From e46ebc5f58e45bb865e4a3fb6037b03f7836ffc8 Mon Sep 17 00:00:00 2001
From: Dries Vints
Date: Fri, 8 May 2020 13:50:30 +0200
Subject: [PATCH] Implement personal access client config
---
 UPGRADE.md | 16 ++++++++++++++++
 config/passport.php | 16 ++++++++++++++++
 src/Passport.php | 24 ++++++++++++++++++++++--
 src/PersonalAccessTokenFactory.php | 4 +++-
 4 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/UPGRADE.md b/UPGRADE.md
index 63e955571..57a989bec 100644
--- a/UPGRADE.md
+++ b/UPGRADE.md
@@ -18,6 +18,22 @@ PR: https://github.com/laravel/passport/pull/1145
 
 Client secrets may now be stored using a Bcrypt hash. However, before enabling this functionality, please consider the following. First, there is no way to reverse the hashing process once you have migrated your existing tokens. Secondly, when hashing client secrets, you will only have one opportunity to display the plain-text value to the user before it is hashed and stored in the database.
 
+#### Personal Access Client
+
+Before you continue, there's a special case for personal access clients. You should set your personal access client ID and unhashed secret in your `.env` file:
+
+    PASSPORT_PERSONAL_ACCESS_CLIENT_ID=
+    PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET=
+
+After this, you should set register them with the `Passport` instance by playing the following calls within the `boot` method of your `AppServiceProvider`:
+
+    Passport::personalAccessClientId(config('passport.personal_access_token.id'));
+    Passport::personalAccessClientSecret(config('passport.personal_access_token.secret'));
+
+Make sure to do this before hashing your secrets using the step below, otherwise they'll be lost forever.
+
+#### Hashing Existing Secrets
+
 You may enable client secret hashing by calling the `Passport::hashClientSecrets()` method within the `boot` method of your `AppServiceProvider`. For convenience, we've included a new Artisan command which you can run to hash all existing client secrets:
 
     php artisan passport:hash
diff --git a/config/passport.php b/config/passport.php
index 95a48923d..b07bdbcad 100644
--- a/config/passport.php
+++ b/config/passport.php
@@ -30,4 +30,20 @@
 
     'client_uuids' => false,
 
+    /*
+    |--------------------------------------------------------------------------
+    | Personal Access Client
+    |--------------------------------------------------------------------------
+    |
+    | If you enable client hashing, you should set the personal access
+    | client id and secret in your config file. This way they will be
+    | used when you issue access tokens to your users.
+    |
+    */
+
+    'personal_access_client' => [
+        'id' => env('PASSPORT_PERSONAL_ACCESS_CLIENT_ID'),
+        'secret' => env('PASSPORT_PERSONAL_ACCESS_CLIENT_SECRET'),
+    ],
+
 ];
diff --git a/src/Passport.php b/src/Passport.php
index a7f08282f..ea347ec2b 100644
--- a/src/Passport.php
+++ b/src/Passport.php
@@ -22,10 +22,17 @@ class Passport
     /**
      * The personal access token client ID.
      *
-     * @var int
+     * @var int|string
      */
     public static $personalAccessClientId;
 
+    /**
+     * The personal access token client secret.
+     *
+     * @var string
+     */
+    public static $personalAccessClientSecret;
+
     /**
      * The default scope.
      *
@@ -192,7 +199,7 @@ public static function routes($callback = null, array $options = [])
     /**
      * Set the client ID that should be used to issue personal access tokens.
      *
-     * @param int $clientId
+     * @param int|string $clientId
      * @return static
      */
     public static function personalAccessClientId($clientId)
@@ -202,6 +209,19 @@ public static function personalAccessClientId($clientId)
         return new static;
     }
 
+    /**
+     * Set the client secret that should be used to issue personal access tokens.
+     *
+     * @param string $clientSecret
+     * @return static
+     */
+    public static function personalAccessClientSecret($clientSecret)
+    {
+        static::$personalAccessClientSecret = $clientSecret;
+
+        return new static;
+    }
+
     /**
      * Set the default scope(s). Multiple scopes may be an array or specified delimited by spaces.
      *
diff --git a/src/PersonalAccessTokenFactory.php b/src/PersonalAccessTokenFactory.php
index 2ab665c6b..27c558d79 100644
--- a/src/PersonalAccessTokenFactory.php
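Review bot: The key path this config introduces, `personal_access_client`, does not match the path the UPGRADE.md hunk in the same commit tells users to read, `config('passport.personal_access_token.id')` and `.secret`; with the config as written those calls return null and the plaintext secret is never registered. Either rename one side or change the upgrade instructions to `Passport::personalAccessClientId(config('passport.personal_access_client.id'));` and `Passport::personalAccessClientSecret(config('passport.personal_access_client.secret'));`. The block comment could also state what the value is, since the upgrade text calls it the "unhashed secret" and the database copy cannot be reversed once hashed, e.g. `| The secret must be the original plain-text value; it cannot be` `| recovered from the hashed copy stored in the database.`. The upgrade text itself reads "set register them ... by playing the following calls", which looks like "register them ... by placing".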
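Review bot: The new `$personalAccessClientSecret` property is documented as `@var string` in the first hunk of this file, but nothing initialises it, so it is null until `personalAccessClientSecret()` from the third hunk runs; the docblock should read `@var string|null`, matching how `$personalAccessClientId` is left unset. Because PersonalAccessTokenFactory sends this value as `client_secret` whenever `Passport::$hashesClientSecrets` is true, a missing registration only surfaces as a failed token request rather than as a configuration error, so the setter could reject empty input: `if ($clientSecret === null || $clientSecret === '') {`, `    throw new \InvalidArgumentException('Personal access client secret may not be empty.');`, `}`. The secret is also held in a public static, readable and overwritable from anywhere in the process; that mirrors the existing `$personalAccessClientId`, but for a credential a protected property with an accessor would narrow the exposure.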
+++ b/src/PersonalAccessTokenFactory.php
@@ -93,10 +93,12 @@ public function make($userId, $name, array $scopes = [])
      */
     protected function createRequest($client, $userId, array $scopes)
     {
+        $secret = Passport::$hashesClientSecrets ? Passport::$personalAccessClientSecret : $client->secret;
+
         return (new ServerRequest)->withParsedBody([
             'grant_type' => 'personal_access',
             'client_id' => $client->id,
-            'client_secret' => $client->secret,
+            'client_secret' => $secret,
             'user_id' => $userId,
             'scope' => implode(' ', $scopes),
         ]);
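Review bot: When hashing is enabled, the new `$secret` line substitutes the globally configured plaintext secret for `$client->secret` with no fallback when `Passport::$personalAccessClientSecret` was never registered, so a null `client_secret` is sent and the failure shows up as a generic authorization error far from the misconfiguration. A guard before the assignment makes this explicit: `if (Passport::$hashesClientSecrets && Passport::$personalAccessClientSecret === null) {`, `    throw new \RuntimeException('Personal access client secret has not been configured.');`, `}`. The substitution also assumes `$client` is the client the configured secret belongs to; whether `make()` guarantees that is not visible in this hunk and is worth confirming. The closing brace of `createRequest` lies outside the hunk.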