From d12decfe3d437b91b65d6caf52c6020deeaf3174 Mon Sep 17 00:00:00 2001
From: Malcolm Hall
Date: Wed, 24 Aug 2016 02:08:01 +0100
Subject: [PATCH 1/2] Update TokenGuard.php to look for key in query string items only.

Because in Larvel's combined input system, the body items take precedence over query string items. If an item appears in the body that uses the same key as the one being used for the API token, then this body item is then assumed to be the token which could lead to authentication errors especially if the key is being set to a more generic custom name with a high risk of conflict, e.g. 'password'. This file has been edited to restrict the API token to being in the query string only by using request->query instead of request->input which I think is the expected behaviour for token authentication.
---
 src/Illuminate/Auth/TokenGuard.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Illuminate/Auth/TokenGuard.php b/src/Illuminate/Auth/TokenGuard.php
index 071cc759b504..9a6a2c985886 100644
--- a/src/Illuminate/Auth/TokenGuard.php
+++ b/src/Illuminate/Auth/TokenGuard.php
@@ -18,11 +18,11 @@ class TokenGuard implements Guard
     protected $request;
 
     /**
-     * The name of the field on the request containing the API token.
+     * The name of the query string item from the request containing the API token.
      *
      * @var string
      */
-    protected $inputKey;
+    protected $queryKey;
 
     /**
      * The name of the token "column" in persistent storage.
@@ -42,7 +42,7 @@ public function __construct(UserProvider $provider, Request $request)
     {
         $this->request = $request;
         $this->provider = $provider;
-        $this->inputKey = 'api_token';
+        $this->queryKey = 'api_token';
         $this->storageKey = 'api_token';
     }
 
@@ -80,7 +80,7 @@ public function user()
      */
     public function getTokenForRequest()
     {
-        $token = $this->request->input($this->inputKey);
+        $token = $this->request->query($this->queryKey);
 
         if (empty($token)) {
             $token = $this->request->bearerToken();
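Review bot: The added line `$token = $this->request->query($this->queryKey);` drops body input entirely, so any client that currently sends `api_token` in a form or JSON body will silently fail authentication after this commit, a breaking change the description does not call out. If the goal is only to stop a same-named body field from shadowing the token, keep query precedence but fall back to the body before trying the bearer header, i.e. insert `if (empty($token)) { $token = $this->request->input($this->queryKey); }` ahead of the existing `if (empty($token))` block. Separately, accepting the token in the query string at all means it ends up in access logs, proxy logs and Referer headers, so the method's docblock (outside this hunk) should state that the `Authorization: Bearer` header is the preferred transport and the query parameter a convenience. getTokenForRequest's body continues past the end of the hunk.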
@@ -101,11 +101,11 @@ public function getTokenForRequest()
      */
     public function validate(array $credentials = [])
     {
-        if (empty($credentials[$this->inputKey])) {
+        if (empty($credentials[$this->queryKey])) {
             return false;
         }
 
-        $credentials = [$this->storageKey => $credentials[$this->inputKey]];
+        $credentials = [$this->storageKey => $credentials[$this->queryKey]];
 
         if ($this->provider->retrieveByCredentials($credentials)) {
             return true;

From 5c99bb6b9ae7fd676eaae23f81879a0ee4b0115b Mon Sep 17 00:00:00 2001
From: Malcolm Hall
Date: Wed, 24 Aug 2016 02:42:13 +0100
Subject: [PATCH 2/2] Update TokenGuard.php

---
 src/Illuminate/Auth/TokenGuard.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/Illuminate/Auth/TokenGuard.php b/src/Illuminate/Auth/TokenGuard.php
index 9a6a2c985886..371120b4ce4c 100644
--- a/src/Illuminate/Auth/TokenGuard.php
+++ b/src/Illuminate/Auth/TokenGuard.php
@@ -22,7 +22,7 @@ class TokenGuard implements Guard
      *
      * @var string
      */
-    protected $queryKey;
+    protected $inputKey;
 
     /**
      * The name of the token "column" in persistent storage.
@@ -42,7 +42,7 @@ public function __construct(UserProvider $provider, Request $request)
     {
         $this->request = $request;
         $this->provider = $provider;
-        $this->queryKey = 'api_token';
+        $this->inputKey = 'api_token';
         $this->storageKey = 'api_token';
     }
 
@@ -80,7 +80,7 @@ public function user()
      */
     public function getTokenForRequest()
     {
-        $token = $this->request->query($this->queryKey);
+        $token = $this->request->query($this->inputKey);
 
         if (empty($token)) {
             $token = $this->request->bearerToken();
@@ -101,11 +101,11 @@ public function getTokenForRequest()
      */
     public function validate(array $credentials = [])
     {
-        if (empty($credentials[$this->queryKey])) {
+        if (empty($credentials[$this->inputKey])) {
             return false;
         }
 
-        $credentials = [$this->storageKey => $credentials[$this->queryKey]];
+        $credentials = [$this->storageKey => $credentials[$this->inputKey]];
 
         if ($this->provider->retrieveByCredentials($credentials)) {
             return true;