- Got local tests passing

Author: dash8x

.github/workflows/run-tests.yml

@@ -16,10 +16,13 @@ jobs:
         fail-fast: true
         matrix:
             os: [ ubuntu-latest ]
-            php: [ 8.4, 8.3, 8.2, 8.1 ]
-            laravel: [ 12.*, 11.*, 10.*, 9.* ]
+            php: [ 8.4, 8.3, 8.2 ]
+            laravel: [ 13.*, 12.*, 11.* ]
             stability: [ prefer-lowest, prefer-stable ]
             include:
+                -   laravel: 13.*
+                    testbench: 11.*
+                    carbon: ^3.8.4
                 -   laravel: 12.*
                     passport: 12.*
                     testbench: 10.*
@@ -28,19 +31,9 @@ jobs:
                     passport: 12.*
                     testbench: ^9.16
                     carbon: ^2.63
-                -   laravel: 10.*
-                    passport: 11.*
-                    testbench: 8.*
-                    carbon: ^2.63
-                -   laravel: 9.*
-                    passport: 11.*
-                    testbench: 7.*
-                    carbon: ^2.63
             exclude:
-                -   laravel: 12.*
-                    php: 8.1
-                -   laravel: 11.*
-                    php: 8.1
+                -   laravel: 13.*
+                    php: 8.2
 
     name: P${{ matrix.php }} - L${{ matrix.laravel }} - ${{ matrix.stability }} - ${{ matrix.os }}
 

composer.json

@@ -10,14 +10,14 @@
         }
     ],
     "require": {
-        "php": "^8.1",
-        "illuminate/support": "^9.0 || ^10.0 || ^11.0 || ^12.0",
-        "laravel/passport": "^11.10 || ^12.0"
+        "php": "^8.2",
+        "illuminate/support": "^11.35 || ^12.0 || ^13.0",
+        "laravel/passport": "^13.0"
     },
     "require-dev": {
-        "orchestra/testbench": "^7.0 || ^8.0 || ^9.16 || ^10.0",
-        "phpunit/phpunit": "^9.5 || ^10.5 || ^11.5.3",
-        "spatie/laravel-query-builder": "^5.7 || ^6.3"
+        "orchestra/testbench": "^9.16 || ^10.8 || ^11.0",
+        "phpunit/phpunit": "^10.5 || ^11.5.3 || ^12.5.8 || ^13.0.3",
+        "spatie/laravel-query-builder": "^6.3"
     },
     "autoload": {
         "psr-4": {
@@ -31,7 +31,7 @@
     },
     "extra": {
         "branch-alias": {
-            "dev-main": "1.0-dev"
+            "dev-main": "2.0-dev"
         },
         "laravel": {
             "providers": [

docs/metadata.json

@@ -1,5 +1,5 @@
 {
     "name": "Passport",
     "description": "laravel/passport with modifications",
-    "version": "1"
+    "version": "2"
 }

src/Bridge/ScopeRepository.php

@@ -2,8 +2,11 @@
 
 namespace Javaabu\Passport\Bridge;
 
+use Illuminate\Support\Collection;
+use Laravel\Passport\Client;
 use Laravel\Passport\Passport;
 use League\OAuth2\Server\Entities\ClientEntityInterface;
+use League\OAuth2\Server\Entities\ScopeEntityInterface;
 
 class ScopeRepository extends \Laravel\Passport\Bridge\ScopeRepository
 {
@@ -12,20 +15,26 @@ class ScopeRepository extends \Laravel\Passport\Bridge\ScopeRepository
      */
     public function finalizeScopes(
         array $scopes,
-        $grantType,
+        string $grantType,
         ClientEntityInterface $clientEntity,
-        $userIdentifier = null
-    )
+        ?string $userIdentifier = null,
+        ?string $authCodeId = null
+    ): array
     {
         // Allow * scope for social grant
-        if (! in_array($grantType, ['password', 'personal_access', 'client_credentials', 'social'])) {
-            $scopes = collect($scopes)->reject(function ($scope) {
-                return trim($scope->getIdentifier()) === '*';
-            })->values()->all();
-        }
-
-        return collect($scopes)->filter(function ($scope) {
-            return Passport::hasScope($scope->getIdentifier());
-        })->values()->all();
+        return collect($scopes)
+            ->unless(in_array($grantType, ['password', 'personal_access', 'client_credentials', 'social']),
+                fn (Collection $scopes): Collection => $scopes->reject(
+                    fn (ScopeEntityInterface $scope): bool => $scope->getIdentifier() === '*'
+                )
+            )
+            ->filter(fn (ScopeEntityInterface $scope): bool => Passport::hasScope($scope->getIdentifier()))
+            ->when($this->clients->findActive($clientEntity->getIdentifier()),
+                fn (Collection $scopes, Client $client): Collection => $scopes->filter(
+                    fn (ScopeEntityInterface $scope): bool => $client->hasScope($scope->getIdentifier())
+                )
+            )
+            ->values()
+            ->all();
     }
 }

src/Guards/TokenGuard.php

@@ -2,7 +2,8 @@
 
 namespace Javaabu\Passport\Guards;
 
