laravel / passport

Laravel Passport provides OAuth2 server support to Laravel.
https://laravel.com/docs/passport
MIT License
3.29k stars 780 forks

Purge command using wrong query for expired tokens #1770

Closed ssanchez23 closed 4 months ago

ssanchez23 commented 4 months ago

Passport Version

12.2.0

Laravel Version

11.10

PHP Version

8.3.7

Database Driver & Version

MySQL 8.3.0

Description

When you use the passport:purge command to purge all the revoked and expired tokens with the --hours argument, the tokens that expire the same day as today are not going to expire until the next day.

The problem is in the PurgeCommand class: the query for controlling the expired tokens is using whereDate and orWhereDate instead of where and orWhere. With this condition, the hours argument is not taken into account, so tokens that expired one hour ago are going to work all day, because there is another error: the expired tokens still work and are not revoked.

Apart from this version of the library, Laravel 9.52.5 with Passport 11.8.4, PHP 8.1.16 and MySQL 5.7.11 has the same error.

Steps To Reproduce

  1. Create a token with an expires_at date of today.
  2. Change the date manually or wait until the token is expired.
  3. Use the passport:purge --hours=1 command to purge all revoked and expired tokens for more than 1 hour.
  4. Check that the revoked tokens are purged, but the expired token is not.

Creating a scheduled task to execute this instead of the purge command works:

```php
use Illuminate\Support\Carbon;
use Laravel\Passport\Passport;

// Compare against the full timestamp instead of only the date part.
$expired = Carbon::now();

Passport::token()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
Passport::authCode()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
Passport::refreshToken()->where('revoked', 1)->orWhere('expires_at', '<', $expired)->delete();
```

The queries are the same as in the PurgeCommand class, lines 41-43. The change also has to be made in lines 55-57.
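The difference between the two predicates, as an added example that is not part of the original issue or of Passport's code: it runs a date-only comparison (what the report says whereDate/orWhereDate performs) and a full timestamp comparison over constructed token rows in an in-memory SQLite table. The fixed clock `NOW`, the sample rows, the `purge` helper and the cutoff of "now minus --hours" are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2024, 6, 20, 18, 0, 0)  # constructed clock, not from the issue

# Constructed sample rows: (id, revoked, expires_at)
TOKENS = [
    ("revoked-active", 1, NOW + timedelta(days=30)),
    ("expired-3h-ago", 0, NOW - timedelta(hours=3)),      # expired earlier today
    ("expired-30m-ago", 0, NOW - timedelta(minutes=30)),  # inside the 1 hour grace
    ("expired-yesterday", 0, NOW - timedelta(days=1, hours=2)),
    ("valid", 0, NOW + timedelta(hours=5)),
]

# Date-only comparison: the time of day is discarded on both sides.
DATE_ONLY = "revoked = 1 OR date(expires_at) < date(:cutoff)"
# Full timestamp comparison: the --hours cutoff is honoured.
FULL_TS = "revoked = 1 OR expires_at < :cutoff"


def purge(predicate, hours):
    """Delete rows matching predicate; return (purged ids, surviving ids)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE oauth_access_tokens (id TEXT, revoked INTEGER, expires_at TEXT)"
    )
    db.executemany(
        "INSERT INTO oauth_access_tokens VALUES (?, ?, ?)",
        [(i, r, e.strftime(FMT)) for i, r, e in TOKENS],
    )
    # Assumed cutoff: tokens must have been expired for more than `hours` hours.
    args = {"cutoff": (NOW - timedelta(hours=hours)).strftime(FMT)}
    where = f"FROM oauth_access_tokens WHERE {predicate}"
    purged = {row[0] for row in db.execute(f"SELECT id {where}", args)}
    db.execute(f"DELETE {where}", args)
    kept = {row[0] for row in db.execute("SELECT id FROM oauth_access_tokens")}
    db.close()
    return purged, kept


if __name__ == "__main__":
    for name, predicate in (("date-only", DATE_ONLY), ("timestamp", FULL_TS)):
        purged, kept = purge(predicate, hours=1)
        print(f"{name:10} purged={sorted(purged)} kept={sorted(kept)}")
```

With the date-only predicate the token that expired three hours ago stays in the table until the calendar date changes, while the timestamp predicate removes it and still spares the token that is inside the one hour window.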

driesvints commented 4 months ago

Thank you for this report. We'd appreciate some help, probably through a PR to improve this one.

github-actions[bot] commented 4 months ago

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!