thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Issue with authorization code flow: Authorization code has expired #1311

Closed MykolaiKorniat closed 1 year ago

MykolaiKorniat commented 1 year ago

I found a bug during the last switch from summer to winter time: DateTime::add() adds the wrong interval when switching from summer to winter time.

DateTimeImmutable::add() calculates the wrong "expire_time" and issues an already-expired code.

The problem is fixed in PHP 8.1, but it still applies to PHP <= 8.0.

How about editing the timestamp directly instead of using a DateTimeImmutable?
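The approach proposed above (deriving the expiry from the Unix timestamp rather than from DateTimeImmutable::add()), as an added example that is not code from the oauth2-server library; the helper names and the Europe/Berlin scenario are constructed for illustration:

```php
<?php
declare(strict_types=1);

// Added example, not the library's own code. Derives an authorization-code
// expiry from the Unix timestamp instead of DateTimeImmutable::add(), so the
// result cannot depend on how a DST transition in the local zone is handled.

// Length of a DateInterval in seconds, measured against the epoch. UTC has
// no DST, so the interval is applied exactly once, free of local-zone quirks.
function intervalToSeconds(DateInterval $interval): int
{
    return (new DateTimeImmutable('@0'))->add($interval)->getTimestamp();
}

// Expiry of a code issued at $issuedAt with lifetime $ttl, computed on the
// timestamp. The result is converted back to the issuing zone for display only.
function expiryFromTimestamp(DateTimeImmutable $issuedAt, DateInterval $ttl): DateTimeImmutable
{
    $expiresAt = $issuedAt->getTimestamp() + intervalToSeconds($ttl);

    return (new DateTimeImmutable('@' . $expiresAt))->setTimezone($issuedAt->getTimezone());
}

// Expiry check on timestamps only, never on wall-clock strings.
function isExpired(DateTimeImmutable $expiresAt, DateTimeImmutable $now): bool
{
    return $now->getTimestamp() >= $expiresAt->getTimestamp();
}

// Constructed scenario: a code issued 5 minutes before Europe/Berlin falls
// back from CEST to CET (03:00 CEST -> 02:00 CET on 2022-10-30), TTL 10 min.
$zone     = new DateTimeZone('Europe/Berlin');
$issuedAt = (new DateTimeImmutable('2022-10-30 00:55:00 UTC'))->setTimezone($zone);
$ttl      = new DateInterval('PT10M');

$viaTimestamp = expiryFromTimestamp($issuedAt, $ttl);
$viaAdd       = $issuedAt->add($ttl); // the call the issue reports as unreliable on PHP <= 8.0

printf("issued:        %s (%d)\n", $issuedAt->format(DATE_ATOM), $issuedAt->getTimestamp());
printf("via timestamp: %s (%d)\n", $viaTimestamp->format(DATE_ATOM), $viaTimestamp->getTimestamp());
printf("via add():     %s (%d)\n", $viaAdd->format(DATE_ATOM), $viaAdd->getTimestamp());

// Lifetime actually granted by each method; the timestamp path is always 600 s.
printf("lifetime via timestamp: %d s\n", $viaTimestamp->getTimestamp() - $issuedAt->getTimestamp());
printf("lifetime via add():     %d s\n", $viaAdd->getTimestamp() - $issuedAt->getTimestamp());

// A code presented one minute after issue must not be rejected as expired.
$now = (new DateTimeImmutable('@' . ($issuedAt->getTimestamp() + 60)))->setTimezone($zone);
var_dump(isExpired($viaTimestamp, $now));
```

Running this on a PHP 8.1+ build shows both lifetimes as 600 s; the timestamp path gives that value on any version because it never applies the interval in a zone with a DST transition.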

Sephster commented 1 year ago

Oh wow. Nice find. I had no idea this was an issue.

I'm leaning towards not changing this because we'd need a new major release anyways, it has been fixed in 8.1, and active support for 8.0 is ending in 11 days anyways.

That coupled with the fact that this bug manifests itself in a small time window makes me think it isn't worth the effort. Would appreciate your thoughts on this though.

I've reached out on Twitter to see if a patch will be issued for earlier versions but might not get a reply.

Sephster commented 1 year ago

Just got a reply that this won't be backported to earlier versions, so the issue is here to stay.