Passport: Invalid token cause 500 error.

I think this error is caused by Xdebug. It's not an error with this library.

@alexbilbie I get the same 500 response even without Xdebug, it exhausts memory:

[Wed Sep  6 08:27:58 2017] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in C:\Users\...\vendor\lea
gue\oauth2-server\src\Exception\OAuthServerException.php on line 168
[Wed Sep  6 08:27:58 2017] PHP Fatal error:  Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in C:\Users\...\vendor\lar
avel\framework\src\Illuminate\Foundation\Bootstrap\HandleExceptions.php on line 122

Here are the references to other people experiencing the same:
https://github.com/laravel/passport/issues/289#issuecomment-312233456
https://github.com/laravel/passport/issues/101#issuecomment-315972058

So, this is what happens: if you're trying to request a resource that's protected by auth:api middleware without sending Authorization header, you get 401 as expected. But if you send an invalid token in the Authorization header (the one that doesn't exist, or some gibberish), you get 500 with no content. I think this issue needs to be re-opened.

I have the same problem.
@alexbilbie why this issue is closed?

After a little bit of digging I found out that the issue arises in the Laravel Exception Handler (framework/src/Illuminate/Foundation/Exceptions/Handler.php), function context() where it reaches for Auth. Quick workaround is to override that function in your own app/Exceptions/Handler.php:

    protected function context()
    {
        return [];
    }

Just be aware that in this case anywhere else your context (userId and email address of the user making the request) will not be logged when exception is thrown.

You can add OAuthServerException to $dontReport :

class Handler extends ExceptionHandler
{
    protected $dontReport = [
       ...
        \League\OAuth2\Server\Exception\OAuthServerException::class,
    ];
}

@abler98 thanks, that works as well, but also as a workaround if you don't want to log/report that exception.

@alexbilbie Why is this closed?

same issue for me

@abler98 , thank you . It works . But why?

Instead of ignoring all OAuthServerException exceptions I just remove user from context for OAuthServerException :

app\Exceptions\Handler.php

public function report(Exception $exception)
{
    if ($exception instanceof OAuthServerException) {
        try {
            $logger = $this->container->make(LoggerInterface::class);
        } catch (Exception $e) {
            throw $exception; // throw the original exception
        }

        $logger->error(
            $exception->getMessage(),
            ['exception' => $exception]
        );
    } else {
        parent::report($exception);
    }
}

But IMO right solution should be removing user from logger context, because Auth::user() depends on some Guards, Providers etc and even these might be coded by developer. Indeed I don't remember I need to know which user caused the exceptions. I am sure in some cases it might be critical but for me I didn't use it so far.

@ahalimkara, this looks like a better solution than not reporting the error. Specially because this exception is thrown if an possible attacker tries to use an invalid access token.

you can handle invalid token in app/exceptions/Handler.php just add unauthenticated method

protected function unauthenticated($request, AuthenticationException $exception)
{
//you can return 401 here, log your exception to db, etc
return'unauthorised';
}

same problem here,the workaround did the job.
instead of infinite loop i get a 401 "unauthenticated" exception

@terdia you solution didn't worked for me

@abler98 I tried your solution but it was still returning error.
This is the error i am having
flutter: {
"message": "Server error: POST http://mysecureview.ng/public/oauth/token resulted in a 500 Internal Server Error response:\n