-use Illuminate\Http\Request;
+use Exception;
+use Illuminate\Contracts\Auth\Authenticatable;
 use Javaabu\Passport\Traits\HasUserIdentifier;
 use Laravel\Passport\TransientToken;
 
@@ -12,21 +13,22 @@ class TokenGuard extends \Laravel\Passport\Guards\TokenGuard
 
     /**
      * Authenticate the incoming request via the token cookie.
-     *
-     * @param  Request  $request
-     * @return mixed
      */
-    protected function authenticateViaCookie($request)
+    protected function authenticateViaCookie(): ?Authenticatable
     {
-        if (! $token = $this->getTokenViaCookie($request)) {
-            return;
+        if (! $token = $this->getTokenViaCookie()) {
+            return null;
         }
 
         // If this user exists, we will return this user and attach a "transient" token to
         // the user model. The transient token assumes it has all scopes since the user
         // is physically logged into the application via the application's interface.
-        if ($user = $this->retrieveUserById($token['sub'])) {
-            return $user->withAccessToken(new TransientToken());
+        try {
+            $user = $this->retrieveUserById($token['sub']);
+        } catch (Exception) {
+            return null;
         }
+
+        return $user?->withAccessToken(new TransientToken);
     }
 }

src/Http/Middleware/AuthenticateOAuthClient.php

@@ -9,22 +9,27 @@
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Auth\AuthenticationException;
 use Illuminate\Auth\Middleware\Authenticate;
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Contracts\Encryption\DecryptException;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Illuminate\Cookie\CookieValuePrefix;
 use Illuminate\Cookie\Middleware\EncryptCookies;
 use Illuminate\Http\Request;
+use Javaabu\Passport\Traits\HasUserIdentifier;
+use Laravel\Passport\Client;
 use Laravel\Passport\Exceptions\MissingScopeException;
-use Laravel\Passport\Http\Middleware\CheckClientCredentials;
+use Laravel\Passport\Http\Middleware\CheckToken;
 use Laravel\Passport\Passport;
+use Laravel\Passport\TransientToken;
 
 class AuthenticateOAuthClient
 {
+    use HasUserIdentifier;
+
     /**
-     * The encrypter implementation.
-     *
-     * @var Encrypter
+     * The currently authenticated client.
      */
-    protected $encrypter;
+    protected ?Client $client = null;
 
     /**
      * Create a new token guard instance.
@@ -33,10 +38,10 @@ class AuthenticateOAuthClient
      * @return void
      */
     public function __construct(
-        Encrypter $encrypter
+        protected Encrypter $encrypter,
+        protected Request $request,
     )
     {
-        $this->encrypter = $encrypter;
     }
 
     /**
@@ -74,9 +79,9 @@ public function handle($request, Closure $next, ...$scopes)
         } catch (AuthenticationException $e) {
             try {
                 //authentication failed, try client auth
-                return app(CheckClientCredentials::class)->handle($request, $next, ...$scopes);
+                return app(CheckToken::class)->handle($request, $next, ...$scopes);
             } catch (AuthenticationException $e) {
-                $this->authenticateViaCookie($request);
+                $this->authenticateViaCookie();
 
                 return $next($request);
             }
@@ -91,42 +96,52 @@ protected function getApiGuards(): array
         return config('auth.passport_guards', ['api']);
     }
 
-    /**
-     * Authenticate the incoming request via the token cookie.
-     *
-     * @param  Request  $request
-     * @return void
-     */
-    protected function authenticateViaCookie($request)
+    protected function authenticateViaCookie(): ?Authenticatable
     {
-        if (!$token = $this->getTokenViaCookie($request)) {
-            throw new AuthenticationException();
+        if (! $token = $this->getTokenViaCookie()) {
+            return null;
         }
+
+        // If this user exists, we will return this user and attach a "transient" token to
+        // the user model. The transient token assumes it has all scopes since the user
+        // is physically logged into the application via the application's interface.
+        try {
+            $user = $this->retrieveUserById($token['sub']);
+        } catch (Exception) {
+            return null;
+        }
+
+        return $user?->withAccessToken(new TransientToken);
     }
 
