diff --git a/src/Bridge/ClientRepository.php b/src/Bridge/ClientRepository.php
index 204e6e270..d2015d583 100644
--- a/src/Bridge/ClientRepository.php
+++ b/src/Bridge/ClientRepository.php
@@ -87,16 +87,16 @@ protected function handlesGrant($record, $grantType)
 }
 
 /**
+ * Verify the client secret is valid.
+ *
 * @param string $clientSecret
 * @param string $storedHash
 * @return bool
 */
 protected function verifySecret($clientSecret, $storedHash)
 {
- if (Passport::$useHashedClientSecrets) {
- $clientSecret = hash('sha256', $clientSecret);
- }
-
- return hash_equals($storedHash, $clientSecret);
+ return Passport::$hashesClientSecrets
+ ? hash_equals($storedHash, hash('sha256', $clientSecret))
+ : hash_equals($storedHash, $clientSecret);
 }
 }
diff --git a/src/Client.php b/src/Client.php
index 024bb1e1c..a901de637 100644
--- a/src/Client.php
+++ b/src/Client.php
@@ -42,7 +42,7 @@ class Client extends Model
 ];
 
 /**
- * The temporary non-hashed client secret.
+ * The temporary plain-text client secret.
 *
 * @var string|null
 */
@@ -83,9 +83,7 @@ public function tokens()
 /**
 * The temporary non-hashed client secret.
 *
- * If you're using hashed client secrets, this value will only be available
- * once during the request the client was created. Afterwards, it cannot
- * be retrieved or decrypted anymore.
+ * This is only available once during the request that created the client.
 *
 * @return string|null
 */
@@ -95,13 +93,16 @@ public function getPlainSecretAttribute()
 }
 
 /**
- * @param string|null $value
+ * Set the value of the secret attribute.
+ *
+ * @param string|null $value
+ * @return void
 */
 public function setSecretAttribute($value)
 {
 $this->plainSecret = $value;
 
- if ($value === null || ! Passport::$useHashedClientSecrets) {
+ if (is_null($value) || ! Passport::$hashesClientSecrets) {
 $this->attributes['secret'] = $value;
 
 return;
diff --git a/src/Passport.php b/src/Passport.php
index e9b04fdb8..1794b612f 100644
--- a/src/Passport.php
+++ b/src/Passport.php
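Review bot: The new ternary in verifySecret() repeats the hash_equals() call with the same `$storedHash`, so only the candidate value differs between the two branches; `return hash_equals($storedHash, Passport::$hashesClientSecrets ? hash('sha256', $clientSecret) : $clientSecret);` keeps the constant-time comparison in one place and reads as the single decision it is. hash_equals() raises a TypeError in PHP 8 when either argument is not a string, so if a caller can reach this with a null stored secret (the callers are not in this hunk, so I cannot tell), the check would throw instead of returning false; a guard such as `if (! is_string($storedHash)) { return false; }` or a docblock line stating that both arguments must be strings would settle that. Unsalted SHA-256 is only an adequate at-rest form for secrets that are generated with high entropy rather than chosen by a user; the new summary line could record that assumption, e.g. `Secrets are compared against an unsalted SHA-256 digest when hashing is enabled.`, and note that `$storedHash` holds the plain secret when hashing is disabled.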
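Review bot: The getPlainSecretAttribute() docblock still opens with `The temporary non-hashed client secret.` (a context line in this hunk) while the property docblock in the earlier hunk at `@@ -42,7 +42,7 @@` now says `plain-text`; the two should use the same term, so change the accessor's first line to `The temporary plain-text client secret.` as well. The replacement sentence also drops the condition the old text carried: as the setSecretAttribute() hunk below shows, with hashing disabled the same value is written straight into the secret attribute and stays readable after the request, so only the hashed case loses it. I'd append `When hashing is disabled the value also remains stored in the secret attribute.` to keep that distinction. The accessor body is outside the hunk.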
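Review bot: Swapping `$value === null` for `is_null($value)` in setSecretAttribute() trades a strict comparison for a function call with no gain; `=== null` is what PSR-oriented fixers emit (PHP-CS-Fixer's is_null rule rewrites the call back into a comparison), so I'd keep `if ($value === null || ! Passport::$hashesClientSecrets) {`. The rest of the method, including the hashing branch, is outside this hunk.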
@@ -149,7 +149,7 @@ class Passport
 /**
 * @var bool
 */
- public static $useHashedClientSecrets = false;
+ public static $hashesClientSecrets = false;
 
 /**
 * Indicates the scope should inherit its parent scope.
@@ -631,25 +631,25 @@ public static function refreshToken()
 }
 
 /**
- * Configure Passport to not register its migrations.
+ * Configure Passport to hash client credential secrets.
 *
 * @return static
 */
- public static function ignoreMigrations()
+ public static function hashClientSecrets()
 {
- static::$runsMigrations = false;
+ static::$hashesClientSecrets = true;
 
 return new static;
 }
 
 /**
- * Configure Passport to hash client credential secrets.
+ * Configure Passport to not register its migrations.
 *
 * @return static
 */
- public static function useHashedClientSecrets()
+ public static function ignoreMigrations()
 {
- static::$useHashedClientSecrets = true;
+ static::$runsMigrations = false;
 
 return new static;
 }
diff --git a/tests/BridgeClientRepositoryHashedSecretsTest.php b/tests/BridgeClientRepositoryHashedSecretsTest.php
index f834c79da..a61c77b65 100644
--- a/tests/BridgeClientRepositoryHashedSecretsTest.php
+++ b/tests/BridgeClientRepositoryHashedSecretsTest.php
@@ -11,7 +11,7 @@ class BridgeClientRepositoryHashedSecretsTest extends BridgeClientRepositoryTest
 {
 protected function setUp(): void
 {
- Passport::useHashedClientSecrets();
+ Passport::hashClientSecrets();
 
 $clientModelRepository = m::mock(ClientRepository::class);
 $clientModelRepository->shouldReceive('findActive')
diff --git a/tests/BridgeClientRepositoryTest.php b/tests/BridgeClientRepositoryTest.php
index 1f0868de6..3c9ba6391 100644
--- a/tests/BridgeClientRepositoryTest.php
+++ b/tests/BridgeClientRepositoryTest.php
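Review bot: The old public names `$useHashedClientSecrets` and `useHashedClientSecrets()` disappear with nothing left behind, so any application that already calls them at boot will fatal on upgrade; if those names have shipped in a tagged release (not visible from the diff), a deprecated forwarding method keeps the call sites working, and the property rename, which cannot be shimmed, belongs in the upgrade notes. The same rename is applied in the property hunk at `@@ -149,7 +149,7 @@` and in both test files. Swapping the positions of hashClientSecrets() and ignoreMigrations() also makes this hunk show both bodies as changed when each was only moved, which obscures the history; a pure-rename commit followed by the move would be clearer. The `@var bool` block at line 149 still carries no description; `Indicates if client secrets should be stored as SHA-256 hashes.` would match the neighbouring property docblocks.
```php
    /**
     * Configure Passport to hash client credential secrets.
     *
     * @deprecated Use hashClientSecrets() instead.
     *
     * @return static
     */
    public static function useHashedClientSecrets()
    {
        return static::hashClientSecrets();
    }
```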
@@ -23,7 +23,7 @@ class BridgeClientRepositoryTest extends TestCase
 
 protected function setUp(): void
 {
- Passport::$useHashedClientSecrets = false;
+ Passport::$hashesClientSecrets = false;
 
 $clientModelRepository = m::mock(ClientRepository::class);
 $clientModelRepository->shouldReceive('findActive')