Support the ongoing development of Laravel.io →
Article Hero Image
Back to articles
Security Testing Laravel

Check if a Signed URL is Valid in Laravel Tests

Ash Allen
30 Jun, 2025 3 min read

Photo by Kaffeebart on Unsplash

Introduction

There may be times when you want to check whether a URL in your Laravel application is a valid signed URL. Most of the time, this is something you'd need to do in your application code where you can reach for the \Illuminate\Routing\Middleware\ValidateSignature middleware class, or the $request->hasValidSignature() method on the Illuminate\Http\Request class.

However, in the past, I've needed to write some tests to ensure that a signed URL is correctly generated and stored in the database. Admittedly, it's not something I need to do often, but I thought it might be useful to share how to do this in case you find yourself in a similar situation.

In this Quickfire article, I'm going to show you how to check whether a signed URL is valid in your tests.

If you're not familiar with signed URLs, you might be interested in my existing article which explains what they are: How to Assert Redirects to Signed URLs in Laravel Tests

Checking if a Signed URL is Valid in Laravel Tests

Let's imagine we're building a Laravel application that allows users to invite other users to join their team. When a user invites another user, we'll assume a new team_invitation_url field is created on an App\Models\Invitation model, which contains a signed URL that the invitee can use to join the team.

Note: You'd likely use a different approach than storing the hardcoded URL in the database. But this example is purely to demonstrate how to check if a signed URL is valid.

To check if the team_invitation_url is a valid signed URL, we need to create an instance of the Illuminate\Http\Request class using the URL stored in the team_invitation_url field. Then, we can use the hasValidSignature method to check if the URL is valid:

use Illuminate\Http\Request;

$isValid = Request::create($invitation->team_invitation_url)->hasValidSignature();

If the URL is in fact a valid signed URL, the $isValid variable will be true. Otherwise, if the URL is not a valid signed URL or has expired, it will be false.

Let's take a look at how we could use this in an example test case:

use App\Actions\InviteUserToTeamAction;
use App\Models\User;
use Illuminate\Http\Request;
use PHPUnit\Framework\Attributes\Test;
use Tests\TestCase;

class UserTest extends TestCase
{
    #[Test]
    public function user_can_be_invited(): void
    {
        // Create a user and another user to invite.
        $user = User::factory()->create();
        $userToInvite = User::factory()->create();
        
        // Call the action to invite the user.
        // The action will return an instance of `App\Models\Invitation`.
        $invitation = new InviteUserToTeamAction()->execute(
            user: $user,
            userToInvite: $userToInvite
        );
    
        // Other assertions to check the user was invited correctly...
    
        // Assert the `team_invitation_url` is a valid signed URL.
        $this->assertTrue(
            Request::create($invitation->team_invitation_url)->hasValidSignature(),
        );
    }
}

As we can see in the example test above, we're inviting a user to a team using an App\Actions\InviteUserToTeamAction action. After the user is invited, we're then asserting that the team_invitation_url is a valid signed URL using the hasValidSignature method on the Illuminate\Http\Request instance created from the URL.

As a result of this assertion, we can have confidence that we're generating valid signed URLs in our application.

Conclusion

In this Quickfire article, we've taken a quick look at how to check whether a signed URL is valid in your Laravel tests.

If you enjoyed reading this post, you might be interested in checking out my 220+ page ebook "Battle Ready Laravel" which covers similar topics in more depth.

Or, you might want to check out my other 440+ page ebook "Consuming APIs in Laravel" which teaches you how to use Laravel to consume APIs from other services.

If you're interested in getting updated each time I publish a new post, feel free to sign up for my newsletter.

Keep on building awesome stuff! 🚀

Last updated 2 hours ago.

driesvints liked this article

1
Like this article? Let the author know and give them a clap!
ash-jc-allen (Ash Allen) I'm a freelance Laravel web developer from Preston, UK. I maintain the Ash Allen Design blog and get to work on loads of cool and exciting projects 🚀
X Bluesky

Other articles you might like

Article Hero Image June 22nd 2025

Pass a Query Builder to "whereIn" to Reduce Your DB Queries

Introduction I recently learnt about a cool feature in Laravel that allows you to pass a query build...

Read article
Article Hero Image June 14th 2025

Asymmetric Property Visibility in PHP

Introduction Asymmetric visibility is a feature that was introduced in PHP 8.4 (released: November 2...

Read article
Article Hero Image June 13th 2025

Formatting Monetary Values in JavaScript

Introduction When building your web applications, you might need to format numbers as monetary value...

Read article

We'd like to thank these amazing companies for supporting us

Eventy NativePHP
Fathom
Forge
Envoyer
Beyond Code
BairesDev
N-iX

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X (Twitter) Bluesky Bluesky GitHub

The community

Laravel Laravel Laravel News Laravel News
Laracasts Laracasts Laravel Podcast Laravel Podcast
© 2025 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise