[13.x] Always hash client secret #1745
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for submitting a PR! Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface. Pull requests that are abandoned in draft may be closed due to inactivity. |
driesvints
approved these changes
May 21, 2024
Member
driesvints
left a comment
driesvints
left a comment
There was a problem hiding this comment.
Think this will be a good one to have as a default and the upgrade path isn't too hard.
hettiger
added a commit
to hettiger/passport
that referenced
this pull request
Oct 10, 2025
…1745 ```php - if (Passport::$hashesClientSecrets) { - return ['plainSecret' => $client->plainSecret] + $client->toArray(); - } + $client->secret = $client->plainSecret; return $client->makeVisible('secret'); ``` This change obviously breaks usages that previously relied on the return type array with the additional 'plainSecret' data. E.g., the old Vue components used the plainSecret to present that to the user so that he could save it, etc. Since hashing is now mandatory, I restored the previous behavior without the now obsolete `Passport::$hashesClientSecrets` check: ```php return ['plainSecret' => $client->plainSecret] + $client->toArray(); ``` I also updated the tests. I know it looks a bit fishy but I had not much choice since it's a unit test … (didn't want to make too big of a change out of this … it's deprecated anyways …)
taylorotwell
pushed a commit
that referenced
this pull request
Oct 10, 2025
…al client via deprecated `ClientController::store` (#1861) * Fix ClientController::store() breaking change introduced via #1745 ```php - if (Passport::$hashesClientSecrets) { - return ['plainSecret' => $client->plainSecret] + $client->toArray(); - } + $client->secret = $client->plainSecret; return $client->makeVisible('secret'); ``` This change obviously breaks usages that previously relied on the return type array with the additional 'plainSecret' data. E.g., the old Vue components used the plainSecret to present that to the user so that he could save it, etc. Since hashing is now mandatory, I restored the previous behavior without the now obsolete `Passport::$hashesClientSecrets` check: ```php return ['plainSecret' => $client->plainSecret] + $client->toArray(); ``` I also updated the tests. I know it looks a bit fishy but I had not much choice since it's a unit test … (didn't want to make too big of a change out of this … it's deprecated anyways …) * append `plain_secret` * use `append` instead of `mergeAppend` to support L11.x --------- Co-authored-by: Martin Hettiger <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clients' secret are now always hashed.
Changes
Hashfacade has been used to hash and check the values.Passport::$hashesClientSecretsproperty has been removed.Passport::hashClientSecrets()method has been removed.