Bypass Tokens

A bypass token is a shared secret that lets a visitor who presents it reach the application while it is down for maintenance, without having to be on the IP whitelist. It is only honoured while maintenance mode is active; once the curtain comes down the token no longer grants anything.

Generation

// CurtainUpCommand.php
protected function generateSecret(): string
{
    // uniqid() is derived from the current microsecond clock (plus a small
    // lcg value with the second argument), and md5() adds no entropy: the
    // result is unique but not unpredictable. A CSPRNG source such as
    // random_bytes() is the safer choice for an access token.
    return md5(uniqid('', true));
}

Usage

# Generate token with maintenance mode
php artisan curtain:up --secret="custom-token"

# Or let Curtain generate one
php artisan curtain:up
# Output: Bypass token: 1234abc...

Implementation

// CurtainService.php
public function hasValidBypassToken(Request $request): bool
{
    // No token is ever valid while the site is up.
    if (!$this->isDownForMaintenance()) {
        return false;
    }

    $data = $this->getMaintenanceData();

    // The token is presented as the request path itself (GET /<token>), so it
    // travels in the URL and lands in web-server access logs, browser history
    // and Referer headers. Note also that === short-circuits on the first
    // mismatching byte and is not a constant-time comparison.
    return isset($data['secret']) &&
           $request->path() === $data['secret'];
}
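The generator and validator above can be hardened without changing how the token is presented. The following is an added, stand-alone example (not Curtain's own code): it draws the token from the CSPRNG instead of md5(uniqid()), compares it in constant time with hash_equals(), and honours the expiry and one-time-use behaviour the page lists under Token Storage. The maintenance-data keys expires_at, one_time and used are assumed for illustration; the page does not show Curtain's actual file format.

```php
<?php
declare(strict_types=1);

// Added example, not Curtain's code. Runs with plain `php` and no framework.
final class BypassTokenExample
{
    /** 128-bit token from the CSPRNG; same 32-hex-char length as an md5 digest. */
    public static function generateSecret(): string
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Build the record that would be written to the maintenance file.
     * The expires_at / one_time / used keys are an assumed shape.
     */
    public static function maintenanceData(string $secret, int $ttlSeconds, bool $oneTime = false): array
    {
        return [
            'secret'     => $secret,
            'expires_at' => time() + $ttlSeconds, // automatic expiration
            'one_time'   => $oneTime,             // one-time use option
            'used'       => false,
        ];
    }

    /**
     * Validate a token presented as the request path, as Curtain does.
     * $data is passed by reference so a one-time token can be marked used;
     * the caller must persist $data for that to take effect.
     */
    public static function hasValidBypassToken(string $path, array &$data, ?int $now = null): bool
    {
        $now ??= time();

        if (!isset($data['secret']) || !is_string($data['secret'])) {
            return false;
        }
        // An expired token never matches, even when the value is right.
        if (isset($data['expires_at']) && $now >= $data['expires_at']) {
            return false;
        }
        // A one-time token that has already been redeemed is rejected.
        if (!empty($data['one_time']) && !empty($data['used'])) {
            return false;
        }
        // hash_equals() runs in constant time; ltrim() makes "/abc" and "abc"
        // equivalent (Laravel's Request::path() already strips the slash).
        if (!hash_equals($data['secret'], ltrim($path, '/'))) {
            return false;
        }
        if (!empty($data['one_time'])) {
            $data['used'] = true;
        }
        return true;
    }
}

// Constructed demonstration input.
$secret = BypassTokenExample::generateSecret();
$data   = BypassTokenExample::maintenanceData($secret, 3600, true);

// First use of a fresh one-time token.
var_dump(BypassTokenExample::hasValidBypassToken('/' . $secret, $data));
// Second use of the same one-time token.
var_dump(BypassTokenExample::hasValidBypassToken('/' . $secret, $data));
// Reset the used flag, then present the token two hours after issue.
$data['used'] = false;
var_dump(BypassTokenExample::hasValidBypassToken('/' . $secret, $data, time() + 7200));
// Wrong token.
var_dump(BypassTokenExample::hasValidBypassToken('/wrong-token', $data));
```

Only the first call succeeds: the second is refused because the one-time token has been redeemed, the third because it is past expires_at, and the fourth because the value does not match. Whatever the generator, the token still travels in the URL, so treat any access log or Referer that captured it as a reason to rotate.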

Security Considerations

Token Storage

  • The token is stored in the maintenance file read by getMaintenanceData(); keep that file outside the web root and readable only by the application user

  • Automatic expiration

  • One-time use option

Access Control Flow

public function canAccessPath(Request $request): bool
{
    if (!$this->isDownForMaintenance()) {
        return true;
    }

    // Check path exclusions first
    if ($this->shouldPassThroughPath($request->path())) {
        return true;
    }

    // Check IP whitelist
    if ($this->isAllowedIp($request->ip())) {
        return true;
    }

    // Check bypass token last
    return $this->hasValidBypassToken($request);
}

Best Practices

  • Rotate tokens regularly, and immediately when a token may have been shared or leaked

  • Limit token lifespan to the maintenance window

  • Log access attempts, but never the token value or the path that carries it

  • Monitor usage patterns, such as repeated rejected requests from a single IP
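The access-control flow above decides whether a request passes; logging and monitoring happen wherever that decision is enforced. The following Laravel middleware is an added example, not Curtain's own middleware: it calls canAccessPath() as shown on this page, logs accepted token use and blocked requests without recording the path (which may carry a real or mistyped token), and rate-limits failed attempts per IP so a weak custom secret cannot be guessed cheaply. The namespace Curtain\CurtainService is assumed; the page does not show it.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Curtain\CurtainService; // assumed namespace for the page's CurtainService.php
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Symfony\Component\HttpFoundation\Response;

// Added example, not part of Curtain. Register it in the global middleware stack.
class EnforceMaintenanceMode
{
    public function __construct(private CurtainService $curtain)
    {
    }

    public function handle(Request $request, Closure $next): Response
    {
        if (!$this->curtain->isDownForMaintenance()) {
            return $next($request);
        }

        // Limiter key per client IP; 10 failed attempts per minute is an
        // illustrative budget, tune it to your traffic.
        $key = 'curtain-bypass:' . $request->ip();

        if (RateLimiter::tooManyAttempts($key, 10)) {
            $retryAfter = RateLimiter::availableIn($key);
            Log::warning('curtain: bypass attempts rate limited', [
                'ip'          => $request->ip(),
                'retry_after' => $retryAfter,
            ]);
            return response('Service Unavailable', 503, ['Retry-After' => (string) $retryAfter]);
        }

        if ($this->curtain->canAccessPath($request)) {
            // canAccessPath() also passes excluded paths and whitelisted IPs;
            // a separate token check tells us which requests actually used one.
            if ($this->curtain->hasValidBypassToken($request)) {
                Log::info('curtain: bypass token accepted', [
                    'ip'         => $request->ip(),
                    'user_agent' => $request->userAgent(),
                    // deliberately no 'path': it is the token itself
                ]);
            }
            return $next($request);
        }

        // Blocked request: count it towards the limiter and log it without the path.
        RateLimiter::hit($key, 60);
        Log::notice('curtain: request blocked during maintenance', [
            'ip'         => $request->ip(),
            'method'     => $request->method(),
            'user_agent' => $request->userAgent(),
            'attempts'   => RateLimiter::attempts($key),
        ]);

        return response('Service Unavailable', 503, ['Retry-After' => '600']);
    }
}
```

Every request during maintenance that is not excluded, whitelisted or carrying the token counts against the limiter, so ordinary visitors hitting the 503 page repeatedly will also be throttled; that is acceptable because they receive the same 503 either way, and it keeps the token check from being brute-forced when an operator supplied a short --secret.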