     /**
      * Get the token cookie via the incoming request.
      *
-     * @param  Request  $request
-     * @return mixed
+     * @return array<string, mixed>|null
      */
-    protected function getTokenViaCookie($request)
+    protected function getTokenViaCookie(): ?array
     {
         // If we need to retrieve the token from the cookie, it'll be encrypted so we must
         // first decrypt the cookie and then attempt to find the token value within the
         // database. If we can't decrypt the value we'll bail out with a null return.
         try {
-            $token = $this->decodeJwtTokenCookie($request);
-        } catch (Exception $e) {
-            return;
+            $token = $this->decodeJwtTokenCookie();
+        } catch (Exception) {
+            return null;
+        }
+
+        // Token's expiration time is checked using the "exp" claim during decoding, but
+        // legacy tokens may have an "expiry" claim instead of the standard "exp". So
+        // we must manually check token's expiry, if the "expiry" claim is present.
+        if (isset($token['expiry']) && time() >= $token['expiry']) {
+            return null;
         }
 
         // We will compare the CSRF token in the decoded API token against the CSRF header
         // sent with the request. If they don't match then this request isn't sent from
         // a valid source and we won't authenticate the request for further handling.
-        if (!Passport::$ignoreCsrfToken && (!$this->validCsrf($token, $request) ||
-                time() >= $token['expiry'])) {
-            return;
+        if (! Passport::$ignoreCsrfToken && ! $this->validCsrf($token)) {
+            return null;
         }
 
         return $token;
@@ -135,56 +150,74 @@ protected function getTokenViaCookie($request)
     /**
      * Decode and decrypt the JWT token cookie.
      *
-     * @param  Request  $request
-     * @return array
+     * @return array<string, mixed>
      */
-    protected function decodeJwtTokenCookie($request)
+    protected function decodeJwtTokenCookie(): array
     {
-        return (array)JWT::decode(
-            CookieValuePrefix::remove($this->encrypter->decrypt($request->cookie(Passport::cookie()), Passport::$unserializesCookies)),
-            new Key(Passport::tokenEncryptionKey($this->encrypter), 'HS256'),
+        $jwt = $this->request->cookie(Passport::cookie());
+
+        return (array) JWT::decode(
+            Passport::$decryptsCookies
+                ? CookieValuePrefix::remove($this->encrypter->decrypt($jwt, Passport::$unserializesCookies))
+                : $jwt,
+            new Key(Passport::tokenEncryptionKey($this->encrypter), 'HS256')
         );
     }
 
     /**
      * Determine if the CSRF / header are valid and match.
      *
-     * @param  array                     $token
-     * @param  Request  $request
-     * @return bool
+     * @param  array<string, mixed>  $token
      */
-    protected function validCsrf($token, $request)
+    protected function validCsrf(array $token): bool
     {
-        return isset($token['csrf']) && hash_equals(
-                $token['csrf'],
-                (string)$this->getTokenFromRequest($request)
-            );
+        $requestToken = $this->getTokenFromRequest();
+
+        return isset($token['csrf']) &&
+            is_string($requestToken) &&
+            hash_equals($token['csrf'], $requestToken);
     }
 
     /**
      * Get the CSRF token from the request.
-     *
-     * @param  Request  $request
-     * @return string
      */
-    protected function getTokenFromRequest($request)
+    protected function getTokenFromRequest(): ?string
     {
-        $token = $request->header('X-CSRF-TOKEN');
+        $token = $this->request->header('X-CSRF-TOKEN');
 
-        if (!$token && $header = $request->header('X-XSRF-TOKEN')) {
-            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
+        if (! $token && $header = $this->request->header('X-XSRF-TOKEN')) {
+            try {
+                $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
+            } catch (DecryptException) {
+                $token = null;
+            }
         }
 
         return $token;
     }
 
+    public function setRequest(Request $request): static
+    {
+        $this->request = $request;
+
+        return $this;
+    }
+
     /**
      * Determine if the cookie contents should be serialized.
-     *
-     * @return bool
      */
-    public static function serialized()
+    public static function serialized(): bool
     {
         return EncryptCookies::serialized('XSRF-TOKEN');
     }
+
+    /**
+     * Set the client for the current request.
+     */
+    public function setClient(Client $client): static
+    {
+        $this->client = $client;
+
+        return $this;
+    }
 }