Make tokens identifiable with prefix and checksum #459
Conversation
| @@ -542,7 +542,7 @@ protected function getPackageProviders($app) | |||
| return [SanctumServiceProvider::class]; | |||
| } | |||
|
|
|||
| public function invalidTokenDataProvider(): array | |||
| public static function invalidTokenDataProvider(): array | |||
There was a problem hiding this comment.
This fixes a phpunit warning, but I'm happy to separate it from the PR if it is too off topic.
|
Thanks 👍 |
| @@ -45,9 +45,16 @@ public function tokenCan(string $ability) | |||
| */ | |||
| public function createToken(string $name, array $abilities = ['*'], DateTimeInterface $expiresAt = null) | |||
| { | |||
| $plainTextToken = sprintf( | |||
| '%s%s%s', | |||
| config('sanctum.token_prefix', ''), | |||
There was a problem hiding this comment.
This will never be empty (unless the env var is defined with empty value), because the vendor's sanctum.php defines a laravel_sanctum_ default value, so the second argument will never be used.
If I understand correctly, this has been included in a minor version release 3.2.6. We use Laravel Sanctum version 3.2. We accidentally realized the tokens now have a "laravel_sanctum_" prefix unless the env var is redefined with empty content, which is unexpected. So we had to define an empty SANCTUM_TOKEN_PREFIX env var to avoid the prefix being prepended.
How is this not a breaking change?
Thanks for any feedback you may have.
There was a problem hiding this comment.
I strongly agree - this is a Breaking-Change!
In addition, our applications validate against the specific structure of the PAT and now all PAT have become longer and incompatible.
This change has to be reverted.
There was a problem hiding this comment.
I agree, a simple solution could be to make the default '' in this config value:
Line 64 in d64ce69
Right now we're exposing laravel_sanctum_ in our API keys. Some of us don't want to expose our stack details, it should be optional IMO.
There was a problem hiding this comment.
We've released a hotfix for this. Please let us know if that works (v3.3.0)
There was a problem hiding this comment.
Thank you! I'm afk, but based on the change in the code the unexpected change in behavior should be gone.
This PR adds prefixes and CRC32 checksums to tokens.
This makes generated tokens more identifiable to increase security posture by enabling the use of secret scanning technologies such as GitHub's secret scanning. With custom prefixes this allows developers onboard secrets they mint to to the GitHub secret scanning partner program.
laravel/framework#47977
Disclosure: I work for GitHub and I am the main engineer involved with the secret scanning partner program.