If a key string is provided to the CryptKey constructor with an invalid
passphrase, the LogicException message generated will contain the given key.
The key is no longer leaked via this exception (PR #1359)
You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
Security
Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
a PKCE downgrade attack (PR #1326)
8.3.6
Fixed
Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
8.3.5
Fixed
Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)
8.3.4
Fixed
Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)
If a key string is provided to the CryptKey constructor with an invalid
passphrase, the LogicException message generated will contain the given key.
The key is no longer leaked via this exception (PR #1359)
You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
Security
Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
a PKCE downgrade attack (PR #1326)
[8.3.6] - released 2022-11-14
Fixed
Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
[8.3.5] - released 2022-05-12
Fixed
Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)
[8.3.4] - released 2022-04-07
Fixed
Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/csrdelft/csrdelft.nl/network/alerts).
Bumps league/oauth2-server from 8.3.3 to 8.4.2.
Release notes
Sourced from league/oauth2-server's releases.
Changelog
Sourced from league/oauth2-server's changelog.
Commits
007dc5fUpdate changlogcb9ae79Merge pull request #1359 from jeffhuys/fix-snyk-vulnerability5aba3dfRemove potential key from exception message86e4159Update changelogeed31d8Update changelog for version 8.4.18c3ba48Merge pull request #1329 from thephpleague/fix-deprecation-notices-php-8f4b65ecUpdate changelogec7d98aFix styleci issuesce7e35fmerge remoteac02716Add ReturnTypeWillChange to jsonSerialize()Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/csrdelft/csrdelft.nl/network/alerts).