Why in the global server variable, the query_param cell is not valid

Question

I am trying to set up email verification, but because of wrong configuration of either, server or php I always get 403 Invalid signature error. If you know how to solve this problem I would be very grateful. All the solutions I googled don't work for me.

my route with params:

https://mysite.lo/email/verify/1001/82f42f0bbc6880958a68b56159cb7cbf96199ddf?expires=1642686658&signature=87fa7d09653adcbbeb4dd99bec9a97395d7417bdfeffc145a1c5d6e80feeb726

PHP DEBUG

$request->server->get('QUERY_STRING')

output:

/email/verify/1001/82f42f0bbc6880958a68b56159cb7cbf96199ddf&expires=1642686658&signature=87fa7d09653adcbbeb4dd99bec9a97395d7417bdfeffc145a1c5d6e80feeb726

enter image description here

But there should be another output, starting from? to the end, for example:

expires=1642686658&signature=87fa7d09653adcbbeb4dd99bec9a97395d7417bdfeffc145a1c5d6e80feeb726

Or am I misunderstanding something?

Anyway, I don't understand why this is happening. The nginx settings are below.

server {
    listen 80;
    listen 443 ssl;
    listen [::]:80;

    server_name mysite.lo *.mysite.lo;

    ssl_certificate     /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;

    access_log /var/www/mysite/mpa/storage/logs/nginx_access.log;
    error_log /var/www/mysite/mpa/storage/logs/nginx_error.log;

    root /var/www/mysite/mpa/public;
    index index.php;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    error_page 404 /index.php;

    # serve static files directly
    location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
        access_log off;
        expires max;
        log_not_found off;
    }

    # removes trailing slashes (prevents SEO duplicate content issues)
    if (!-d $request_filename)
    {
        rewrite ^/(.+)/$ /$1 permanent;
    }

    # enforce NO www
    if ($host ~* ^www\.(.*))
    {
        set $host_without_www $1;
        rewrite ^/(.*)$ $scheme://$host_without_www/$1 permanent;
    }

    # unless the request is for a valid file (image, js, css, etc.), send to bootstrap
    if (!-e $request_filename)
    {
        rewrite ^/(.*)$ /index.php?/$1 last;
        break;
    }

    location / {
         try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_pass php-upstream;
        fastcgi_index index.php;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        #fixes timeouts
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

This is the local environment. I am using: laradock php 8

Answer 1

It is your rewrite ^/(.*)$ /index.php?route=/$1 last; rule adds an original URI as the first query argument. As rewrite documentation says :

If a replacement string includes the new request arguments, the previous request arguments are appended after them.

You can avoid adding an original URI as the first query argument specifically for the /email/verify/ route:

    if (!-e $request_filename)
    {
        # do not append an original URI to this route
        rewrite ^/email/verify/ /index.php last;
        # but append it to everything else
        rewrite ^/(.*)$ /index.php?/$1 last;
        break;
    }