laravel / passport

Laravel Passport provides OAuth2 server support to Laravel.
https://laravel.com/docs/passport
MIT License

[11.x] Add support for `EncryptCookies` middleware #1628

Closed. axlon closed this 1 year ago

axlon commented 1 year ago

This PR adds a new option to Passport to not decrypt the JWT cookie when authenticating.

Currently when dealing with the JWT cookie Passport's behaviour is this:

Because of this, implementing a middleware similar to Sanctum's EnsureFrontendRequestsAreStateful is currently not possible, as it will cause the JWT token to be decrypted twice.

Note that this PR does not contain any breaking changes, Passport's current behaviour stays the default behaviour. This PR only adds the option to opt-out of this behaviour.

taylorotwell commented 1 year ago

@axlon I'm curious - how does Passport expect the EncryptCookies middleware to be inactive when reading the JWT cookie? How does it actually enforce that in the code?

axlon commented 1 year ago

@taylorotwell it reads the cookie when trying to authenticate through the token guard; when it does this, it decrypts the cookie similarly to how EncryptCookies does (this implicitly relies on EncryptCookies not being active, because if it were, the cookie would already have been decrypted and trying to decrypt it again would cause an error):

https://github.com/laravel/passport/blob/31ed56954f044ffd6dcef237d5087955376693ff/src/Guards/TokenGuard.php#L296-L302
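The double-decryption failure described in this thread, as an added example that is not part of the PR or of Passport's code. It uses Laravel's `Illuminate\Encryption\Encrypter` stand-alone and assumes `illuminate/encryption` is installed via Composer; the JWT string is a constructed placeholder.

```php
<?php
// Added example (not from the Passport repo): shows why the JWT cookie must be
// decrypted by exactly one layer. Assumes illuminate/encryption is available
// through Composer's vendor/autoload.php.
require __DIR__.'/vendor/autoload.php';

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

$encrypter = new Encrypter(Encrypter::generateKey('AES-256-CBC'), 'AES-256-CBC');

// Stand-in for the value Passport stores in its cookie (a JWT in practice;
// this constructed string is only a placeholder).
$jwt = 'header.payload.signature';

// What the browser holds: the cookie value encrypted once.
$cookieOnWire = $encrypter->encrypt($jwt, false);

// Layer 1: EncryptCookies decrypts every cookie not listed in its $except.
$afterEncryptCookies = $encrypter->decrypt($cookieOnWire, false);

// Layer 2: TokenGuard decrypts the same cookie again when authenticating.
try {
    $encrypter->decrypt($afterEncryptCookies, false);
    echo "unexpected: second decrypt succeeded\n";
} catch (DecryptException $e) {
    // The plaintext JWT is not a valid encrypted payload, so the second
    // decrypt fails and the request cannot authenticate.
    echo 'second decrypt failed: '.$e->getMessage()."\n";
}

// A single decryption is what works, so only one of the two layers may touch
// this cookie: either keep EncryptCookies away from it (list the Passport
// cookie name in that middleware's $except), or, with the opt-out this PR
// adds, let EncryptCookies decrypt it and have Passport skip its own step.
assert($afterEncryptCookies === $jwt);
```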