[pull] 2.x from Kovah:2.x

app/Console/Commands/DebugConfigCommand.php

@@ -55,7 +55,7 @@ private function printApplicationInfo(): void
             ['Laravel Version', app()->version()],
             ['PHP Version', PHP_VERSION],
             ['Environment', config('app.env')],
-            ['Debug Mode', config('app.debug') ? '<fg=yellow>true</>' : 'false'],
+            ['Debug Mode', config('app.debug') ? '<fg=red>true</>' : 'false'],
         ]);
     }
 
@@ -66,13 +66,18 @@ private function printTrustedHostsInfo(): void
         $appUrl = config('app.url');
         $trustHosts = new TrustHosts(app());
         $patterns = $trustHosts->hosts();
+        $isActive = !app()->environment('local') && !app()->runningUnitTests();
 
         $rows = [
             ['APP_URL', $appUrl],
             ['Allowed host pattern', implode(', ', array_filter($patterns))],
+            ['Active (non-local env)', $isActive ? '<fg=green>yes</>' : '<fg=yellow>no (APP_ENV=local)</>'],
         ];
 
-        if ($appUrl === 'http://localhost') {
+        if (!$isActive) {
+            $rows[] = ['', '<fg=yellow>⚠ TrustHosts validation is DISABLED because APP_ENV=local.</>'];
+            $rows[] = ['', '<fg=yellow>  Host header is not validated. Set APP_ENV=production to enable.</>'];
+        } elseif ($appUrl === 'http://localhost') {
             $rows[] = ['', '<fg=red>⚠ APP_URL is set to the default "http://localhost".</>'];
             $rows[] = ['', '<fg=red>  Any request from a different host will be rejected with 400.</>'];
         } elseif (!str_starts_with($appUrl, 'https://')) {
@@ -81,6 +86,12 @@ private function printTrustedHostsInfo(): void
         }
 
         $this->table([], $rows);
+
+        if ($isActive) {
+            $this->line('  <fg=gray>If users see 400 errors, check storage/logs/laravel.log for</>');
+            $this->line('  <fg=gray>  "Untrusted Host" to see the exact rejected host value.</>');
+            $this->line('');
+        }
     }
 
     private function printTrustedProxiesInfo(): void

app/Http/Kernel.php

@@ -14,8 +14,8 @@ class Kernel extends HttpKernel
      * @var array
      */
     protected $middleware = [
-        \App\Http\Middleware\TrustHosts::class,
         \App\Http\Middleware\TrustProxies::class,
+        \App\Http\Middleware\TrustHosts::class,
         \Illuminate\Http\Middleware\HandleCors::class,
         \App\Http\Middleware\PreventRequestsDuringMaintenance::class,
         \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,

app/Http/Middleware/TrustHosts.php

@@ -13,6 +13,11 @@ class TrustHosts extends Middleware
      */
     public function hosts(): array
     {
+        $allowedHosts = config('app.trusted_hosts');
+        if ($allowedHosts !== null) {
+            return explode(',', $allowedHosts);
+        }
+
         return [
             $this->allSubdomainsOfApplicationUrl(),
         ];

config/app.php

@@ -160,6 +160,20 @@
 
     'trusted_proxies' => env('TRUSTED_PROXIES', '*'),
 
+    /*
+    |--------------------------------------------------------------------------
+    | Trusted Hosts
+    |--------------------------------------------------------------------------
+    |
+    | Specify which host names should be trusted. Set the correct hostnames
+    | under which your LinkAce instance is running under here. By default,
+    | LinkAce will automatically detect the host from the given APP_URL.
+    | Either provide a comma-separated list of host names or a regex.
+    |
+    */
+
+    'trusted_hosts' => env('TRUSTED_HOSTS', null),
+
     /*
     |--------------------------------------------------------------------------
     | API Rate Limiting