Laravel 5.6.30 breaks passport

[krve]

If you don't serialize the cookies this breaks passport authentication. On line 190 in src/Guards/TokenGuard.php.

/**
 * Decode and decrypt the JWT token cookie.
 *
 * @param  \Illuminate\Http\Request  $request
 * @return array
 */
protected function decodeJwtTokenCookie($request)
{
    return (array) JWT::decode(
        // This line does not disable serialization per EncryptCookies.php
        $this->encrypter->decrypt($request->cookie(Passport::cookie())),
        $this->encrypter->getKey(), ['HS256']
    );
}

This is only the case if you make use of your passport api on your own site. (https://laravel.com/docs/5.6/passport#consuming-your-api-with-javascript)

[philtweir]

Just to link in the context:

• https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30
• EncryptCookies.php from start of serialization changes to 5.6.30

A temporary workaround within an individual app, until Passport no longer expects to deserialize, is to add

protected static $serialize = true;

to app/Http/Middleware/EncryptCookies.php (and clear cookies before trying to log in the first time). While this does let your app work, it also prevents you getting the benefit of the security fix (where someone who has access to your APP_KEY can create their own malicious cookies that get sent to the deserialize function).

[poxin13]

Had to add that to EncryptCookies.php as well. Same issue.

[themsaid]

Opened a PR to introduce a way to stop unserializing the cookie value:

#796

[plakhin]

@themsaid please don't forger about laravel/passport 4.0, the latest one supported by Laravel 5.5 LTS

[themsaid]

@plakhin can you backport this PR to it?

[plakhin]

@themsaid I'm to busy until next week. If no one will do, then I do, but a bit later.

[clnt]

@themsaid I have opened a PR to the 4.0 branch: #797

[simondavies]

I had this for version 4.0 and tried to composer update but it did not download the update, I had to target it directly

composer require laravel/passport:4.0.x-dev

[prolonginc]

this was driving me nutts for a couple of hours. @simondavies the version 5 will work just clear your cookies after adding in protected static $serialize = true; to the EncryptCookies.

[clnt]

@prolonginc Why would you do that? That is just disabling the security fix. Version 5.0 is for Laravel 5.6 and not 5.5

@taylorotwell Can we not just get a version 4.0.4 tagged on the 4.0 branch??

[amacsmith]

Could an artisan command be created to do this update for users? instead of breaking upon composer update? Just wondering didn't know if that would be a viable option.

[NastuzziSamy]

This issue made me tilt the whole day

[NastuzziSamy]

If you have updated Laravel\Passport you should follow this:

Passport 6.0.7

Passport 6.0.7 has been released with a new Laravel\Passport\Passport::withoutCookieSerialization() method. Once you have disabled cookie serialization, you should call this method within your application's AppServiceProvider.

Using protected static $serialize = true; create a security issue...

[yaquawa]

I don't understand why Laravel serialize the cookie however...