Merge pull request #18601 from ubc-cpsc/chore/security-upgrade-passport13-socialite-jwt7

Upgrade Passport to v13 and move php-jwt to v7 to remediate JWT advisory
2026-03-08 11:51:15 +00:00
parent c9d73e85e1 a956676745
commit a2efcf1ca9
8 changed files with 819 additions and 553 deletions
@@ -69,6 +69,8 @@ jobs:
          php artisan migrate --force
          php artisan passport:install --no-interaction
          chmod -R 777 storage bootstrap/cache
+          chmod 600 storage/oauth-private.key
+          chmod 660 storage/oauth-public.key

      - name: Execute tests (Unit and Feature tests) via PHPUnit
        env:
@@ -67,6 +67,8 @@ jobs:
          php artisan migrate --force
          php artisan passport:install --no-interaction
          chmod -R 777 storage bootstrap/cache
+          chmod 600 storage/oauth-private.key
+          chmod 660 storage/oauth-public.key

      - name: Execute tests (Unit and Feature tests) via PHPUnit
        env:
@@ -56,7 +56,10 @@ jobs:
        run: php artisan passport:keys

      - name: Directory Permissions
-        run: chmod -R 777 storage bootstrap/cache
+        run: |
+          chmod -R 777 storage bootstrap/cache
+          chmod 600 storage/oauth-private.key
+          chmod 660 storage/oauth-public.key

      - name: Execute tests (Unit and Feature tests) via PHPUnit
        env:
@@ -166,7 +166,17 @@ class ProfileController extends Controller
        
        $tokens = $this->tokenRepository->forUser(auth()->user()->getAuthIdentifier());
        $token_values = $tokens->load('client')->filter(function ($token) {
-            return $token->client->personal_access_client && ! $token->revoked;
+            if ($token->revoked || ! $token->client) {
+                return false;
+            }
+
+            $client = $token->client;
+
+            if (method_exists($client, 'hasGrantType')) {
+                return $client->hasGrantType('personal_access');
+            }
+
+            return in_array('personal_access', (array) ($client->grant_types ?? []), true);
        })->values();

        return response()->json(Helper::formatStandardApiResponse('success', $token_values, null));
@@ -265,6 +265,4 @@ class SetupController extends Controller



-
-
 }
@@ -46,7 +46,7 @@
    "laravel-notification-channels/microsoft-teams": "^1.2",
    "laravel/framework": "^11.0",
    "laravel/helpers": "^1.4",
-    "laravel/passport": "^12.0",
+    "laravel/passport": "^13.0",
    "laravel/slack-notification-channel": "^3.4",
    "laravel/socialite": "^5.6",
    "laravel/tinker": "^2.6",
@@ -612,6 +612,13 @@ if ((!file_exists('storage/oauth-public.key')) || (!file_exists('storage/oauth-p
    echo $success_icon." OAuth keys detected. Skipping passport install.\n\n";
 }

+// Normalize key permissions for Passport 13 (covers both fresh installs and upgrades)
+if (PHP_OS !== 'WINNT') {
+    if (file_exists('storage/oauth-private.key')) chmod('storage/oauth-private.key', 0600);
+    if (file_exists('storage/oauth-public.key'))  chmod('storage/oauth-public.key', 0660);
+    echo $success_icon." OAuth key permissions normalized.\n\n";
+}
+

 echo "\e[95m--------------------------------------------------------\n";
 echo "STEP 11: Taking application out of maintenance mode:\n";
				`@@ -265,6 +265,4 @@ class SetupController extends Controller`





				`}`