8000 [13.x] Use the `oauth_scopes` property of the bearer token on `TokenGuard` by hafezdivandari · Pull Request #1755 · laravel/passport · GitHub

[13.x] Use the oauth_scopes property of the bearer token on TokenGuard #1755


Merged
merged 3 commits into from
Jun 20, 2024

Conversation

hafezdivandari
Contributor

Fixes #382

As discussed here, this PR fixes a long-standing issue #382.

The TokenGuard authenticates the user via bearer token and assigns this token to the authenticated user. This will be useful when the developer wants to check if the token has a given scope using the tokenCan method on the authenticated App\Models\User instance:

```php
$request->user()->tokenCan('place-orders')
```

The problem is that the TokenGuard guard (and also the CheckClientCredentials middleware) unnecessarily queries the DB to find the token's record and retrieve its scopes, but we have already decoded the token and we can simply use the oauth_scopes property instead.

This PR fixes the issue by separating the logic into a new Passport\AccessToken class from the Passport\Token model, so we don't need to query the DB to find the token. This can be considered a performance optimization and also a security fix!

Upgrade Guide

There shouldn't be any breaking change here; the user()->tokenCan() is the only documented functionality and works like before. The user()->token() returns TransientToken if the user is authenticated via the cookie, just like before, but now returns a Passport\AccessToken instance instead of a Passport\Token instance when the user is authenticated via bearer token. To avoid any breaking change, this class dynamically forwards method calls to Passport\Token.


Thanks for submitting a PR!

Note that draft PR's are not reviewed. If you would like a review, please mark your pull request as ready for review in the GitHub user interface.

Pull requests that are abandoned in draft may be closed due to inactivity.

@hafezdivandari hafezdivandari changed the title [13.x] Add a new AccessToken class [13.x] Use the ouath_scopes property of the access token on TokenGuard and CheckClientCredentials middleware Jun 17, 2024
@hafezdivandari hafezdivandari changed the title [13.x] Use the ouath_scopes property of the access token on TokenGuard and CheckClientCredentials middleware [13.x] Use the oauth_scopes property of the bearer token on TokenGuard Jun 17, 2024
@hafezdivandari hafezdivandari marked this pull request as ready for review June 17, 2024 14:26
@taylorotwell
Member

Is it not possible for the scopes to be manipulated by the user if we are using the scopes present on the request attributes?

@hafezdivandari
Contributor Author
hafezdivandari commented Jun 19, 2024

@taylorotwell the oauth_scopes are not on the request attributes, but encrypted inside the bearer token. We should only trust the values on the signed / encrypted token itself; the user has authorized this client with these scopes. On the token guard, we decode the token and use oauth_access_token_id to determine if the token exists and is not revoked, oauth_user_id to find the user, oauth_client_id to find the client, and we should use oauth_scopes to determine the authorized scopes too.
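The following is an added example, not Passport's own code, that models the check described in the PR description above and in this reply: the guard verifies the bearer token's signature first, then builds a token object whose scopes come only from the signed payload (the `oauth_scopes` claim), so `can()` needs no database query and nothing a client places in request attributes, headers or parameters can widen the scopes. The HMAC-SHA256 signing, the server-side secret, the sample claims and the class and method names (`AccessToken`, `TokenGuard`, `validate()`, `can()`, `issueToken()`) are all assumptions made for the example; Passport's real tokens are RSA-signed JWTs issued by league/oauth2-server, and the revocation lookup by token id that the reply mentions is left out here.

```php
<?php
// Added example (not Passport's code): trust scopes only from the signed token.
// Assumptions: HMAC-SHA256 stands in for Passport's RSA-signed JWTs; all names below are illustrative.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/'), true) ?: '';
}

/** Issue a token whose claims, including oauth_scopes, are covered by the signature. */
function issueToken(array $claims, string $secret): string
{
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

/** Built from verified claims only; scope checks never touch the database. */
final class AccessToken
{
    /** @param string[] $scopes */
    public function __construct(
        public readonly string $id,
        public readonly string $userId,
        public readonly string $clientId,
        public readonly array $scopes,
    ) {}

    public function can(string $scope): bool
    {
        // The "*" wildcard grants every scope, mirroring Passport's wildcard scope.
        return in_array('*', $this->scopes, true) || in_array($scope, $this->scopes, true);
    }
}

final class TokenGuard
{
    public function __construct(private string $secret) {}

    /** Returns an AccessToken when the bearer token is authentic and unexpired, otherwise null. */
    public function validate(string $bearer): ?AccessToken
    {
        $parts = explode('.', $bearer);
        if (count($parts) !== 3) {
            return null;
        }
        [$header, $payload, $sig] = $parts;

        // Recompute the signature and compare in constant time before reading any claim.
        $expected = base64url_encode(hash_hmac('sha256', "$header.$payload", $this->secret, true));
        if (!hash_equals($expected, $sig)) {
            return null;
        }

        $claims = json_decode(base64url_decode($payload), true);
        if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
            return null;
        }

        // Scopes are taken from the signed payload only; request attributes are never consulted.
        return new AccessToken(
            id: (string) ($claims['jti'] ?? ''),
            userId: (string) ($claims['sub'] ?? ''),
            clientId: (string) ($claims['aud'] ?? ''),
            scopes: array_values(array_filter((array) ($claims['oauth_scopes'] ?? []), 'is_string')),
        );
    }
}

// Usage with constructed sample data.
$secret = 'example-secret-do-not-reuse'; // constructed for the example
$guard  = new TokenGuard($secret);

$token = issueToken([
    'jti' => 'tok-1', 'sub' => 'user-42', 'aud' => 'client-7',
    'oauth_scopes' => ['place-orders'], 'exp' => time() + 3600,
], $secret);

$access = $guard->validate($token);
echo 'place-orders:  ', var_export($access?->can('place-orders'), true), PHP_EOL;
echo 'delete-orders: ', var_export($access?->can('delete-orders'), true), PHP_EOL;

// A payload edited to claim the "*" scope no longer matches the signature, so it is rejected.
[$h, $p, $s] = explode('.', $token);
$edited = base64url_encode(json_encode([
    'jti' => 'tok-1', 'sub' => 'user-42', 'aud' => 'client-7',
    'oauth_scopes' => ['*'], 'exp' => time() + 3600,
]));
echo 'edited token:  ', var_export($guard->validate("$h.$edited.$s"), true), PHP_EOL;
```

The design point is the ordering inside `validate()`: the signature is checked with `hash_equals()` before the payload is even decoded, so the scope list handed to `AccessToken` is exactly what the authorization server signed. A revocation check by token id (the `oauth_access_token_id` lookup the reply describes) would sit after signature verification and is the one place a store lookup still belongs.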

@taylorotwell taylorotwell merged commit 22b3861 into laravel:13.x Jun 20, 2024
9 checks passed
@hafezdivandari hafezdivandari deleted the 13.x-new-access-token branch June 20, 2024 15:17