Reputation: 4843
After the security improvements in the PHP League OAuth2 server, Laravel Passport authorization fails.
The exception says:
You must set the encryption key going forward to improve the security of this library - see this page for more information https://oauth2.thephpleague.com/v5-security-improvements/
According to their documentation, it is mandatory to set the encryption key,
i.e.
    // Setup the authorization server
    $server = new AuthorizationServer(
        $clientRepository,
        $accessTokenRepository,
        $scopeRepository,
        $privateKeyPath,
        $publicKeyPath
    );
    $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
But the current Laravel Passport release does not include this fix.
What I did was add setEncryptionKey() manually to
/vendor/laravel/passport/src/PassportServiceProvider.php
    public function makeAuthorizationServer()
    {
        $server = new AuthorizationServer(
            $this->app->make(Bridge\ClientRepository::class),
            $this->app->make(Bridge\AccessTokenRepository::class),
            $this->app->make(Bridge\ScopeRepository::class),
            'file://'.Passport::keyPath('oauth-private.key'),
            'file://'.Passport::keyPath('oauth-public.key')
        );
        $server->setEncryptionKey('lxZFUEsBCJ2Yb14IF2ygAHI5N4+ZAUXXaSeeJm6+twsUmIen');
        return $server;
    }
This works for me. But technically I cannot edit this file. Is there any suitable fix for this?
Upvotes: 2
Views: 1113
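One way to get the same effect without editing anything under vendor/ is to subclass the provider and read the key from configuration instead of a literal copied from the documentation; this is an added example, not part of the original post and not Passport's own code. The class location, the config key services.passport.encryption_key, the OAUTH_ENCRYPTION_KEY variable and the 32-byte minimum are assumptions made for illustration.

```php
<?php
// Added example (hypothetical file: app/Providers/PassportServiceProvider.php).
// Generate a key once per deployment, e.g.:
//   php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;'
// and expose it through config/services.php (assumed entry):
//   'passport' => ['encryption_key' => env('OAUTH_ENCRYPTION_KEY')],

namespace App\Providers;

use Laravel\Passport\PassportServiceProvider as BasePassportServiceProvider;
use RuntimeException;

class PassportServiceProvider extends BasePassportServiceProvider
{
    // Assumed policy for this example: at least 32 bytes of key material.
    const MIN_KEY_BYTES = 32;

    public function makeAuthorizationServer()
    {
        // Reuse the package's construction so repositories and key paths stay as shipped,
        // then set the key before any grant type is enabled on the server.
        $server = parent::makeAuthorizationServer();
        $server->setEncryptionKey($this->loadEncryptionKey());

        return $server;
    }

    protected function loadEncryptionKey()
    {
        $key = config('services.passport.encryption_key');

        // Fail closed: refuse to boot with a missing, malformed or short key
        // rather than falling back to a value baked into source code.
        $raw = is_string($key) ? base64_decode($key, true) : false;
        if ($raw === false || strlen($raw) < self::MIN_KEY_BYTES) {
            throw new RuntimeException(
                'OAUTH_ENCRYPTION_KEY must be base64 of at least '.self::MIN_KEY_BYTES.' random bytes'
            );
        }

        // The encoded string itself is what gets passed to setEncryptionKey().
        return $key;
    }
}
```

Register this class in the providers array of config/app.php in place of Laravel\Passport\PassportServiceProvider::class. On Laravel versions with package auto-discovery, also list laravel/passport under extra.laravel.dont-discover in composer.json so the original provider is not loaded alongside it.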
Reputation: 39
Make sure you have updated your Laravel Passport to
"laravel/passport": "^7.0",
More details related to the security update are here: https://laravel.com/docs/5.6/upgrade
Upvotes: 0
Reputation:
Try this...
sudo chown www-data:www-data storage/oauth-*.key
sudo chmod 600 storage/oauth-*.key
It solves my problem.
Upvotes: 1