Purge command using wrong query for expired tokens #1770

Closed
ssanchez23 opened this issue Jul 8, 2024 · 2 comments · Fixed by #1772

@ssanchez23

Passport Version

12.2.0

Laravel Version

11.10

PHP Version

8.3.7

Database Driver & Version

MySQL 8.3.0

Description

When you use the passport:purge command to purge all the revoked and expired tokens, if you use the --hours argument, the tokens that expire the same day as today are not going to expire until the next day.

The problem is in the PurgeCommand class: the query for controlling the expired tokens is using whereDate and orWhereDate instead of where and orWhere. With this condition, the hours argument is not taken into account, so tokens that expired one hour ago are going to work all day, because there is another error: the expired tokens still work and are not revoked.

Apart from this version of the library, there is a Laravel 9.52.5 installation, with Passport 11.8.4, PHP 8.1.16 and MySQL 5.7.11, with the same error.

Steps To Reproduce

  1. Create a token with an expires_at date of today.
  2. Change the date manually or wait until the token is expired.
  3. Use the passport:purge --hours=1 command to purge all revoked and expired tokens for more than 1 hour.
  4. Check that the revoked tokens are purged, but the expired token is not.

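Creating a scheduled task that executes this instead of the purge command works:

```php
use Illuminate\Support\Carbon;
use Laravel\Passport\Passport;

// Cutoff is the current timestamp, compared against the full expires_at value.
$expired = Carbon::now();

// Delete every row that is revoked or whose expires_at is before the cutoff.
Passport::token()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
Passport::authCode()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
Passport::refreshToken()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
```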

The queries are the same as the PurgeCommand class, lines 41-43. The change has to be done also in lines 55-57.
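
Added example (not part of the original report and not Passport's code): the rows a purge selects with a date-only comparison versus a full timestamp comparison, run in Python against an in-memory SQLite table. The `tokens` table, the token ids and the fixed `NOW` are constructed for illustration, and the date-only SQL assumes the whereDate-style clause compares only the date part of expires_at, as the report describes.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data: a simplified stand-in for a token table
# (id, revoked, expires_at); not Passport's real schema.
NOW = datetime(2024, 7, 8, 15, 0, 0)  # constructed "current time"
FMT = "%Y-%m-%d %H:%M:%S"

ROWS = [
    ("revoked-still-valid", 1, NOW + timedelta(days=30)),
    ("expired-yesterday", 0, NOW - timedelta(days=1)),
    ("expired-3h-ago", 0, NOW - timedelta(hours=3)),      # same calendar day
    ("expired-30min-ago", 0, NOW - timedelta(minutes=30)),
    ("valid-until-tonight", 0, NOW + timedelta(hours=6)),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tokens (id TEXT PRIMARY KEY, revoked INTEGER, expires_at TEXT)"
    )
    db.executemany(
        "INSERT INTO tokens VALUES (?, ?, ?)",
        [(i, r, e.strftime(FMT)) for i, r, e in ROWS],
    )
    return db


def purge_candidates(db, hours, date_only):
    """Return the ids a purge with the given --hours value would select."""
    cutoff = (NOW - timedelta(hours=hours)).strftime(FMT)
    if date_only:
        # Date-only comparison: the time of day in the cutoff is discarded.
        cond = "date(expires_at) < date(?)"
    else:
        # Full timestamp comparison: the hours offset is honoured.
        cond = "expires_at < ?"
    sql = f"SELECT id FROM tokens WHERE revoked = 1 OR {cond} ORDER BY id"
    return [row[0] for row in db.execute(sql, (cutoff,))]


def missed_by_date_only(hours):
    """Ids the timestamp query purges but the date-only query leaves behind."""
    db = make_db()
    full = set(purge_candidates(db, hours, date_only=False))
    dated = set(purge_candidates(db, hours, date_only=True))
    return sorted(full - dated)


if __name__ == "__main__":
    print(missed_by_date_only(1))
```

A regression test for the purge command can use the same shape: seed one token that expired earlier on the current day and assert it is gone after the purge runs.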

@driesvints
Member

Thank you for this report. We'd appreciate some help, probably through a PR to improve this one.

github-actions bot commented Jul 8, 2024

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!
