Fix firebase/php jwt vuln

composer.json

@@ -16,7 +16,7 @@
     "require": {
         "php": "^8.0",
         "ext-json": "*",
-        "firebase/php-jwt": "^6.4",
+        "firebase/php-jwt": "^6.4|^7.0",
         "illuminate/auth": "^9.21|^10.0|^11.0|^12.0",
         "illuminate/console": "^9.21|^10.0|^11.0|^12.0",
         "illuminate/container": "^9.21|^10.0|^11.0|^12.0",

tests/Unit/ApiTokenCookieFactoryTest.php

@@ -28,7 +28,7 @@ public function test_cookie_can_be_successfully_created()
             'secure' => true,
             'same_site' => 'lax',
         ]);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
         $factory = new ApiTokenCookieFactory($config, $encrypter);
 
         $cookie = $factory->make(1, 'token');
@@ -50,7 +50,7 @@ public function test_cookie_can_be_successfully_created_when_using_a_custom_encr
             'secure' => true,
             'same_site' => 'lax',
         ]);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
         $factory = new ApiTokenCookieFactory($config, $encrypter);
 
         $cookie = $factory->make(1, 'token');

tests/Unit/TokenGuardTest.php

@@ -152,7 +152,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $clients->shouldReceive('findActive')
             ->with(1)
@@ -166,7 +166,7 @@ public function test_users_may_be_retrieved_from_cookies_with_csrf_token_header(
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'), false)
+            ], $key, 'HS256'), false)
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -185,7 +185,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $clients->shouldReceive('findActive')
             ->with(1)
@@ -199,7 +199,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header(
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'), false)
+            ], $key, 'HS256'), false)
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -218,7 +218,7 @@ public function test_cookie_xsrf_is_verified_against_csrf_token_header()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $request = Request::create('/');
         $request->headers->set('X-CSRF-TOKEN', 'wrong_token');
@@ -228,7 +228,7 @@ public function test_cookie_xsrf_is_verified_against_csrf_token_header()
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'))
+            ], $key, 'HS256'))
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -244,7 +244,7 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $request = Request::create('/');
         $request->headers->set('X-XSRF-TOKEN', $encrypter->encrypt('wrong_token', false));
@@ -254,7 +254,7 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'))
+            ], $key, 'HS256'))
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -274,7 +274,7 @@ public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header_
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 
         $clients->shouldReceive('findActive')
             ->with(1)
@@ -315,7 +315,7 @@ public function test_users_may_be_retrieved_from_cookies_without_encryption()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter(str_repeat('a', 32), 'aes-256-cbc');
 
         $clients->shouldReceive('findActive')
             ->with(1)
@@ -352,7 +352,7 @@ public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $request = Request::create('/');
         $request->cookies->set('XSRF-TOKEN', $encrypter->encrypt('token', false));
@@ -362,7 +362,7 @@ public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'))
+            ], $key, 'HS256'))
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -378,7 +378,7 @@ public function test_expired_cookies_may_not_be_used()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $request = Request::create('/');
         $request->headers->set('X-CSRF-TOKEN', 'token');
@@ -388,7 +388,7 @@ public function test_expired_cookies_may_not_be_used()
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->subMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'))
+            ], $key, 'HS256'))
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -404,7 +404,7 @@ public function test_csrf_check_can_be_disabled()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $clients->shouldReceive('findActive')
             ->with(1)
@@ -418,7 +418,7 @@ public function test_csrf_check_can_be_disabled()
                 'sub' => 1,
                 'aud' => 1,
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'), false)
+            ], $key, 'HS256'), false)
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);
@@ -534,7 +534,7 @@ public function test_clients_may_be_retrieved_from_cookies()
         $userProvider = m::mock(PassportUserProvider::class);
         $tokens = m::mock(TokenRepository::class);
         $clients = m::mock(ClientRepository::class);
-        $encrypter = new Encrypter(str_repeat('a', 16));
+        $encrypter = new Encrypter($key = str_repeat('a', 32), 'aes-256-cbc');
 
         $request = Request::create('/');
         $request->headers->set('X-CSRF-TOKEN', 'token');
@@ -544,7 +544,7 @@ public function test_clients_may_be_retrieved_from_cookies()
                 'aud' => 1,
                 'csrf' => 'token',
                 'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
-            ], str_repeat('a', 16), 'HS256'), false)
+            ], $key, 'HS256'), false)
         );
 
         $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter, $request);