Passport 4 TokenGuard and Laravel 5.5.42 don't work together #805

Closed
Zae opened this issue Aug 23, 2018 · 15 comments

@Zae

Zae commented Aug 23, 2018

Hi,

I noticed that my auth was broken in Passport after upgrading to 5.5.42. It seems that Passport uses the decrypt method without checking the $serialize property in the EncryptCookies middleware, and that causes Passport to try to unserialize the cookie even if it is not serialized, causing an exception and ultimately the auth to fail.

I added a check to my middleware to still serialize the passport cookie to work around this for now.

@Zae
Author

Zae commented Aug 23, 2018

This is the function in the middleware to make it work btw, it serializes only the passport cookie and uses the $serialize property for the rest.

```php
// Belongs in App\Http\Middleware\EncryptCookies and needs
// `use Laravel\Passport\Passport;` at the top of that file.

/**
 * Determine if the cookie contents should be serialized.
 *
 * @param  string  $name
 * @return bool
 */
public static function serialized($name)
{
    // Work around the fact that passport:4 can't handle
    // the cookie serialization fix of laravel 5.5.42
    if (class_exists(Passport::class) && $name === Passport::$cookie) {
        return true;
    }

    return static::$serialize;
}
```

@zoltiecodes

zoltiecodes commented Sep 1, 2018

Hi. I have the same issue. I tried your solution @Zae but now I'm getting this error:

unserialize(): Error at offset 0 of 187 bytes

I cleared all the cache and sessions just in case. I'm using Laravel 5.5.42 and Passport 4.0.3.

Do you have any idea what to do?

EDITED:
OK it's working. I just had to clear my cookies for the application. Thanks for the solution @Zae !
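
The mismatch discussed in this thread, as an added example that is not part of the original comments and is not Laravel or Passport code: a toy encrypter writes the same cookie value with and without serialization while the reader always unserializes. `ToyEncrypter` and the free function `serialized()` are hypothetical names; the script assumes PHP 7.1+ with the openssl extension.

```php
<?php
// Added illustration. ToyEncrypter is a hypothetical stand-in, not Laravel's Encrypter.
final class ToyEncrypter
{
    private $key;
    public function __construct(string $key) { $this->key = $key; }

    public function encrypt(string $value, bool $serialize): string
    {
        $iv = random_bytes(12);
        $plain = $serialize ? serialize($value) : $value;
        $ct = openssl_encrypt($plain, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct);
    }

    public function decrypt(string $payload, bool $unserialize)
    {
        $raw = (string) base64_decode($payload, true);
        $plain = strlen($raw) < 28 ? false : openssl_decrypt(substr($raw, 28), 'aes-256-gcm',
            $this->key, OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
        if ($plain === false) {
            throw new RuntimeException('payload failed authentication');
        }
        if (!$unserialize) { return $plain; }
        // Hardening added in this toy: never build objects from cookie data.
        $value = @unserialize($plain, ['allowed_classes' => false]);
        if ($value === false && $plain !== serialize(false)) {
            throw new RuntimeException('unserialize() failed: value was stored as a plain string');
        }
        return $value;
    }
}

// Per-cookie policy in the spirit of the serialized($name) override from the thread.
function serialized(string $name): bool
{
    return $name === 'laravel_token'; // Passport::$cookie, as named in the thread
}

$enc = new ToyEncrypter(random_bytes(32));
$jwt = 'constructed.jwt.value'; // constructed sample, not a real token
// First cookie predates the override (plain string); the second is written under it.
foreach ([false, serialized('laravel_token')] as $writeSerialized) {
    try { // the reader always unserializes, as the thread says Passport 4 does
        printf("read ok: %s\n", $enc->decrypt($enc->encrypt($jwt, $writeSerialized), true));
    } catch (RuntimeException $e) {
        printf("read failed: %s\n", $e->getMessage());
    }
}
```

The first read fails and the second succeeds, which is consistent with a cookie issued before the override continuing to fail until it is cleared and reissued. Every cookie other than `laravel_token` stays a plain string under this policy, so the serialization change in 5.5.42 still applies to them.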

@walliby

walliby commented Sep 4, 2018

@Zae your solution worked for me as well. Is this something fixed in a later release of Passport? If we are sticking with Laravel 5.5.x, should we be using only Passport 4.x or can we upgrade Passport?

@Zae
Author

Zae commented Sep 4, 2018

@walliby This is fixed in the latest version, but you need Laravel 5.6 for that; the Passport version for Laravel 5.5 doesn't have this fix (yet). Because I'm still stuck on Laravel 5.5, I couldn't use the newer version of Passport.

@frdteknikelektro

I modified my app/Http/Middleware/EncryptCookies.php

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Cookie\Middleware\EncryptCookies as Middleware;
use Symfony\Component\HttpFoundation\Request;

class EncryptCookies extends Middleware
{
    /**
     * Indicates if the cookies should be serialized.
     *
     * @var bool
     */
    protected static $serialize = true;

    /**
     * The names of the cookies that should not be encrypted.
     *
     * @var array
     */
    protected $except = [
        //
    ];

    /**
     * Decrypt the cookies on the request.
     *
     * @param  \Symfony\Component\HttpFoundation\Request $request
     * @return \Symfony\Component\HttpFoundation\Request
     */
    protected function decrypt(Request $request)
    {
        foreach ($request->cookies as $key => $c) {
            if ($this->isDisabled($key)) {
                continue;
            }

            try {
                $request->cookies->set($key, $this->decryptCookie($key, $c));
            } catch (\Exception $e) {
                $request->cookies->set($key, null);
            }
        }

        return $request;
    }
}
```

@driesvints
Member

Heya, unfortunately we don't support such an old Passport version anymore. Please upgrade to the latest version to see if the problem persists.

@archy-bold

But Laravel 5.5 is the LTS release and Passport v4 has a bug that means it won't work since Laravel version 5.5.42. Isn't Passport an official Laravel package?

@driesvints
Member

Laravel 5.5 is indeed LTS but Passport 4.0 isn't.

@archy-bold

Then shouldn't this be documented somewhere?

@driesvints
Member

I don't know what you mean? It's never been said that Laravel's other libraries had any LTS releases?

@archy-bold

This is an issue for anyone using Passport with Laravel 5.5. Laravel 5.5 is an LTS release, whether Passport 4 is or not. People are going to encounter this problem, so shouldn't it be documented somewhere about how to deal with the issue?

Your suggestion to upgrade Passport isn't possible for some as they're on the LTS version of Laravel, which is only compatible with an outdated version of Passport. I'm just suggesting the fix from @Zae maybe should be documented.

@walliby

walliby commented Oct 16, 2018

I agree this is a problem. This means anybody using the latest version of Laravel 5.5, which is LTS, cannot configure Passport out of the box. At the very least, the Laravel documentation located here should be updated: https://laravel.com/docs/5.5/passport#installation

@driesvints
Member

You're free to send in a PR. Make sure you link back to this issue so Taylor knows why you're sending it in.

@carsonlius

it works

@Saneesh

Saneesh commented Dec 21, 2018

This is the function in the middleware to make it work btw, it serializes only the passport cookie and uses the $serialize property for the rest.

```php
/**
 * Determine if the cookie contents should be serialized.
 *
 * @param  string  $name
 * @return bool
 */
public static function serialized($name)
{
    // Work around the fact that passport:4 can't handle
    // the cookie serialization fix of laravel 5.5.42
    if (class_exists(Passport::class) && $name === Passport::$cookie) {
        return true;
    }

    return static::$serialize;
}
```

@Zae,
When I try to access an API from Postman with Bearer with token,
XSRF-TOKEN, _ga and <my_project>_session are coming as $name not laravel_token (Passport::$cookie).

So, it is not passing the condition in serialized().

Laravel : 5.5.44
Passport: 4.0.3
What should I do?
