When I use the default Laravel API endpoints with the built-in axios JavaScript library, Passport api:auth is broken. After extensive debugging of the Laravel framework I found the problem is the decrypted laravel_token which is fed to JWT::decode(). The CookieValuePrefix, which is added on cookie create, is not removed in the Passport TokenGuard after decrypting, so validating the JWT token fails and an "Unauthenticated" message is returned.
The fix is to remove the cookie prefix before JWT::decode is called.
I changed Laravel\Passport\Guards\TokenGuard from:

```php
protected function decodeJwtTokenCookie($request)
{
    // The decrypted cookie value is passed to the JWT decoder as-is.
    return (array) JWT::decode(
        $this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies),
        $this->encrypter->getKey(),
        ['HS256']
    );
}
```

to:

```php
// Requires: use Illuminate\Cookie\CookieValuePrefix;
protected function decodeJwtTokenCookie($request)
{
    // Strip the cookie value prefix after decrypting, before decoding the JWT.
    return (array) JWT::decode(
        CookieValuePrefix::remove($this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies)),
        $this->encrypter->getKey(),
        ['HS256']
    );
}
```
Upgrade from < 5.6.30 to 7.28.0
And using CreateFreshApiToken -> https://laravel.com/docs/7.x/passport#consuming-your-api-with-javascript
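
An added illustration of the failure described in the post above (not code from the thread, Laravel or Passport): it assumes the prefix is an HMAC-SHA1 of the cookie name plus `v2` followed by `|`, 41 characters in total, and `signJwt`, `verifyJwt`, `cookiePrefix` and `stripPrefix` are hypothetical stand-ins for the framework's own classes.

```php
<?php
// Added example; stand-alone stand-ins, not Laravel or Passport source.
function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
// Minimal HS256 signer, fixed to one algorithm.
function signJwt(array $claims, string $key): string {
    $head = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $body = b64url(json_encode($claims));
    return "$head.$body." . b64url(hash_hmac('sha256', "$head.$body", $key, true));
}
// Returns the claims, or null when the structure or signature is wrong.
function verifyJwt(string $jwt, string $key): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$head, $body, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', "$head.$body", $key, true));
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return json_decode(base64_decode(strtr($body, '-_', '+/')), true);
}
// Assumed prefix scheme: 40 hex characters of HMAC-SHA1 plus '|', 41 in total.
function cookiePrefix(string $cookieName, string $key): string {
    return hash_hmac('sha1', $cookieName . 'v2', $key) . '|';
}
// Strip the prefix only if it matches this cookie name and key.
function stripPrefix(string $value, string $cookieName, string $key): ?string {
    $prefix = cookiePrefix($cookieName, $key);
    return hash_equals($prefix, substr($value, 0, 41)) ? substr($value, 41) : null;
}

$key = random_bytes(32); // constructed key
$jwt = signJwt(['sub' => 1, 'csrf' => 'constructed', 'expiry' => time() + 3600], $key);
$decrypted = cookiePrefix('laravel_token', $key) . $jwt; // constructed decrypt() result

// Case 1: prefixed value passed straight to the verifier, as in the "from" code.
var_dump(verifyJwt($decrypted, $key));
// Case 2: prefix checked and removed first, as in the "to" code.
var_dump(verifyJwt(stripPrefix($decrypted, 'laravel_token', $key), $key));
// Case 3: the same value presented under a different cookie name.
var_dump(stripPrefix($decrypted, 'other_cookie', $key));
```

In this stand-in verifier the first case fails because the first token segment still begins with the prefix, so the recomputed signature no longer matches.
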
Which passport version are you using?
I have the same issue, and I'm using Laravel Passport version 8.5 according to my composer.lock. My composer.json is set to "laravel/passport": "^8.4",
Also I can pinpoint that on Laravel 7.15 using the CreateFreshApiToken works, but in 7.16 it doesn't.
You need to upgrade to Passport v9.3.2 which fixes this.
Gonna close this as I suspect the OP is also using an outdated Passport version.
I was using passport 7.2.4. Updating to 9.3.2 fixed the issue.
I assumed that running composer update after updating to laravel 7 in composer.json would also update passport to a working (non breaking) version. That is not the case unfortunately.
Thank you for your answer and I hope this helps others fixing this when they encounter the same issue.
@bertploeger when upgrading to new major versions you always have to do that manually.
It would be nice if this would be backported to 7.x and 8.x too, since this took days to debug and find this ticket 🤪
E.g. in Laravel 6.x LTS this is now broken by default if you follow the upgrade guides (Laravel 5.7 tells you to install passport ^7.0), so you are still on 7.x once you are at Laravel 6.
We don't maintain old passport versions. The newer passport supports both Laravel 6 and 7. Laravel 5.7 isn't supported anymore.
I'm just saying I followed official guides and those recommend me to upgrade to a broken passport version.
If you _like_ keeping that broken, is not my problem right now. But it is annoying to everybody else.