Merge branch '10.x'

# Conflicts:
#	CHANGELOG.md
#	src/Passport.php

Author: driesvints

.github/workflows/tests.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        php: [7.3, 7.4, 8.0]
+        php: [7.3, 7.4, 8.0, 8.1]
         laravel: [^8.0]
 
     name: PHP ${{ matrix.php }} - Laravel ${{ matrix.laravel }}

CHANGELOG.md

@@ -1,6 +1,15 @@
 # Release Notes
 
-## [Unreleased](https://github.com/laravel/passport/compare/v10.1.4...master)
+## [Unreleased](https://github.com/laravel/passport/compare/v10.2.0...master)
+
+
+## [v10.2.0 (2021-11-02)](https://github.com/laravel/passport/compare/v10.1.4...v10.2.0)
+
+### Added
+- Add custom encryption key for JWT tokens ([#1501](https://github.com/laravel/passport/pull/1501))
+
+### Changed
+- Refactor expiry dates to intervals ([#1500](https://github.com/laravel/passport/pull/1500))
 
 
 ## [v10.1.4 (2021-10-19)](https://github.com/laravel/passport/compare/v10.1.3...v10.1.4)

phpunit.xml.dist

@@ -4,6 +4,7 @@
          beStrictAboutTestsThatDoNotTestAnything="false"
          bootstrap="vendor/autoload.php"
          colors="true"
+         convertDeprecationsToExceptions="true"
          convertErrorsToExceptions="true"
          convertNoticesToExceptions="true"
          convertWarningsToExceptions="true"

src/ApiTokenCookieFactory.php

@@ -77,6 +77,6 @@ protected function createToken($userId, $csrfToken, Carbon $expiration)
             'sub' => $userId,
             'csrf' => $csrfToken,
             'expiry' => $expiration->getTimestamp(),
-        ], $this->encrypter->getKey());
+        ], Passport::tokenEncryptionKey($this->encrypter));
     }
 }

src/Guards/TokenGuard.php

@@ -249,7 +249,7 @@ protected function decodeJwtTokenCookie($request)
     {
         return (array) JWT::decode(
             CookieValuePrefix::remove($this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies)),
-            $this->encrypter->getKey(),
+            Passport::tokenEncryptionKey($this->encrypter),
             ['HS256']
         );
     }

src/Passport.php

@@ -5,6 +5,7 @@
 use Carbon\Carbon;
 use DateInterval;
 use DateTimeInterface;
+use Illuminate\Contracts\Encryption\Encrypter;
 use League\OAuth2\Server\ResourceServer;
 use Mockery;
 use Psr\Http\Message\ServerRequestInterface;
@@ -38,23 +39,50 @@ class Passport
      * The date when access tokens expire.
      *
      * @var \DateTimeInterface|null
+     *
+     * @deprecated Will be removed in the next major Passport release.
      */
     public static $tokensExpireAt;
 
+    /**
+     * The interval when access tokens expire.
+     *
+     * @var \DateInterval|null
+     */
+    public static $tokensExpireIn;
+
     /**
      * The date when refresh tokens expire.
      *
      * @var \DateTimeInterface|null
+     *
+     * @deprecated Will be removed in the next major Passport release.
      */
     public static $refreshTokensExpireAt;
 
+    /**
+     * The date when refresh tokens expire.
+     *
+     * @var \DateInterval|null
+     */
+    public static $refreshTokensExpireIn;
+
     /**
      * The date when personal access tokens expire.
      *
      * @var \DateTimeInterface|null
+     *
+     * @deprecated Will be removed in the next major Passport release.
      */
     public static $personalAccessTokensExpireAt;
 
+    /**
+     * The date when personal access tokens expire.
+     *
+     * @var \DateInterval|null
+     */
+    public static $personalAccessTokensExpireIn;
+
     /**
      * The name for API token cookies.
      *
@@ -133,10 +161,19 @@ class Passport
     public static $unserializesCookies = false;
 
     /**
+     * Indicates if client secrets will be hashed.
+     *
      * @var bool
      */
     public static $hashesClientSecrets = false;
 
+    /**
+     * The callback that should be used to generate JWT encryption keys.
+     *
+     * @var callable
+     */
+    public static $tokenEncryptionKeyCallback;
+
     /**
      * Indicates the scope should inherit its parent scope.
      *
@@ -235,12 +272,11 @@ public static function tokensCan(array $scopes)
     public static function tokensExpireIn(DateTimeInterface $date = null)
     {
         if (is_null($date)) {
-            return static::$tokensExpireAt
-                            ? Carbon::now()->diff(static::$tokensExpireAt)
-                            : new DateInterval('P1Y');
+            return static::$tokensExpireIn ?? new DateInterval('P1Y');
         }
 
         static::$tokensExpireAt = $date;
+        static::$tokensExpireIn = Carbon::now()->diff($date);
 
         return new static;
     }
@@ -254,12 +290,11 @@ public static function tokensExpireIn(DateTimeInterface $date = null)
     public static function refreshTokensExpireIn(DateTimeInterface $date = null)
     {
         if (is_null($date)) {
-            return static::$refreshTokensExpireAt
-                            ? Carbon::now()->diff(static::$refreshTokensExpireAt)
-                            : new DateInterval('P1Y');
+            return static::$refreshTokensExpireIn ?? new DateInterval('P1Y');
         }
 
         static::$refreshTokensExpireAt = $date;
+        static::$refreshTokensExpireIn = Carbon::now()->diff($date);
 
         return new static;
     }
@@ -273,12 +308,11 @@ public static function refreshTokensExpireIn(DateTimeInterface $date = null)
     public static function personalAccessTokensExpireIn(DateTimeInterface $date = null)
     {
         if (is_null($date)) {
-            return static::$personalAccessTokensExpireAt
-                ? Carbon::now()->diff(static::$personalAccessTokensExpireAt)
-                : new DateInterval('P1Y');
+            return static::$personalAccessTokensExpireIn ?? new DateInterval('P1Y');
         }
 
         static::$personalAccessTokensExpireAt = $date;
+        static::$personalAccessTokensExpireIn = Carbon::now()->diff($date);
 
         return new static;
     }
@@ -590,6 +624,32 @@ public static function hashClientSecrets()
         return new static;
     }
 
