Framework: [v7.22.0] Changes in EncryptCookies breaks with Passport

Created on 27 Jul 2020  路  6Comments  路  Source: laravel/framework


  • Laravel Version: 7.22.0
  • PHP Version: 7.4.7
  • Database Driver & Version: MySQL 8.0.19

Description:

The change in EncryptCookies by switching from
$request->cookies->set($key, $this->decryptCookie($key, $cookie));
to

$value = $this->decryptCookie($key, $cookie);

$request->cookies->set(
    $key, strpos($value, sha1($key).'|') !== 0 ? null : substr($value, 41)
);

and from
$cookie, $this->encrypter->encrypt($cookie->getValue(), static::serialized($cookie->getName()))
to:

$cookie,
                $this->encrypter->encrypt(
                    sha1($cookie->getName()).'|'.$cookie->getValue(),
                    static::serialized($cookie->getName())
                )

Steps To Reproduce:

Upgrade from 7.21.0 to 7.22.0 and routes within API which has the middleware auth:api will return 401. Reverting to 7.21 or changing the file in vendor will fix the issue again.

Env:

config/auth.php:

    'guards' => [
        'web' => [
            'driver' => 'session',
            'provider' => 'users',
        ],

        'api' => [
            'driver' => 'passport',
            'provider' => 'users',
        ],
    ],

laravel/passport v8.5.0

bug
Source
picture kepeder
👍5

Most helpful comment

We've released Passport v9.3.2 which fixes this. Thanks all.

picture driesvints on 27 Jul 2020
🎉21 👍1

All 6 comments

Heya, please see https://blog.laravel.com/security-release-laravel-61827-7220

You'll need to logout and re-login. We've also released a patch version just now which fixes CSRF.

On a side note: Passport 8 isn't maintained anymore. Please upgrade to Passport 9.

driesvints picture driesvints on 27 Jul 2020

Hm, this is also true for the latest passport, I did manually delete all cookies etc and still $request->user() is null

Eldair picture Eldair on 27 Jul 2020
👍2

This happened to me too on 7.22.2 (the version with CSRF fixed)

rennokki picture rennokki on 27 Jul 2020
👍1

Can confirm this issue is legitimate and this should be re-opened.

aaronhuisinga picture aaronhuisinga on 27 Jul 2020
👍1

Hey all, we've identified the problem and are working on a fix. Thanks.

driesvints picture driesvints on 27 Jul 2020
👍1

We've released Passport v9.3.2 which fixes this. Thanks all.

driesvints picture driesvints on 27 Jul 2020
🎉21 👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Anahkiasen picture Anahkiasen  路  3Comments
YannPl picture YannPl  路  3Comments
lzp819739483 picture lzp819739483  路  3Comments
fideloper picture fideloper  路  3Comments
JamborJan picture JamborJan  路  3Comments