fix: Remote Code Execution via Insecure Deserialization in OAuth2

Author: Pek5892

src/Models/OAuth2.php

@@ -148,7 +148,7 @@ public function getAccessToken()
     {
         $this->checkTokens();
 
-        return $this->attributes['access_token'] ? unserialize($this->attributes['access_token']) : null;
+        return $this->attributes['access_token'] ? unserialize($this->attributes['access_token'], ['allowed_classes' => [AccessToken::class]]) : null;
     }
 
     /**
@@ -190,7 +190,7 @@ protected function updateTokens($access_token, $refresh_token)
      */
     protected function checkTokens()
     {
-        $access_token = $this->access_token ? unserialize($this->access_token) : null;
+        $access_token = $this->access_token ? unserialize($this->access_token, ['allowed_classes' => [AccessToken::class]]) : null;
 
         if (!empty($access_token) && $access_token->hasExpired()) {
             // Tentativo di refresh del token di accesso