+    /**
+     * Specify the callback that should be invoked to generate encryption keys for encrypting JWT tokens.
+     *
+     * @param  callable  $callback
+     * @return static
+     */
+    public static function encryptTokensUsing($callback)
+    {
+        static::$tokenEncryptionKeyCallback = $callback;
+
+        return new static;
+    }
+
+    /**
+     * Generate an encryption key for encrypting JWT tokens.
+     *
+     * @param  \Illuminate\Contracts\Encryption\Encrypter  $encrypter
+     * @return string
+     */
+    public static function tokenEncryptionKey(Encrypter $encrypter)
+    {
+        return is_callable(static::$tokenEncryptionKeyCallback) ?
+            (static::$tokenEncryptionKeyCallback)($encrypter) :
+            $encrypter->getKey();
+    }
+
     /**
      * Configure Passport to not register its migrations.
      *

tests/Unit/ApiTokenCookieFactoryTest.php

@@ -3,8 +3,10 @@
 namespace Laravel\Passport\Tests\Unit;
 
 use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\Encryption\Encrypter as EncrypterContract;
 use Illuminate\Encryption\Encrypter;
 use Laravel\Passport\ApiTokenCookieFactory;
+use Laravel\Passport\Passport;
 use Mockery as m;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Cookie;
@@ -33,4 +35,29 @@ public function test_cookie_can_be_successfully_created()
 
         $this->assertInstanceOf(Cookie::class, $cookie);
     }
+
+    public function test_cookie_can_be_successfully_created_when_using_a_custom_encryption_key()
+    {
+        Passport::encryptTokensUsing(function (EncrypterContract $encrypter) {
+            return $encrypter->getKey().'.mykey';
+        });
+
+        $config = m::mock(Repository::class);
+        $config->shouldReceive('get')->with('session')->andReturn([
+            'lifetime' => 120,
+            'path' => '/',
+            'domain' => null,
+            'secure' => true,
+            'same_site' => 'lax',
+        ]);
+        $encrypter = new Encrypter(str_repeat('a', 16));
+        $factory = new ApiTokenCookieFactory($config, $encrypter);
+
+        $cookie = $factory->make(1, 'token');
+
+        $this->assertInstanceOf(Cookie::class, $cookie);
+
+        // Revert to the default encryption method
+        Passport::encryptTokensUsing(null);
+    }
 }

tests/Unit/TokenGuardTest.php

@@ -6,6 +6,7 @@
 use Firebase\JWT\JWT;
 use Illuminate\Container\Container;
 use Illuminate\Contracts\Debug\ExceptionHandler;
+use Illuminate\Contracts\Encryption\Encrypter as EncrypterContract;
 use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Encryption\Encrypter;
 use Illuminate\Http\Request;
@@ -229,6 +230,46 @@ public function test_cookie_xsrf_is_verified_against_xsrf_token_header()
         $this->assertNull($guard->user($request));
     }
 
+    public function test_users_may_be_retrieved_from_cookies_with_xsrf_token_header_when_using_a_custom_encryption_key()
+    {
+        Passport::encryptTokensUsing(function (EncrypterContract $encrypter) {
+            return $encrypter->getKey().'.mykey';
+        });
+
+        $resourceServer = m::mock(ResourceServer::class);
+        $userProvider = m::mock(PassportUserProvider::class);
+        $tokens = m::mock(TokenRepository::class);
+        $clients = m::mock(ClientRepository::class);
+        $encrypter = new Encrypter(str_repeat('a', 16));
+
+        $clients->shouldReceive('findActive')
+            ->with(1)
+            ->andReturn(new TokenGuardTestClient);
+
+        $guard = new TokenGuard($resourceServer, $userProvider, $tokens, $clients, $encrypter);
+
+        $request = Request::create('/');
+        $request->headers->set('X-XSRF-TOKEN', $encrypter->encrypt(CookieValuePrefix::create('X-XSRF-TOKEN', $encrypter->getKey()).'token', false));
+        $request->cookies->set('laravel_token',
+            $encrypter->encrypt(CookieValuePrefix::create('laravel_token', $encrypter->getKey()).JWT::encode([
+                'sub' => 1,
+                'aud' => 1,
+                'csrf' => 'token',
+                'expiry' => Carbon::now()->addMinutes(10)->getTimestamp(),
+            ], Passport::tokenEncryptionKey($encrypter)), false)
+        );
+
+        $userProvider->shouldReceive('retrieveById')->with(1)->andReturn($expectedUser = new TokenGuardTestUser);
+        $userProvider->shouldReceive('getProviderName')->andReturn(null);
+
+        $user = $guard->user($request);
+
+        $this->assertEquals($expectedUser, $user);
+
+        // Revert to the default encryption method
+        Passport::encryptTokensUsing(null);
+    }
+
     public function test_xsrf_token_cookie_without_a_token_header_is_not_accepted()
     {
         $resourceServer = m::mock(ResourceServer::class);