[12.x] Use more secure key permissions - Githubissues

laravel / passport

Laravel Passport provides OAuth2 server support to Laravel.

https://laravel.com/docs/passport

MIT License

3.29k stars 780 forks source link

[12.x] Use more secure key permissions #1721

Closed axlon closed 9 months ago

axlon commented 9 months ago

Passport currently does not check filesystem permissions of the keys it uses, per https://github.com/laravel/passport/pull/454. Passport also doesn't set the correct permissions on the keys it creates.

This PR aims to have Passport use more secure permissions by default, whilst still allowing developers to opt out.

Passport will now:

Automatically use stricter permissions when creating keys through the passport:keys command
Check key permissions before using them
- This may be toggled off by setting Passport::$checkKeyPermissions to false
- This check is disabled on Windows, because it does not support this

hafezdivandari commented 8 months ago

The default behavior has been changed on this commit https://github.com/laravel/passport/commit/e063df36bef0f184f0f5ab5af8be8dd9d88b0651

Shouldn't we document this?