[API Module] - Upgrade to Passport 3.0

joselfonseca - 2 weeks ago

There is a security fix in the PHP league oAuth 2 server used by passport, Passport already upgraded in version 3.0 but it requires 5.4 libraries. I guess this question may also introduce the debate about the upgrade to Laravel 5.4, in order to use the latest passport version.

Any ideas?


ryanthompson - 2 weeks ago

Is there any way to require the later version without the hard update to Laravel 5.4? I plan on skipping it for 5.5 since there was so much breakage in it.

piterden - 2 weeks ago

@joselfonseca Have you looked at how much work needs to be done for it? Or are you just proposing?

joselfonseca - 2 weeks ago

Not sure, Passport in the composer.json does require Illuminate 5.4 packages. https://github.com/laravel/passport/blob/3.0/composer.json#L16 The other option would be to add the encryption key somehow in the API module service provider.

$server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');

Maybe overriding this method and adding the key before? https://github.com/laravel/passport/blob/1.0/src/PassportServiceProvider.php#L198
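One way to do the override described above, as an added example that is not code from the api-module PR or from Passport itself. It assumes Passport 1.x's makeAuthorizationServer() hook and a league/oauth2-server release that already exposes setEncryptionKey(); it reuses APP_KEY instead of committing a literal key as in the snippet above.

```php
<?php
// Added example: a provider that extends Passport 1.x's provider and sets the
// League encryption key on the server it builds. Assumes Passport 1.x exposes
// makeAuthorizationServer() and that league/oauth2-server >= 5.1.x is installed
// (the version that added setEncryptionKey()). Register this class in
// config/app.php in place of Laravel\Passport\PassportServiceProvider.
namespace App\Providers;

use Laravel\Passport\PassportServiceProvider as BasePassportServiceProvider;
use League\OAuth2\Server\AuthorizationServer;
use RuntimeException;

class PassportServiceProvider extends BasePassportServiceProvider
{
    /**
     * Build the League authorization server exactly as Passport does, then
     * attach the key the library uses to encrypt auth codes and refresh tokens.
     */
    public function makeAuthorizationServer()
    {
        /** @var AuthorizationServer $server */
        $server = parent::makeAuthorizationServer();

        $server->setEncryptionKey($this->encryptionKey());

        return $server;
    }

    /**
     * Reuse the application key (assumption: APP_KEY holds a 32-byte key,
     * optionally base64-encoded with the "base64:" prefix) and refuse to boot
     * without one, so tokens are never issued unencrypted by accident.
     */
    protected function encryptionKey()
    {
        $key = $this->app['config']->get('app.key');

        if (empty($key)) {
            throw new RuntimeException('APP_KEY must be set before Passport can encrypt tokens.');
        }

        if (substr($key, 0, 7) === 'base64:') {
            $key = base64_decode(substr($key, 7));
        }

        return $key;
    }
}
```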

joselfonseca - 2 weeks ago

@piterden I have not looked at it in detail, I mean I am just putting the problem on the table to see what we can come up with. Just want to make sure what path makes more sense to @ryanthompson, so if he does not have the time I can go in and make a PR, but I first wanted a conversation to know what path to take XD.

piterden - 2 weeks ago

There is almost a full stack of artisan commands that should be rewritten. And that's not all!

joselfonseca - 2 weeks ago

I bet, I think we can concentrate then on the PHP League server. I am going to see what can be done and propose a solution, I just want to get rid of this message while running my tests:

You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/

XD

ryanthompson - 2 weeks ago

Indeed - I'm open to it! I'd bet if you included a dependency in Streams Platform or even the base Pyro composer.json it'll pull.

Sorry if I prematurely closed that issue - I was on an issue destroying rampage earlier!

joselfonseca - 2 weeks ago

That is cool, I am working on a solution to send a PR, I think I will keep this in the API module so will let you know once I have it.

ryanthompson - 2 weeks ago

Good idea!

joselfonseca - 2 weeks ago

@ryanthompson here you go https://github.com/anomalylabs/api-module/pull/9 I think we can live with that until support for Passport 3.0 is added (Depends on Pyro migration to 5.4/5.5).

ryanthompson - 2 weeks ago

Close - we've got a small problem on that auth server object. See PR for notes.

Thanks!

joselfonseca - 2 weeks ago

This has been merged! https://github.com/anomalylabs/api-module/pull/9#issuecomment-313446215 We can call it done then. Just make sure you have the latest oAuth2 server by PHP league by running composer update.