From e5a53c6d8ec23dac1c566d2c22dfc68f839db976 Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 13:58:52 +0100 Subject: [PATCH 01/12] Enable the option of hashing client secrets --- ...6_01_000004_create_oauth_clients_table.php | 2 +- src/Bridge/ClientRepository.php | 27 ++++++++++++- src/Client.php | 38 +++++++++++++++++++ src/Passport.php | 19 ++++++++++ 4 files changed, 83 insertions(+), 3 deletions(-) diff --git a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php index 2141e9973..cb1617d77 100644 --- a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php +++ b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php @@ -17,7 +17,7 @@ public function up() $table->increments('id'); $table->bigInteger('user_id')->index()->nullable(); $table->string('name'); - $table->string('secret', 100)->nullable(); + $table->string('secret')->nullable(); $table->text('redirect'); $table->boolean('personal_access_client'); $table->boolean('password_client'); diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php index 9cd17762e..b58b272bc 100644 --- a/src/Bridge/ClientRepository.php +++ b/src/Bridge/ClientRepository.php @@ -2,7 +2,9 @@ namespace Laravel\Passport\Bridge; +use Illuminate\Contracts\Hashing\Hasher; use Laravel\Passport\ClientRepository as ClientModelRepository; +use Laravel\Passport\Passport; use League\OAuth2\Server\Repositories\ClientRepositoryInterface; class ClientRepository implements ClientRepositoryInterface 
@@ -14,15 +16,22 @@ class ClientRepository implements ClientRepositoryInterface */ protected $clients; + /** + * @var \Illuminate\Contracts\Hashing\Hasher + */ + protected $hasher; + /** * Create a new repository instance. * * @param \Laravel\Passport\ClientRepository $clients + * @param \Illuminate\Contracts\Hashing\Hasher $hasher * @return void */ - public function __construct(ClientModelRepository $clients) + public function __construct(ClientModelRepository $clients, Hasher $hasher) { $this->clients = $clients; + $this->hasher = $hasher; } /** @@ -55,7 +64,7 @@ public function validateClient($clientIdentifier, $clientSecret, $grantType) return false; } - return ! $record->confidential() || hash_equals($record->secret, (string) $clientSecret); + return ! $record->confidential() || $this->verifySecret($record->secret, (string) $clientSecret); } /** @@ -84,4 +93,18 @@ protected function handlesGrant($record, $grantType) return true; } } + + /** + * @param string $storedHash + * @param string $clientSecret + * @return bool + */ + protected function verifySecret($storedHash, $clientSecret) + { + if (Passport::$useHashedClientSecrets) { + return $this->hasher->check($clientSecret, $storedHash); + } + + return hash_equals($storedHash, $clientSecret); + } } diff --git a/src/Client.php b/src/Client.php index 51b2b7013..e62ead6ff 100644 --- a/src/Client.php +++ b/src/Client.php @@ -2,6 +2,7 @@ namespace Laravel\Passport; +use Illuminate\Contracts\Hashing\Hasher; use Illuminate\Database\Eloquent\Model; class Client extends Model @@ -41,6 +42,13 @@ class Client extends Model 'revoked' => 'bool', ]; + /** + * The temporary non-hashed client secret. + * + * @var string|null + */ + protected $plainSecret; + /** * Get the user that the client belongs to. * 
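Review bot: `verifySecret` in the last hunk of src/Bridge/ClientRepository.php picks the comparison from the process-wide `Passport::$useHashedClientSecrets` flag rather than from anything about the stored value, so a record written before the flag was switched on (plain secret in the column) fails `$this->hasher->check()` with no indication why, and the patch ships no migration or rehash path for such rows. The method also has no description in its docblock; I would open it with `Verify the presented client secret against the stored value, which is either the plain secret or a hash depending on Passport::$useHashedClientSecrets; the flag must match how every stored secret was written.` The `hash_equals` fallback requires both arguments to be strings, which is only guaranteed here because `validateClient` casts `$clientSecret` and checks `confidential()` first.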
@@ -73,6 +81,36 @@ public function tokens() return $this->hasMany(Passport::tokenModel(), 'client_id'); } + /** + * @param string|null $value + */ + public function setSecretAttribute($value) + { + $this->plainSecret = $value; + + if ($value === null || ! Passport::$useHashedClientSecrets) { + $this->attributes['secret'] = $value; + + return; + } + + $this->attributes['secret'] = app(Hasher::class)->make($value); + } + + /** + * The temporary non-hashed client secret. + * + * If you're using hashed client secrets, this value will only be available + * once during the request the client was created. Afterwards, it cannot + * be retrieved or decrypted anymore. + * + * @return string|null + */ + public function plainSecret() + { + return $this->plainSecret; + } + /** * Determine if the client is a "first party" client. * diff --git a/src/Passport.php b/src/Passport.php index a68546951..6a26ea6b1 100644 --- a/src/Passport.php +++ b/src/Passport.php @@ -146,6 +146,13 @@ class Passport */ public static $unserializesCookies = false; + /** + * + * + * @var bool + */ + public static $useHashedClientSecrets = false; + /** * Indicates the scope should inherit its parent scope. * @@ -637,6 +644,18 @@ public static function ignoreMigrations() return new static; } + /** + * Configure Passport to hash client credential secrets. + * + * @return static + */ + public static function useHashedClientSecrets() + { + static::$useHashedClientSecrets = true; + + return new static; + } + /** * Instruct Passport to enable cookie serialization. * From 68bd83af45e01aaaf3da63e51d946b158bec0b99 Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 14:03:43 +0100 Subject: [PATCH 02/12] Alias HasherContract --- src/Bridge/ClientRepository.php | 4 ++-- src/Client.php | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php index b58b272bc..7ccf5d0f1 100644 --- a/src/Bridge/ClientRepository.php 
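Review bot: `setSecretAttribute` in src/Client.php hashes every value assigned to `secret`, with nothing distinguishing a fresh plain secret from a value that is already a hash, so any code path that reads the stored attribute and assigns it back (a `fill()` from an existing record, for instance) would hash it a second time and lock the client out; that deserves either a guard or an explicit docblock warning. The mutator's docblock is only `@param string|null $value`; I would add `Store the client secret, hashing it first when Passport::$useHashedClientSecrets is enabled, and keep the plain value in memory for this request only.` The `app(Hasher::class)` call resolves the hasher from the container inside the model, which is harder to substitute in tests than the constructor injection the same patch uses for the bridge repository. The empty docblock on `Passport::$useHashedClientSecrets` in the src/Passport.php hunk needs a description, e.g. `Indicates if client secrets are hashed before being stored.`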
+++ b/src/Bridge/ClientRepository.php @@ -2,7 +2,7 @@ namespace Laravel\Passport\Bridge; -use Illuminate\Contracts\Hashing\Hasher; +use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Laravel\Passport\ClientRepository as ClientModelRepository; use Laravel\Passport\Passport; use League\OAuth2\Server\Repositories\ClientRepositoryInterface; @@ -28,7 +28,7 @@ class ClientRepository implements ClientRepositoryInterface * @param \Illuminate\Contracts\Hashing\Hasher $hasher * @return void */ - public function __construct(ClientModelRepository $clients, Hasher $hasher) + public function __construct(ClientModelRepository $clients, HasherContract $hasher) { $this->clients = $clients; $this->hasher = $hasher; diff --git a/src/Client.php b/src/Client.php index e62ead6ff..efe0cc6d9 100644 --- a/src/Client.php +++ b/src/Client.php @@ -2,7 +2,7 @@ namespace Laravel\Passport; -use Illuminate\Contracts\Hashing\Hasher; +use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Illuminate\Database\Eloquent\Model; class Client extends Model @@ -94,7 +94,7 @@ public function setSecretAttribute($value) return; } - $this->attributes['secret'] = app(Hasher::class)->make($value); + $this->attributes['secret'] = app(HasherContract::class)->make($value); } /** From 4fe227de8b9b93e233064f23dcab9ba413017c1a Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 14:09:13 +0100 Subject: [PATCH 03/12] Provide hasher to constructor in test --- tests/BridgeClientRepositoryTest.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php index 94a014323..fa5260946 100644 --- a/tests/BridgeClientRepositoryTest.php +++ b/tests/BridgeClientRepositoryTest.php 
@@ -2,6 +2,7 @@ namespace Laravel\Passport\Tests; +use Illuminate\Contracts\Hashing\Hasher; use Laravel\Passport\Bridge\Client; use Laravel\Passport\Bridge\ClientRepository as BridgeClientRepository; use Laravel\Passport\ClientRepository; @@ -22,13 +23,15 @@ class BridgeClientRepositoryTest extends TestCase protected function setUp(): void { + $hasher = m::mock(Hasher::class); + $clientModelRepository = m::mock(ClientRepository::class); $clientModelRepository->shouldReceive('findActive') ->with(1) ->andReturn(new BridgeClientRepositoryTestClientStub); $this->clientModelRepository = $clientModelRepository; - $this->repository = new BridgeClientRepository($clientModelRepository); + $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); } protected function tearDown(): void From 04d952b9e370c0824644289907c6e02c1b188495 Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 14:13:54 +0100 Subject: [PATCH 04/12] Use model attribute getter to return plain secret --- src/Client.php | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/Client.php b/src/Client.php index efe0cc6d9..ca9a4cb0b 100644 --- a/src/Client.php +++ b/src/Client.php @@ -81,6 +81,20 @@ public function tokens() return $this->hasMany(Passport::tokenModel(), 'client_id'); } + /** + * The temporary non-hashed client secret. + * + * If you're using hashed client secrets, this value will only be available + * once during the request the client was created. Afterwards, it cannot + * be retrieved or decrypted anymore. + * + * @return string|null + */ + public function getPlainSecretAttribute() + { + return $this->plainSecret; + } + /** * @param string|null $value */ 
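Review bot: `getPlainSecretAttribute` in src/Client.php turns the in-memory plain secret into a model attribute reachable as `$client->plain_secret`, and its docblock does not say so. It should name the attribute and state that it must never be listed in `$appends` or otherwise included in serialized output, since anything that does so would emit the plain secret; a sentence such as `Exposed as the plain_secret attribute; never append it to serialized output.` covers this.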
@@ -97,20 +111,6 @@ public function setSecretAttribute($value) $this->attributes['secret'] = app(HasherContract::class)->make($value); } - /** - * The temporary non-hashed client secret. - * - * If you're using hashed client secrets, this value will only be available - * once during the request the client was created. Afterwards, it cannot - * be retrieved or decrypted anymore. - * - * @return string|null - */ - public function plainSecret() - { - return $this->plainSecret; - } - /** * Determine if the client is a "first party" client. * From 6aa59b0982f4332c3642825d4c23856f2b9ae02c Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 16:51:56 +0100 Subject: [PATCH 05/12] Flip method parameters for convention --- src/Bridge/ClientRepository.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php index 7ccf5d0f1..536ccb37f 100644 --- a/src/Bridge/ClientRepository.php +++ b/src/Bridge/ClientRepository.php @@ -64,7 +64,7 @@ public function validateClient($clientIdentifier, $clientSecret, $grantType) return false; } - return ! $record->confidential() || $this->verifySecret($record->secret, (string) $clientSecret); + return ! $record->confidential() || $this->verifySecret((string) $clientSecret, $record->secret); } /** @@ -95,11 +95,11 @@ protected function handlesGrant($record, $grantType) } /** - * @param string $storedHash * @param string $clientSecret + * @param string $storedHash * @return bool */ - protected function verifySecret($storedHash, $clientSecret) + protected function verifySecret($clientSecret, $storedHash) { if (Passport::$useHashedClientSecrets) { return $this->hasher->check($clientSecret, $storedHash); From 6b23d3966f29c8484337ba653b1518d411878baf Mon Sep 17 00:00:00 2001 
From: Sebastiaan Luca Date: Sun, 22 Dec 2019 16:59:15 +0100 Subject: [PATCH 06/12] Add hashed client secrets tests --- ...ridgeClientRepositoryHashedSecretsTest.php | 62 +++++++++++++++++++ tests/BridgeClientRepositoryTest.php | 4 +- 2 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 tests/BridgeClientRepositoryHashedSecretsTest.php diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php new file mode 100644 index 000000000..db4b44d79 --- /dev/null +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php @@ -0,0 +1,62 @@ +shouldReceive('check') + ->with('secret', 'hashedsecret') + ->andReturnTrue(); + + $hasher->shouldReceive('check') + ->with('wrong-secret', 'hashedsecret') + ->andReturnFalse(); + + $clientModelRepository = m::mock(ClientRepository::class); + $clientModelRepository->shouldReceive('findActive') + ->with(1) + ->andReturn(new BridgeClientRepositoryHashedTestClientStub); + + $this->clientModelRepository = $clientModelRepository; + $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); + } +} + +class BridgeClientRepositoryHashedTestClientStub +{ + public $name = 'Client'; + + public $redirect = 'http://localhost'; + + public $secret = 'hashedsecret'; + + public $personal_access_client = false; + + public $password_client = false; + + public $grant_types; + + public function firstParty() + { + return $this->personal_access_client || $this->password_client; + } + + public function confidential() + { + return ! empty($this->secret); + } +} diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php index fa5260946..b06f29a40 100644 --- a/tests/BridgeClientRepositoryTest.php +++ b/tests/BridgeClientRepositoryTest.php 
@@ -14,12 +14,12 @@ class BridgeClientRepositoryTest extends TestCase /** * @var \Laravel\Passport\ClientRepository */ - private $clientModelRepository; + protected $clientModelRepository; /** * @var \Laravel\Passport\Bridge\ClientRepository */ - private $repository; + protected $repository; protected function setUp(): void { From 1a73c40b634ecf35d7766de36c57d8fc76c9d9be Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 17:29:41 +0100 Subject: [PATCH 07/12] Format code --- src/Passport.php | 2 -- tests/BridgeClientRepositoryHashedSecretsTest.php | 2 -- 2 files changed, 4 deletions(-) diff --git a/src/Passport.php b/src/Passport.php index 6a26ea6b1..e9b04fdb8 100644 --- a/src/Passport.php +++ b/src/Passport.php @@ -147,8 +147,6 @@ class Passport public static $unserializesCookies = false; /** - * - * * @var bool */ public static $useHashedClientSecrets = false; diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php index db4b44d79..0c0c21bf9 100644 --- a/tests/BridgeClientRepositoryHashedSecretsTest.php +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php @@ -3,12 +3,10 @@ namespace Laravel\Passport\Tests; use Illuminate\Contracts\Hashing\Hasher; -use Laravel\Passport\Bridge\Client; use Laravel\Passport\Bridge\ClientRepository as BridgeClientRepository; use Laravel\Passport\ClientRepository; use Laravel\Passport\Passport; use Mockery as m; -use PHPUnit\Framework\TestCase; class BridgeClientRepositoryHashedSecretsTest extends BridgeClientRepositoryTest { From 4b140ff02984874035954751ac966dca1080dec5 Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Sun, 22 Dec 2019 17:46:53 +0100 Subject: [PATCH 08/12] Fix tests Explicitly disable public static check to use hashed secrets when running all tests --- tests/BridgeClientRepositoryHashedSecretsTest.php | 2 ++ tests/BridgeClientRepositoryTest.php | 9 +++++++++ 2 files changed, 11 insertions(+) 
diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php index 0c0c21bf9..5f1a78cfc 100644 --- a/tests/BridgeClientRepositoryHashedSecretsTest.php +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php @@ -30,6 +30,8 @@ protected function setUp(): void ->andReturn(new BridgeClientRepositoryHashedTestClientStub); $this->clientModelRepository = $clientModelRepository; + $this->hasher = $hasher; + $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); } } diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php index b06f29a40..9e4add185 100644 --- a/tests/BridgeClientRepositoryTest.php +++ b/tests/BridgeClientRepositoryTest.php @@ -6,6 +6,7 @@ use Laravel\Passport\Bridge\Client; use Laravel\Passport\Bridge\ClientRepository as BridgeClientRepository; use Laravel\Passport\ClientRepository; +use Laravel\Passport\Passport; use Mockery as m; use PHPUnit\Framework\TestCase; @@ -16,6 +17,11 @@ class BridgeClientRepositoryTest extends TestCase */ protected $clientModelRepository; + /** + * @var \Illuminate\Contracts\Hashing\Hasher + */ + protected $hasher; + /** * @var \Laravel\Passport\Bridge\ClientRepository */ @@ -23,6 +29,8 @@ class BridgeClientRepositoryTest extends TestCase protected function setUp(): void { + Passport::$useHashedClientSecrets = false; + $hasher = m::mock(Hasher::class); $clientModelRepository = m::mock(ClientRepository::class); @@ -31,6 +39,7 @@ protected function setUp(): void ->andReturn(new BridgeClientRepositoryTestClientStub); $this->clientModelRepository = $clientModelRepository; + $this->hasher = $hasher; $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); } From 91cbc05838757902581320b3d021fb5029479757 Mon Sep 17 00:00:00 2001 
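Review bot: `setUp` in tests/BridgeClientRepositoryTest.php resets `Passport::$useHashedClientSecrets = false` before each test, but nothing restores it afterwards, so the subclass that enables it (tests/BridgeClientRepositoryHashedSecretsTest.php, earlier hunk in this patch) leaves the static flag set to true for whatever test class runs next in the same process. Resetting it again in `tearDown` (`Passport::$useHashedClientSecrets = false;`) keeps the process-wide state from leaking out of this pair of classes; `tearDown` itself lies outside the hunk.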
From: Sebastiaan Luca Date: Mon, 23 Dec 2019 21:43:13 +0100 Subject: [PATCH 09/12] Use SHA-256 hashing for client secrets --- ...6_01_000004_create_oauth_clients_table.php | 2 +- src/Bridge/ClientRepository.php | 12 +----- src/Client.php | 3 +- ...ridgeClientRepositoryHashedSecretsTest.php | 38 ++----------------- tests/BridgeClientRepositoryTest.php | 6 +-- 5 files changed, 8 insertions(+), 53 deletions(-) diff --git a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php index cb1617d77..2141e9973 100644 --- a/database/migrations/2016_06_01_000004_create_oauth_clients_table.php +++ b/database/migrations/2016_06_01_000004_create_oauth_clients_table.php @@ -17,7 +17,7 @@ public function up() $table->increments('id'); $table->bigInteger('user_id')->index()->nullable(); $table->string('name'); - $table->string('secret')->nullable(); + $table->string('secret', 100)->nullable(); $table->text('redirect'); $table->boolean('personal_access_client'); $table->boolean('password_client'); diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php index 536ccb37f..07b0bbfea 100644 --- a/src/Bridge/ClientRepository.php +++ b/src/Bridge/ClientRepository.php @@ -2,7 +2,6 @@ namespace Laravel\Passport\Bridge; -use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Laravel\Passport\ClientRepository as ClientModelRepository; use Laravel\Passport\Passport; use League\OAuth2\Server\Repositories\ClientRepositoryInterface; 
@@ -16,22 +15,15 @@ class ClientRepository implements ClientRepositoryInterface */ protected $clients; - /** - * @var \Illuminate\Contracts\Hashing\Hasher - */ - protected $hasher; - /** * Create a new repository instance. * * @param \Laravel\Passport\ClientRepository $clients - * @param \Illuminate\Contracts\Hashing\Hasher $hasher * @return void */ - public function __construct(ClientModelRepository $clients, HasherContract $hasher) + public function __construct(ClientModelRepository $clients) { $this->clients = $clients; - $this->hasher = $hasher; } /** @@ -102,7 +94,7 @@ protected function handlesGrant($record, $grantType) protected function verifySecret($clientSecret, $storedHash) { if (Passport::$useHashedClientSecrets) { - return $this->hasher->check($clientSecret, $storedHash); + return password_verify($clientSecret, $storedHash); } return hash_equals($storedHash, $clientSecret); diff --git a/src/Client.php b/src/Client.php index ca9a4cb0b..d50847725 100644 --- a/src/Client.php +++ b/src/Client.php @@ -2,7 +2,6 @@ namespace Laravel\Passport; -use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Illuminate\Database\Eloquent\Model; class Client extends Model @@ -108,7 +107,7 @@ public function setSecretAttribute($value) return; } - $this->attributes['secret'] = app(HasherContract::class)->make($value); + $this->attributes['secret'] = password_hash($value, CRYPT_SHA256); } /** diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php index 5f1a78cfc..b74de0b41 100644 --- a/tests/BridgeClientRepositoryHashedSecretsTest.php +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php @@ -2,7 +2,6 @@ namespace Laravel\Passport\Tests; -use Illuminate\Contracts\Hashing\Hasher; use Laravel\Passport\Bridge\ClientRepository as BridgeClientRepository; use Laravel\Passport\ClientRepository; use Laravel\Passport\Passport; 
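Review bot: `password_hash($value, CRYPT_SHA256)` in the src/Client.php hunk does not select SHA-256: `CRYPT_SHA256` is a `crypt()` availability constant, not a `password_hash` algorithm identifier, and because its integer value coincides with the legacy integer value of `PASSWORD_BCRYPT` the call produces a bcrypt hash — the `$2y$10$` fixture introduced in the test hunk of the same patch bears that out. The commit title therefore does not describe what the code does; if bcrypt is the intent, `PASSWORD_BCRYPT` (or `PASSWORD_DEFAULT`) is the correct argument and bcrypt's 72-byte input limit belongs in the docblock. Patch 12 in this series replaces the call, so this applies to the intermediate state only.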
@@ -14,49 +13,18 @@ protected function setUp(): void { Passport::useHashedClientSecrets(); - $hasher = m::mock(Hasher::class); - - $hasher->shouldReceive('check') - ->with('secret', 'hashedsecret') - ->andReturnTrue(); - - $hasher->shouldReceive('check') - ->with('wrong-secret', 'hashedsecret') - ->andReturnFalse(); - $clientModelRepository = m::mock(ClientRepository::class); $clientModelRepository->shouldReceive('findActive') ->with(1) ->andReturn(new BridgeClientRepositoryHashedTestClientStub); $this->clientModelRepository = $clientModelRepository; - $this->hasher = $hasher; + $this->repository = new BridgeClientRepository($clientModelRepository); - $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); } } -class BridgeClientRepositoryHashedTestClientStub +class BridgeClientRepositoryHashedTestClientStub extends BridgeClientRepositoryTestClientStub { - public $name = 'Client'; - - public $redirect = 'http://localhost'; - - public $secret = 'hashedsecret'; - - public $personal_access_client = false; - - public $password_client = false; - - public $grant_types; - - public function firstParty() - { - return $this->personal_access_client || $this->password_client; - } - - public function confidential() - { - return ! empty($this->secret); - } + public $secret = '$2y$10$ILY9x.zBwltszjoU21a21.naD6oeN5eMWd00l7P8OMrK5US3ZYeP2'; } diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php index 9e4add185..b2435b9c2 100644 --- a/tests/BridgeClientRepositoryTest.php +++ b/tests/BridgeClientRepositoryTest.php @@ -2,7 +2,6 @@ namespace Laravel\Passport\Tests; -use Illuminate\Contracts\Hashing\Hasher; use Laravel\Passport\Bridge\Client; use Laravel\Passport\Bridge\ClientRepository as BridgeClientRepository; use Laravel\Passport\ClientRepository; 
@@ -31,16 +30,13 @@ protected function setUp(): void { Passport::$useHashedClientSecrets = false; - $hasher = m::mock(Hasher::class); - $clientModelRepository = m::mock(ClientRepository::class); $clientModelRepository->shouldReceive('findActive') ->with(1) ->andReturn(new BridgeClientRepositoryTestClientStub); $this->clientModelRepository = $clientModelRepository; - $this->hasher = $hasher; - $this->repository = new BridgeClientRepository($clientModelRepository, $hasher); + $this->repository = new BridgeClientRepository($clientModelRepository); } protected function tearDown(): void From 4d711419008fb71d4f398cc38fa1edb10d1ec3da Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Mon, 23 Dec 2019 21:44:06 +0100 Subject: [PATCH 10/12] Format code --- tests/BridgeClientRepositoryHashedSecretsTest.php | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php index b74de0b41..4f58aa618 100644 --- a/tests/BridgeClientRepositoryHashedSecretsTest.php +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php @@ -20,7 +20,6 @@ protected function setUp(): void $this->clientModelRepository = $clientModelRepository; $this->repository = new BridgeClientRepository($clientModelRepository); - } } From 6ab8f2670df981694bd66393b73828ec2bc4c5aa Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Mon, 23 Dec 2019 21:44:42 +0100 Subject: [PATCH 11/12] Remove deprecated variable --- tests/BridgeClientRepositoryTest.php | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php index b2435b9c2..1f0868de6 100644 --- a/tests/BridgeClientRepositoryTest.php +++ b/tests/BridgeClientRepositoryTest.php 
@@ -16,11 +16,6 @@ class BridgeClientRepositoryTest extends TestCase */ protected $clientModelRepository; - /** - * @var \Illuminate\Contracts\Hashing\Hasher - */ - protected $hasher; - /** * @var \Laravel\Passport\Bridge\ClientRepository */ From 3c553e4c0a5da0cc90e144928f79f94c2aa518a0 Mon Sep 17 00:00:00 2001 From: Sebastiaan Luca Date: Thu, 26 Dec 2019 17:52:57 +0100 Subject: [PATCH 12/12] Use non-salted SHA-256 hashing to store client secrets --- src/Bridge/ClientRepository.php | 2 +- src/Client.php | 2 +- tests/BridgeClientRepositoryHashedSecretsTest.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php index 07b0bbfea..204e6e270 100644 --- a/src/Bridge/ClientRepository.php +++ b/src/Bridge/ClientRepository.php @@ -94,7 +94,7 @@ protected function handlesGrant($record, $grantType) protected function verifySecret($clientSecret, $storedHash) { if (Passport::$useHashedClientSecrets) { - return password_verify($clientSecret, $storedHash); + $clientSecret = hash('sha256', $clientSecret); } return hash_equals($storedHash, $clientSecret); diff --git a/src/Client.php b/src/Client.php index d50847725..024bb1e1c 100644 --- a/src/Client.php +++ b/src/Client.php @@ -107,7 +107,7 @@ public function setSecretAttribute($value) return; } - $this->attributes['secret'] = password_hash($value, CRYPT_SHA256); + $this->attributes['secret'] = hash('sha256', $value); } /** diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php index 4f58aa618..f834c79da 100644 --- a/tests/BridgeClientRepositoryHashedSecretsTest.php +++ b/tests/BridgeClientRepositoryHashedSecretsTest.php 
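Review bot: `verifySecret` in src/Bridge/ClientRepository.php and `setSecretAttribute` in src/Client.php now store and compare an unsalted `hash('sha256', …)` of the secret, which is only as resistant to offline guessing as the secret's own entropy: two clients with the same secret get the same stored value, and a short or user-chosen secret is recoverable from a leaked table far more cheaply than from the bcrypt of the previous patch. That trade-off is defensible for long random secrets generated by Passport itself, but nothing in either hunk states the assumption; I would put it in the `setSecretAttribute` docblock: `Secrets are stored as an unsalted SHA-256 digest, so they must always be generated random values, never user-supplied.` `hash()` returns lowercase hex and `hash_equals` is case-sensitive, so the verify path only matches values written by this mutator; secrets stored before the flag was enabled are still not migrated.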
@@ -25,5 +25,5 @@ protected function setUp(): void class BridgeClientRepositoryHashedTestClientStub extends BridgeClientRepositoryTestClientStub { - public $secret = '$2y$10$ILY9x.zBwltszjoU21a21.naD6oeN5eMWd00l7P8OMrK5US3ZYeP2'; + public $secret = '2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b'; }