
Commit 1d2e017

jszojaJan Szoja
andauthored
Fix firebase/php jwt vuln (#1889)
* Composer and first test fixes ported from 13.x
* Remaining test file fixes ported
---------
Co-authored-by: Jan Szoja <jszoja@titanhq.com>
1 parent 89d2594 commit 1d2e017


3 files changed

+21
-21
lines changed


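--- a/composer.json
+++ b/composer.json
@@ -16,7 +16,7 @@
 "require": {
 "php": "^8.0",
 "ext-json": "*",
-"firebase/php-jwt": "^6.4",
+"firebase/php-jwt": "^6.4|^7.0",
 "illuminate/auth": "^9.21|^10.0|^11.0|^12.0",
 "illuminate/console": "^9.21|^10.0|^11.0|^12.0",
 "illuminate/container": "^9.21|^10.0|^11.0|^12.0",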
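Review bot: The widened constraint `"firebase/php-jwt": "^6.4|^7.0"` still allows Composer to resolve any 6.x release from 6.4.0 upward, so on installs where 7.x cannot be selected (or a lock file already pins a 6.x) the vulnerable versions the commit title refers to remain installable. If the fix only landed in 7.0, the `^6.4` alternative should be dropped; if a patched 6.x release exists, raise the lower bound to it so both allowed branches carry the fix. The accompanying test changes (16-byte to 32-byte keys) suggest the 7.x line enforces a minimum HS256 key length, which makes this a behaviour change for consumers rather than a drop-in bump and is worth calling out in the upgrade notes.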

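--- a/tests/Unit/ApiTokenCookieFactoryTest.php
+++ b/tests/Unit/ApiTokenCookieFactoryTest.php
@@ -28,7 +28,7 @@ public function test_cookie_can_be_successfully_created()
 'secure' => true,
 'same_site' => 'lax',
 ]);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 $factory = new ApiTokenCookieFactory($config, $encrypter);
 
 $cookie = $factory->make(1, 'token');
@@ -50,7 +50,7 @@ public function test_cookie_can_be_successfully_created_when_using_a_custom_encr
 'secure' => true,
 'same_site' => 'lax',
 ]);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 $factory = new ApiTokenCookieFactory($config, $encrypter);
 
 $cookie = $factory->make(1, 'token');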
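Review bot: Both tests now build the encrypter with a 32-byte key and `'aes-256-cbc'`, so the suite no longer exercises the default Laravel setup of `aes-128-cbc` with a 16-byte `APP_KEY`. If the factory signs the cookie JWT with the encrypter's key, which the 16-to-32-byte change arriving together with the php-jwt bump suggests, such applications would now fail at runtime once php-jwt enforces a minimum HS256 key length, and nothing here asserts what that failure looks like. Add a companion test using `new Encrypter(str_repeat('a', 16))` that pins the intended behaviour (a clear exception, or a derived 32-byte signing key) so the new minimum is documented rather than implicit. A comment above the constructor call, `// 32-byte key: php-jwt >= 7 rejects shorter HS256 secrets`, would also record why the fixture changed; both test methods begin and end outside these hunks.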

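--- a/tests/Unit/TokenGuardTest.php
+++ b/tests/Unit/TokenGuardTest.php
@@ -152,7 +152,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $clients->shouldReceive('findActive')
 ->with(1)
@@ -166,7 +166,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'), false)
+], $key, 'HS256'), false)
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -185,7 +185,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $clients->shouldReceive('findActive')
 ->with(1)
@@ -199,7 +199,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'), false)
+], $key, 'HS256'), false)
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -218,7 +218,7 @@ public function test_cookie_xsrf_is_verified_against_csrf_token_header()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $request = Request::create('/');
 $request->headers->set('X-CSRF-TOKEN', 'wrong_token');
@@ -228,7 +228,7 @@ public function test_cookie_xsrf_is_verified_against_csrf_token_header()
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'))
+], $key, 'HS256'))
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -244,7 +244,7 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $request = Request::create('/');
 $request->headers->set('X-XSRF-TOKEN', $encrypter->encrypt('wrong_token', false));
@@ -254,7 +254,7 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'))
+], $key, 'HS256'))
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -274,7 +274,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header_
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 
 $clients->shouldReceive('findActive')
 ->with(1)
@@ -315,7 +315,7 @@ public function test_users_may_be_retrieved_from_cookies_without_encryption()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 
 $clients->shouldReceive('findActive')
 ->with(1)
@@ -352,7 +352,7 @@ public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $request = Request::create('/');
 $request->cookies->set('XSRF-TOKEN', $encrypter->encrypt('token', false));
@@ -362,7 +362,7 @@ public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'))
+], $key, 'HS256'))
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -378,7 +378,7 @@ public function test_expired_cookies_may_not_be_used()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $request = Request::create('/');
 $request->headers->set('X-CSRF-TOKEN', 'token');
@@ -388,7 +388,7 @@ public function test_expired_cookies_may_not_be_used()
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->subMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'))
+], $key, 'HS256'))
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -404,7 +404,7 @@ public function test_csrf_check_can_be_disabled()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $clients->shouldReceive('findActive')
 ->with(1)
@@ -418,7 +418,7 @@ public function test_csrf_check_can_be_disabled()
 'sub' => 1,
 'aud' => 1,
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'), false)
+], $key, 'HS256'), false)
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -534,7 +534,7 @@ public function test_clients_may_be_retrieved_from_cookies()
 $userProvider = m::mock(PassportUserProvider::class);
 $tokens = m::mock(TokenRepository::class);
 $clients = m::mock(ClientRepository::class);
-$encrypter = new Encrypter(str_repeat('a', 16));
+$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
 $request = Request::create('/');
 $request->headers->set('X-CSRF-TOKEN', 'token');
@@ -544,7 +544,7 @@ public function test_clients_may_be_retrieved_from_cookies()
 'aud' => 1,
 'csrf' => 'token',
 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-], str_repeat('a', 16), 'HS256'), false)
+], $key, 'HS256'), false)
 );
 
 $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);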
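Review bot: The line `$encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');` is now repeated in a dozen tests, and the assignment buried inside the argument list makes it easy to overlook that the same `$key` is then handed to the JWT-encoding call (whose opening lies outside each hunk) as the HS256 secret. Extract it once, `private function encrypter(): Encrypter { return new Encrypter(str_repeat('a', 32), 'aes-256-cbc'); }`, call `$encrypter = $this->encrypter();` in each test and sign with `$encrypter->getKey()`, so the key-length requirement lives in one place with a comment such as `// php-jwt >= 7 requires HS256 keys of at least 32 bytes`. Passing the same secret to both the cookie cipher and the HS256 signature presumably mirrors what TokenGuard does in production; if so, a note here that the encrypter's configured cipher now decides whether JWT encoding succeeds would help the next reader, since 16-byte aes-128-cbc keys are no longer covered by any of these tests. Every hunk in this file is a fragment of a test method that begins and ends outside it.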
