
Commit 5bb6637

authored
Upgrade firebase/php-jwt to ^6.0 (#1538)
The firebase/php-jwt library recently had to make breaking changes to resolve a security flaw. This change upgrades to that version of the library and fixes the code that broke with the upgrade.
1 parent 31e4ec6 commit 5bb6637


4 files changed

+13
-13
lines changed


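--- a/composer.json
+++ b/composer.json
@@ -16,7 +16,7 @@
     "require": {
         "php": "^7.3|^8.0",
         "ext-json": "*",
-        "firebase/php-jwt": "^5.0",
+        "firebase/php-jwt": "^6.0",
         "illuminate/auth": "^8.37|^9.0",
         "illuminate/console": "^8.37|^9.0",
         "illuminate/container": "^8.37|^9.0",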

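--- a/src/ApiTokenCookieFactory.php
+++ b/src/ApiTokenCookieFactory.php
@@ -77,6 +77,6 @@ protected function createToken($userId, $csrfToken, Carbon $expiration)
             'sub' => $userId,
             'csrf' => $csrfToken,
             'expiry' => $expiration->getTimestamp(),
-        ], Passport::tokenEncryptionKey($this->encrypter));
+        ], Passport::tokenEncryptionKey($this->encrypter), 'HS256');
     }
 }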
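Review bot: The algorithm name `'HS256'` is introduced as a bare string literal on the changed `JWT::encode` line here and again in TokenGuard::decodeJwtTokenCookie, where the `new Key(..., 'HS256')` has to name the same algorithm or decoding fails. A single shared constant referenced from both call sites (for example `const JWT_ALGORITHM = 'HS256';` on Passport, next to `tokenEncryptionKey`, used as `Passport::JWT_ALGORITHM`) would keep the signing and verification sides from drifting apart on a future change. The signature and opening lines of createToken lie outside the hunk, so only the closing of the encode call is visible here.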

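--- a/src/Guards/TokenGuard.php
+++ b/src/Guards/TokenGuard.php
@@ -4,6 +4,7 @@
 
 use Exception;
 use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
 use Illuminate\Container\Container;
 use Illuminate\Contracts\Debug\ExceptionHandler;
 use Illuminate\Contracts\Encryption\Encrypter;
@@ -269,8 +270,7 @@ protected function decodeJwtTokenCookie($request)
     {
         return (array) JWT::decode(
             CookieValuePrefix::remove($this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies)),
-            Passport::tokenEncryptionKey($this->encrypter),
-            ['HS256']
+            new Key(Passport::tokenEncryptionKey($this->encrypter), 'HS256')
         );
     }
 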
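--- a/tests/Unit/TokenGuardTest.php
+++ b/tests/Unit/TokenGuardTest.php
@@ -134,7 +134,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)), false)
+        ], str_repeat('a', 16), 'HS256'), false)
         );
 
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn($expectedUser = new TokenGuardTestUser);
@@ -167,7 +167,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)), false)
+        ], str_repeat('a', 16), 'HS256'), false)
         );
 
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn($expectedUser = new TokenGuardTestUser);
@@ -196,7 +196,7 @@ public function test_cookie_xsrf_is_verified_against_csrf_token_header()
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)))
+        ], str_repeat('a', 16), 'HS256'))
         );
 
         $userProvider->shouldReceive('retrieveById')->never();
@@ -222,7 +222,7 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)))
+        ], str_repeat('a', 16), 'HS256'))
         );
 
         $userProvider->shouldReceive('retrieveById')->never();
@@ -256,7 +256,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header_
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], Passport::tokenEncryptionKey($encrypter)), false)
+        ], Passport::tokenEncryptionKey($encrypter), 'HS256'), false)
         );
 
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn($expectedUser = new TokenGuardTestUser);
@@ -288,7 +288,7 @@ public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)))
+        ], str_repeat('a', 16), 'HS256'))
         );
 
         $userProvider->shouldReceive('retrieveById')->never();
@@ -314,7 +314,7 @@ public function test_expired_cookies_may_not_be_used()
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->subMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)))
+        ], str_repeat('a', 16), 'HS256'))
         );
 
         $userProvider->shouldReceive('retrieveById')->never();
@@ -344,7 +344,7 @@ public function test_csrf_check_can_be_disabled()
             'sub' => 1,
             'aud' => 1,
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)), false)
+        ], str_repeat('a', 16), 'HS256'), false)
         );
 
         $userProvider->shouldReceive('retrieveById')->with(1)->andReturn($expectedUser = new TokenGuardTestUser);
@@ -443,7 +443,7 @@ public function test_clients_may_be_retrieved_from_cookies()
             'aud' => 1,
             'csrf' => 'token',
             'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-        ], str_repeat('a', 16)), false)
+        ], str_repeat('a', 16), 'HS256'), false)
         );
 
         $clients->shouldReceive('findActive')->with(1)->andReturn($expectedClient = new TokenGuardTestClient);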
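Review bot: The nine changed lines only thread `'HS256'` through the existing happy-path `JWT::encode` calls; none of the hunks shown adds a test that a cookie token signed under a different algorithm is rejected now that decodeJwtTokenCookie binds the key to HS256 through `Key`. That rejection is the behaviour the php-jwt 6 upgrade exists to guarantee, so a companion test that encodes the same payload with another algorithm name and asserts `$userProvider->shouldReceive('retrieveById')->never();`, as test_expired_cookies_may_not_be_used already does, would pin it. If such a case exists elsewhere in the file, it is not visible in these hunks.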
