.x/packages#opting-out-of-package-discovery