Support the ongoing development of Laravel.io →
Article Hero Image
Back to articles
Security Testing Laravel

Check if a Signed URL is Valid in Laravel Tests

Ash Allen
Ash Allen
30 Jun, 2025 3 min read

Photo by Kaffeebart on Unsplash

Introduction

There may be times when you want to check whether a URL in your Laravel application is a valid signed URL. Most of the time, this is something you'd need to do in your application code where you can reach for the \Illuminate\Routing\Middleware\ValidateSignature middleware class, or the $request->hasValidSignature() method on the Illuminate\Http\Request class.

However, in the past, I've needed to write some tests to ensure that a signed URL is correctly generated and stored in the database. Admittedly, it's not something I need to do often, but I thought it might be useful to share how to do this in case you find yourself in a similar situation.

In this Quickfire article, I'm going to show you how to check whether a signed URL is valid in your tests.

If you're not familiar with signed URLs, you might be interested in my existing article which explains what they are: How to Assert Redirects to Signed URLs in Laravel Tests

Checking if a Signed URL is Valid in Laravel Tests

Let's imagine we're building a Laravel application that allows users to invite other users to join their team. When a user invites another user, we'll assume a new team_invitation_url field is created on an App\Models\Invitation model, which contains a signed URL that the invitee can use to join the team.

Note: You'd likely use a different approach than storing the hardcoded URL in the database. But this example is purely to demonstrate how to check if a signed URL is valid.

To check if the team_invitation_url is a valid signed URL, we need to create an instance of the Illuminate\Http\Request class using the URL stored in the team_invitation_url field. Then, we can use the hasValidSignature method to check if the URL is valid:

use Illuminate\Http\Request;

$isValid = Request::create($invitation->team_invitation_url)->hasValidSignature();

If the URL is in fact a valid signed URL, the $isValid variable will be true. Otherwise, if the URL is not a valid signed URL or has expired, it will be false.

Let's take a look at how we could use this in an example test case:

use App\Actions\InviteUserToTeamAction;
use App\Models\User;
use Illuminate\Http\Request;
use PHPUnit\Framework\Attributes\Test;
use Tests\TestCase;

class UserTest extends TestCase
{
    #[Test]
    public function user_can_be_invited(): void
    {
        // Create a user and another user to invite.
        $user = User::factory()->create();
        $userToInvite = User::factory()->create();
        
        // Call the action to invite the user.
        // The action will return an instance of `App\Models\Invitation`.
        $invitation = new InviteUserToTeamAction()->execute(
            user: $user,
            userToInvite: $userToInvite
        );
    
        // Other assertions to check the user was invited correctly...
    
        // Assert the `team_invitation_url` is a valid signed URL.
        $this->assertTrue(
            Request::create($invitation->team_invitation_url)->hasValidSignature(),
        );
    }
}

As we can see in the example test above, we're inviting a user to a team using an App\Actions\InviteUserToTeamAction action. After the user is invited, we're then asserting that the team_invitation_url is a valid signed URL using the hasValidSignature method on the Illuminate\Http\Request instance created from the URL.

As a result of this assertion, we can have confidence that we're generating valid signed URLs in our application.

Conclusion

In this Quickfire article, we've taken a quick look at how to check whether a signed URL is valid in your Laravel tests.

If you enjoyed reading this post, you might be interested in checking out my 220+ page ebook "Battle Ready Laravel" which covers similar topics in more depth.

Or, you might want to check out my other 440+ page ebook "Consuming APIs in Laravel" which teaches you how to use Laravel to consume APIs from other services.

If you're interested in getting updated each time I publish a new post, feel free to sign up for my newsletter.

Keep on building awesome stuff! ?

Last updated 4 months ago.
1
Like this article? Let the author know and give them a clap!
ash-jc-allen (Ash Allen) I'm a freelance Laravel web developer from Preston, UK. I maintain the Ash Allen Design blog and get to work on loads of cool and exciting projects ?
X Bluesky

Other articles you might like

Article Hero Image November 4th 2025

Laravel 12 Custom Validation Rules Example

In this Laravel tutorial titled “laravel 12 custom validation rules example”, you will learn how to...

Read article
Article Hero Image November 5th 2025

Returning HTTP 404 Responses Instead of 403 for Unauthorised Access

Introduction When building a web application, you typically add authorisation checks to ensure that...

Read article
Article Hero Image October 29th 2025

Run PHPUnit and Pest Tests Without Vite Assets in Laravel

Introduction A common way to build your Laravel application's frontend assets is with Vite (by runni...

Read article

We'd like to thank these amazing companies for supporting us

NativePHP
Eventy
Fathom
Forge
Envoyer
Beyond Code
BairesDev
N-iX

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

Laravel.io

Forum Articles Pastebin

Socials

X (Twitter) Bluesky Bluesky GitHub
© 2025 Laravel.io - All rights reserved.
Terms of service Privacy policy Advertise