[5.3] Update TokenGuard.php to look for key in query string items only. (#14985)
* Update TokenGuard.php to look for key in query string items only. Because in Laravel's combined input system, the body items take precedence over query string items. If an item appears in the body that uses the same key as the one being used for the API token, then this body item is then assumed to be the token which could lead to authentication errors especially if the key is being set to a more generic custom name with a high risk of conflict, e.g. 'password'. This file has been edited to restrict the API token to being in the query string only by using request->query instead of request->input which I think is the expected behaviour for token authentication.
* Update TokenGuard.php
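The key collision the commit message describes, and the body-only case the comments on this commit report, shown as an added example that is not part of the commit or of Laravel's code. It is a simplified plain-PHP model: `combinedInput` and `queryOnly` are hypothetical stand-ins for `request->input` and `request->query`, and all request values are constructed.

```php
<?php
// Simplified model of the two lookups, NOT Laravel's implementation.
// Assumption (taken from the commit message): in the combined input, a body
// item overrides a query string item that uses the same key.

/** Combined lookup: body items take precedence over query string items. */
function combinedInput(array $query, array $body, string $key): ?string
{
    $merged = array_replace($query, $body); // later array wins on duplicate keys
    return $merged[$key] ?? null;
}

/** Query-only lookup: the body is accepted for symmetry but never consulted. */
function queryOnly(array $query, array $body, string $key): ?string
{
    return $query[$key] ?? null;
}

// Constructed sample requests. The token key is set to 'password', the
// conflict-prone custom name the commit message gives as an example.
$key = 'password';
$cases = [
    // Body field shadows the token: the combined lookup authenticates with the wrong value.
    'token in query, same key also in body' => [
        ['password' => 'API-TOKEN-123'], ['password' => 'new-user-password'],
    ],
    // No conflict: both lookups agree.
    'token in query only' => [
        ['password' => 'API-TOKEN-123'], ['name' => 'alice'],
    ],
    // Clients that send the token in the body: the query-only lookup finds nothing.
    'token in body only' => [
        [], ['password' => 'API-TOKEN-123'],
    ],
];

foreach ($cases as $label => [$query, $body]) {
    printf(
        "%-40s combined=%-20s query-only=%s\n",
        $label,
        var_export(combinedInput($query, $body, $key), true),
        var_export(queryOnly($query, $body, $key), true)
    );
}
```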
cbc8d6e
FYI, I have an issue with this change on some requests with the HTTP networking library Alamofire on iOS. I don't know why and I've tried everything.
cbc8d6e
Yes, this has caused a problem for me, because we have a huge network of API users who rely on this, and the instruction has been given to them to pass the key in the body. Now, with the upgrade to 5.3, it has become a problem for us, because the requests are not being authenticated as the query string is missing. Would it be possible to maybe have a config for this? So we can decide whether or not the API key must be passed in the query.