Passport: Expires_at column not verified in token validation
Hi,
I noticed that the expires_at column from the "oauth_access_tokens" table is not checked during the token validation, which grants access to users with expired tokens.
For testing, I've used the sample application in the repository below:
https://github.com/neoighodaro/laravel-passport-demo
After running "php artisan passport:install" command, I manually updated the "expires_at" column to a date in the past.
But, the consumer service could still retrieve the results, even with the token expired.
I checked the MYSQL log using :
SET GLOBAL general_log = 'ON';
And the executed query was:
select * fromoauth_access_tokenswhereoauth_access_tokens.id= '3e19b972734fcfdf7951de363fc5e9aeab9ea962cf0de7d686a6d2805879d1c4cfa624973eec6ebf' limit 1
I think it should be:
select * fromoauth_access_tokenswhereoauth_access_tokens.id= '3e19b972734fcfdf7951de363fc5e9aeab9ea962cf0de7d686a6d2805879d1c4cfa624973eec6ebf' and revoked = 0 and expires_at >= "<Carbon::now()>" limit 1
aluferraz
All 3 comments
I don't think at the point that it _queries_ for the token it wants to check either revoked or expires_at. I think at the point in the code where it checks if the token has been revoked it could check the expires_at also.
However, from what I've looked at, the tokens are self-encoded, which means that it can be used in certain cases where it might be impractical or even impossible to verify the token against a database.
That being the case, it's probably for the best to _not_ have a possible case where the expires_at _inside_ the token might potentially be negated by an external (e.g. in the DB) expires_at in certain circumstances, as this could lead to confusion or unexpected compromise.
You could argue that the revoked column suffers the same problem. But that's a debate for another time. I'm grateful for it in Passport, even if it doesn't guarantee anything across more complex scenarios.
Ultimately, my thoughts have come round to this: the expires_at column is best left as a read-only indicator and shouldn't be updated.
simonhamp
on 8 Sep 2017
the expires_at value is coded inside your access token and can not be modified. Updating expires_at column won't change your access token expiration and it is expected behavior.
michaelnguyen2021
on 16 Oct 2018
Think this question was correctly answered by @simonhamp and @michaelnguyen547. Thanks guys 馃憤
driesvints
on 18 Oct 2018
Related issues
cookiejarblush
路
4Comments
duccanh0022
路
3Comments
Patskimoto
路
3Comments
ghost
路
3Comments
raksrivastava
路
3Comments
Most helpful comment
the expires_at value is coded inside your access token and can not be modified. Updating expires_at column won't change your access token expiration and it is expected behavior.