[API Module] - Upgrade to Passport 3.0
Created 7 years ago by joselfonseca
There is a security fix in the PHP League oAuth 2 server used by Passport. Passport already upgraded in version 3.0, but it requires 5.4 libraries. I guess this question may also introduce the debate about the upgrade to Laravel 5.4, in order to use the latest Passport version.
Any ideas?
Is there any way to require the later version without the hard update to Laravel 5.4? I plan on skipping it for 5.5 since there was so much breakage in it.
@joselfonseca Have you looked at how much work needs to be done for it? Or are you just proposing?
Not sure, Passport in the composer.json does require Illuminate 5.4 packages. https://github.com/laravel/passport/blob/3.0/composer.json#L16 The other option would be to add the encryption key somehow in the API module service provider.
$server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
Maybe overriding this method and adding the key before? https://github.com/laravel/passport/blob/1.0/src/PassportServiceProvider.php#L198
@piterden I have not looked at it in detail. I mean, I am just putting the problem on the table to see what we can come up with. I just want to make sure what path makes more sense to @ryanthompson, so if he does not have the time I can go in and make a PR, but I first wanted a conversation to know what path to take XD.
I bet, I think we can concentrate then on the PHP League server. I am going to see what can be done and propose a solution, I just want to get rid of this message while running my tests:
You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/
XD
Indeed - I'm open to it! I'd bet if you included a dependency in Streams Platform or even the base Pyro composer.json it'll pull.
Sorry if I prematurely closed that issue - I was on an issue destroying rampage earlier!
That is cool, I am working on a solution to send a PR. I think I will keep this in the API module, so I will let you know once I have it.
Good idea!
@ryanthompson here you go https://github.com/anomalylabs/api-module/pull/9 I think we can live with that until support for Passport 3.0 is added (Depends on Pyro migration to 5.4/5.5).
This has been merged! https://github.com/anomalylabs/api-module/pull/9#issuecomment-313446215 We can call it done then. Just make sure you have the latest oAuth2 server by PHP league by running composer update.
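The approach discussed in the thread (overriding the Passport provider so the server gets its encryption key), sketched as an added example; this is not the code from the merged PR or from Passport itself. It assumes Passport's provider builds the server in makeAuthorizationServer(); the class name, namespace and the config entry api.oauth_encryption_key are hypothetical, and the key is read from configuration instead of being written into source.

```php
<?php

namespace App\Providers; // hypothetical namespace for this example

use Laravel\Passport\PassportServiceProvider;
use RuntimeException;

class KeyedPassportServiceProvider extends PassportServiceProvider
{
    /**
     * Build the authorization server as Passport does, then set the
     * encryption key before any grant type is enabled on it.
     */
    public function makeAuthorizationServer()
    {
        $server = parent::makeAuthorizationServer();

        // Older league/oauth2-server releases have no setEncryptionKey();
        // fail closed instead of silently running without the fix.
        if (! method_exists($server, 'setEncryptionKey')) {
            throw new RuntimeException(
                'league/oauth2-server is too old: run composer update.'
            );
        }

        // Assumption: the key is a base64 string of 32 random bytes, e.g.
        // from `php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;'`,
        // supplied through a config entry (hypothetical name) that is fed
        // from the environment and never committed to the repository.
        $encoded = config('api.oauth_encryption_key');
        $raw = is_string($encoded) ? base64_decode($encoded, true) : false;

        // Decode only to validate: reject a missing, malformed or short key.
        if ($raw === false || strlen($raw) < 32) {
            throw new RuntimeException(
                'OAuth encryption key is missing, not base64, or under 32 bytes.'
            );
        }

        // The library receives the encoded string itself as the key.
        $server->setEncryptionKey($encoded);

        return $server;
    }
}
```

Register this provider in place of Passport's own so the container resolves the keyed server; every environment that must read the same tokens needs the same key value.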