Release 7.20.0 (#482)

* Release 7.20.0

Author: kishore7snehil

.version

@@ -1 +1 @@
-7.19.0
+7.20.0

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+## [7.20.0](https://github.com/auth0/laravel-auth0/tree/7.20.0) (2025-12-16)
+[Full Changelog](https://github.com/auth0/laravel-auth0/compare/7.19.0...7.20.0)
+
+**Fixed**
+
+- Security fix: Resolve CVE-2025-68129
+
 ## [7.19.0](https://github.com/auth0/laravel-auth0/tree/7.19.0) (2025-10-01)
 
 [Full Changelog](https://github.com/auth0/laravel-auth0/compare/7.18.0...7.19.0)

src/ServiceAbstract.php

@@ -22,7 +22,7 @@ abstract class ServiceAbstract extends InstanceEntityAbstract
      *
      * @var string
      */
-    public const VERSION = '7.19.0';
+    public const VERSION = '7.20.0';
 
     /**
      * Decode a PSR-7 HTTP Response Message containing a JSON content body to a PHP array. Returns null if the response was not successful, or the response body was not JSON.

tests/Unit/Middleware/AuthorizeMiddlewareTest.php

@@ -13,16 +13,28 @@
 
 beforeEach(function (): void {
     $this->secret = uniqid();
+    $this->domain = uniqid() . '.auth0.com';
+    $this->clientId = uniqid();
+    $this->audience = [uniqid()];
+    $this->cookieSecret = uniqid();
 
     config([
         'auth0.AUTH0_CONFIG_VERSION' => 2,
         'auth0.guards.default.strategy' => SdkConfiguration::STRATEGY_API,
-        'auth0.guards.default.domain' => uniqid() . '.auth0.com',
-        'auth0.guards.default.clientId' => uniqid(),
-        'auth0.guards.default.audience' => [uniqid()],
+        'auth0.guards.default.domain' => $this->domain,
+        'auth0.guards.default.clientId' => $this->clientId,
+        'auth0.guards.default.audience' => $this->audience,
         'auth0.guards.default.clientSecret' => $this->secret,
-        'auth0.guards.default.cookieSecret' => uniqid(),
+        'auth0.guards.default.cookieSecret' => $this->cookieSecret,
         'auth0.guards.default.tokenAlgorithm' => Token::ALGO_HS256,
+        // Also configure 'web' since legacyGuard uses configuration => 'web'
+        'auth0.guards.web.strategy' => SdkConfiguration::STRATEGY_API,
+        'auth0.guards.web.domain' => $this->domain,
+        'auth0.guards.web.clientId' => $this->clientId,
+        'auth0.guards.web.audience' => $this->audience,
+        'auth0.guards.web.clientSecret' => $this->secret,
+        'auth0.guards.web.cookieSecret' => $this->cookieSecret,
+        'auth0.guards.web.tokenAlgorithm' => Token::ALGO_HS256,
     ]);
 
     $this->laravel = app('auth0');
@@ -74,11 +86,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),
@@ -103,11 +114,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),
@@ -132,11 +142,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),

tests/Unit/Middleware/AuthorizeOptionalMiddlewareTest.php

@@ -13,16 +13,28 @@
 
 beforeEach(function (): void {
     $this->secret = uniqid();
+    $this->domain = uniqid() . '.auth0.com';
+    $this->clientId = uniqid();
+    $this->audience = [uniqid()];
+    $this->cookieSecret = uniqid();
 
     config([
         'auth0.AUTH0_CONFIG_VERSION' => 2,
         'auth0.guards.default.strategy' => SdkConfiguration::STRATEGY_API,
-        'auth0.guards.default.domain' => uniqid() . '.auth0.com',
-        'auth0.guards.default.clientId' => uniqid(),
-        'auth0.guards.default.audience' => [uniqid()],
+        'auth0.guards.default.domain' => $this->domain,
+        'auth0.guards.default.clientId' => $this->clientId,
+        'auth0.guards.default.audience' => $this->audience,
         'auth0.guards.default.clientSecret' => $this->secret,
-        'auth0.guards.default.cookieSecret' => uniqid(),
+        'auth0.guards.default.cookieSecret' => $this->cookieSecret,
         'auth0.guards.default.tokenAlgorithm' => Token::ALGO_HS256,
+        // Also configure 'web' since legacyGuard uses configuration => 'web'
+        'auth0.guards.web.strategy' => SdkConfiguration::STRATEGY_API,
+        'auth0.guards.web.domain' => $this->domain,
+        'auth0.guards.web.clientId' => $this->clientId,
+        'auth0.guards.web.audience' => $this->audience,
+        'auth0.guards.web.clientSecret' => $this->secret,
+        'auth0.guards.web.cookieSecret' => $this->cookieSecret,
+        'auth0.guards.web.tokenAlgorithm' => Token::ALGO_HS256,
     ]);
 
     $this->laravel = app('auth0');
@@ -55,11 +67,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),
@@ -84,11 +95,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),
@@ -113,11 +123,10 @@
     $token = Generator::create($this->secret, Token::ALGO_HS256, [
         "iss" => 'https://' . config('auth0.guards.default.domain') . '/',
         "sub" => "auth0|123456",
-        "aud" => [
-          "https://example.com/health-api",
-          "https://my-domain.auth0.com/userinfo",
-          config('auth0.guards.default.clientId')
-        ],
+        "aud" => array_merge(
+          $this->audience,
+          [config('auth0.guards.default.clientId')]
+        ),
         "azp" => config('auth0.guards.default.clientId'),
         "exp" => time() + 60,
         "iat" => time(),