[5.3] Update TokenGuard.php to look for key in query string items onl…

…y. (#14985) * Update TokenGuard.php to look for key in query string items only. Because in Larvel's combined input system, the body items take precedence over query string items. If an item appears in the body that uses the same key as the one being used for the API token, then this body item is then assumed to be the token which could lead to authentication errors especially if the key is being set to a more generic custom name with a high risk of conflict, e.g. 'password'. This file has been edited to restrict the API token to being in the query string only by using request->query instead of request->input which I think is the expected behaviour for token authentication. * Update TokenGuard.php
laravel · Aug 24, 2016 · cbc8d6e · cbc8d6e · alexpli · Aug 29, 2016
1 parent 65927fc
commit cbc8d6e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/Illuminate/Auth/TokenGuard.php b/src/Illuminate/Auth/TokenGuard.php
@@ -18,7 +18,7 @@ class TokenGuard implements Guard
     protected $request;
 
     /**
-     * The name of the field on the request containing the API token.
+     * The name of the query string item from the request containing the API token.
      *
      * @var string
      */
@@ -80,7 +80,7 @@ public function user()
      */
     public function getTokenForRequest()
     {
-        $token = $this->request->input($this->inputKey);
+        $token = $this->request->query($this->inputKey);
 
         if (empty($token)) {
             $token = $this->request->bearerToken();