If you don't serialize the cookies, this breaks Passport authentication (line 190 in src/Guards/TokenGuard.php):

```php
/**
 * Decode and decrypt the JWT token cookie.
 *
 * @param \Illuminate\Http\Request $request
 * @return array
 */
protected function decodeJwtTokenCookie($request)
{
    return (array) JWT::decode(
        // This line does not disable serialization per EncryptCookies.php
        $this->encrypter->decrypt($request->cookie(Passport::cookie())),
        $this->encrypter->getKey(), ['HS256']
    );
}
```
This is only the case if you make use of your passport api on your own site. (https://laravel.com/docs/5.6/passport#consuming-your-api-with-javascript)
Just to link in the context:
A temporary workaround within an individual app, until Passport no longer expects to deserialize, is to add `protected static $serialize = true;` to `app/Http/Middleware/EncryptCookies.php` (and clear cookies before trying to log in the first time). While this does let your app work, it also prevents you getting the benefit of the security fix (where someone who has access to your APP_KEY can create their own malicious cookies that get sent to the deserialize function).
Had to add that to EncryptCookies.php as well. Same issue.
Opened a PR to introduce a way to stop unserializing the cookie value:
@themsaid please don't forget about laravel/passport 4.0, the latest one supported by Laravel 5.5 LTS
@plakhin can you backport this PR to it?
@themsaid I'm too busy until next week. If no one does it, I will, but a bit later.
@themsaid I have opened a PR to the 4.0 branch: #797
I had this for version 4.0 and tried `composer update`, but it did not download the update; I had to target it directly:
`composer require laravel/passport:4.0.x-dev`
This was driving me nuts for a couple of hours. @simondavies version 5 will work, just clear your cookies after adding `protected static $serialize = true;` to the EncryptCookies.
@prolonginc Why would you do that? That is just disabling the security fix. Version 5.0 is for Laravel 5.6 and not 5.5
@taylorotwell Can we not just get a version 4.0.4 tagged on the 4.0 branch?
Could an artisan command be created to do this update for users, instead of breaking upon composer update? Just wondering; I didn't know if that would be a viable option.
This issue made me tilt the whole day
If you have updated Laravel\Passport, you should follow this:
Passport 6.0.7
Passport 6.0.7 has been released with a new Laravel\Passport\Passport::withoutCookieSerialization() method. Once you have disabled cookie serialization, you should call this method within your application's AppServiceProvider.
Using `protected static $serialize = true;` creates a security issue...
I don't understand why Laravel serializes the cookie, however...
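For readers who want the fix rather than the workaround, here is the configuration the thread ends up at, as an added example (not code from the thread, Laravel or Passport): the EncryptCookies middleware left with serialization disabled, plus the service-provider call that tells Passport 6.0.7+ to stop deserializing the cookie. Both classes are shown in one listing with braced namespaces; in a real app each lives in its own file, and everything other than the two settings is assumed boilerplate.

```php
<?php
// Added example for Laravel 5.6.30+ with Passport 6.0.7+ (not from the thread).
// Each namespace block below corresponds to one file in a real application.

namespace App\Http\Middleware {
    use Illuminate\Cookie\Middleware\EncryptCookies as Middleware;

    class EncryptCookies extends Middleware
    {
        /**
         * Keep the security fix: decrypted cookie values are NOT passed to
         * unserialize(). The thread's workaround (`true`) reverts the fix and
         * lets anyone holding APP_KEY craft cookies that reach unserialize().
         *
         * @var bool
         */
        protected static $serialize = false;
    }
}

namespace App\Providers {
    use Illuminate\Support\ServiceProvider;
    use Laravel\Passport\Passport;

    class AppServiceProvider extends ServiceProvider
    {
        public function boot()
        {
            // Tell Passport the cookie payload is a plain (unserialized) string,
            // so TokenGuard::decodeJwtTokenCookie() no longer expects to
            // unserialize it. Clear existing cookies after deploying, since
            // cookies issued under the old format will not decode.
            Passport::withoutCookieSerialization();
        }
    }
}
```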