Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[5.3] Update TokenGuard.php to look for key in query string items only. #14985

Merged
merged 2 commits into from
Aug 24, 2016

Conversation

malhal
Copy link
Contributor

@malhal malhal commented Aug 24, 2016

Because in Larvel's combined input system, the body items take precedence over query string items. If an item appears in the body that uses the same key as the one being used for the API token, then this body item is then assumed to be the token which could lead to authentication errors especially if the key is being set to a more generic custom name with a high risk of conflict, e.g. 'password'. This file has been edited to restrict the API token to being in the query string only by using request->query instead of request->input which I think is the expected behaviour for token authentication.

After checking the query string it still falls back to looking in the headers for a bearer token or basic auth password as it was originally designed.

I also renamed the variable to queryKey to convey it is only relevant to the query string rather than the combined input, however, given 5.3 is already released this would be a breaking change if anyone has already subclassed TokenGuard to rename the token key. Thus it might be better to leave the variable named inputKey.

Because in Larvel's combined input system, the body items take precedence over query string items. If an item appears in the body that uses the same key as the one being used for the API token, then this body item is then assumed to be the token which could lead to authentication errors especially if the key is being set to a more generic custom name with a high risk of conflict, e.g. 'password'. This file has been edited to restrict the API token to being in the query string only by using request->query instead of request->input which I think is the expected behaviour for token authentication.
*
* @var string
*/
protected $inputKey;
protected $queryKey;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this could potentially be breaking BC, if one extending Illuminate\Auth\TokenGuard and changing the $inputKey.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks I updated the description to mention that potential issue.

Copy link
Member

@crynobone crynobone Aug 24, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, you need to stick with the old variable name or send this pull request to master branch (for Laravel 5.4), breaking BC is only permitted on major release.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for letting me know that information. I added a commit reverting back to the old variable name. So now all thats changed is the request->query access and the variable's comment.

@taylorotwell taylorotwell merged commit cbc8d6e into laravel:5.3 Aug 24, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants