severe security issue - authenticated user is passing all types of guards #63
Comments
Can you post your code? I don't have this issue.
@kudlohlavec Can you post your code? Or link to a similar project simulating the error?
@michaelnguyen547, @sfelix-martins I'm posting the related code. This is the login method for model 1 (user):
This is the login method for model 2 (gateway):
config/auth.php:
app/Http/Kernel.php:
app/Providers/AuthServiceProvider.php:
I am protecting routes with the auth middleware like this: User routes
Gateway routes
Hope that it will help; however, I consider it to be a very basic setup...
I got a little bit more information regarding this issue. I tried a clean Laravel installation where I only added Passport and the multiauth extension, and everything is working as it should. However, I don't understand what the problem can be: for both projects, the broken one and the new one that is working properly, I used the same setup steps for the implementation of the multiauth functionality. The only difference is that the broken project runs in Docker and the correct one runs directly on localhost...
@kudlohlavec @ShuiPingYang Thanks for your contribution. I will see it ASAP.
Thanks @sfelix-martins. I was also able to reproduce @ShuiPingYang's problem with a nonexistent provider in my Docker version. In my correct localhost version, a nonexistent provider throws an error. So, as @ShuiPingYang proposed, it looks to be the same problem for me and him.
Does anyone have a solution? I have the same problem.
@bienhoang @kudlohlavec @ShuiPingYang Can you test it, for the good of open source 😄 ? Change your

```json
"minimum-stability": "dev",
"prefer-stable": true,
"require": {
    "smartins/passport-multiauth": "dev-fix-same-id-model-one-token-4.0"
}
```

And run Give me feedback, please.
@sfelix-martins Sorry to announce that it didn't work for me... Still the same issue. But it would be best if others can confirm it too.
@pakcybershagufta did you test the instructions from #63 (comment)?
Please, delete your composer.lock and remove the
Can I ask one more thing: is there any facility available in this package to secure my categories/countries API, which does not require user login?
Do you want just your client apps to use your
Yes, exactly.
An important point is missing: whenever you want to use multiauth you should define the route something like

```php
Route::middleware('multiauth:admin,user')->get('user', function (Request $request) {
```
@sfelix-martins @kudlohlavec

```php
'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'api' => [
        'driver' => 'passport',
        'provider' => 'users',
    ],
    'admin' => [
        'driver' => 'passport',
        'provider' => 'admins',
    ],
    'doctor' => [
        'driver' => 'passport',
        'provider' => 'doctors',
    ],
],
```

When a user (from the User model) gets authenticated, it is able to pass the doctor and admin guards. The same applies to all models. The only difference was that, with a token requested by a user, trying to get the user from the doctor guard I would get the User model, and the same happened when requesting the admin data while passing through the admin guard. This made me think that maybe my default guard had something to do with this issue, since I had changed my default to api (User model). I changed my default guard back to web and everything started working as it should.
I installed the Is there a way to do this without the default? I want to make an endpoint consisting of only api; I do not want to use the default.
Same problem here: the bug exists when I change the default guard. It's okay when the default is changed back to 'web'.
I had the same problem with Lumen. I could solve this by automatically providing the "provider" param: whenever a token is provided, I get the token's provider and pass it to Passport. I don't know if this can cause some trouble in any way. For my ongoing project it works fine.

```php
// Override of the package middleware's handle(); invalidProvider() and
// $defaultApiProvider are inherited from that middleware and not redefined here.
// Imports needed in the class: Closure, Illuminate\Http\Request,
// Lcobucci\JWT\Parser, League\OAuth2\Server\Exception\OAuthServerException,
// SMartins\PassportMultiauth\Provider.
public function handle(Request $request, Closure $next)
{
    $this->defaultApiProvider = config('auth.guards.api.provider');

    // Provider named in the request (defaults to 'users').
    $provider = $request->get('provider', 'users');
    if ($this->invalidProvider($provider)) {
        throw OAuthServerException::invalidRequest('provider');
    }

    // When a bearer token is present, use the provider recorded for that token
    // (looked up by its jti claim) instead of the value sent in the request.
    $token = $request->bearerToken();
    if ($token) {
        $jti = (new Parser)->parse($token)->getClaim('jti');
        $record = Provider::find($jti);
        if ($record) {
            $provider = $record->provider;
        }
    }

    config(['auth.guards.api.provider' => $provider]);

    return $next($request);
}
```
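A regression test for the cross-guard acceptance described in the config comment and the middleware workaround above, added here and not from the package or this thread: it issues a real token for each model and checks that only the model's own guard accepts it, including the same-id case reported in this issue. It assumes App\User and App\Admin use HasApiTokens with guards `api`/`admin` on providers `users`/`admins`, routes GET /api/user and /api/admin under `auth:api` and `auth:admin` that return the authenticated model as JSON, factories for both models, and that the package records the provider for tokens created with createToken().

```php
<?php
// Added regression test (hypothetical; not part of the package or this thread).
namespace Tests\Feature;

use App\Admin;
use App\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class GuardIsolationTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();
        // Keys plus personal/password clients, so createToken() can issue real tokens.
        $this->artisan('passport:install');
    }

    private function tokenFor($model): string
    {
        return $model->createToken('guard-test')->accessToken;
    }

    private function call(string $token, string $uri)
    {
        return $this->withHeader('Authorization', 'Bearer ' . $token)->getJson($uri);
    }

    public function test_user_token_is_accepted_only_by_api_guard()
    {
        $user  = factory(User::class)->create();
        $token = $this->tokenFor($user);

        $this->call($token, '/api/user')->assertOk()->assertJson(['id' => $user->id]);
        // Foreign guard must reject the token, not return an admin with the same id.
        $this->call($token, '/api/admin')->assertStatus(401);
    }

    public function test_admin_token_is_accepted_only_by_admin_guard()
    {
        // Force the same id on both tables: the case this issue reports.
        $user  = factory(User::class)->create();
        $admin = factory(Admin::class)->create(['id' => $user->id]);
        $token = $this->tokenFor($admin);

        $this->call($token, '/api/admin')->assertOk()->assertJson(['id' => $admin->id]);
        $this->call($token, '/api/user')->assertStatus(401);
    }
}
```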
Hi,
I am experiencing a severe security issue with version 4.0. It doesn't appear in version 3.0.
The problem is that after retrieval of an access token I am able to pass through all of the defined auth guards. I have 2 types of models; however, type 1 can go through auth guards 1 and 2 as well, and vice versa for the model of type 2.
As I have already mentioned, I am not experiencing this bug on version 3.0.
The problematic version combination is:
Laravel - 5.7.15
Passport - 7.0.3
Multiauth - 4.0
EDIT:
I am returning the user instance by `Auth::user()` as the response, and when I am accessing guard 1 with a token from model 2, I am retrieving a user from model 1 as the response, with an id that is the same as for model 2. However, when I am accessing guard 2 with model 2 I am getting the right credentials for that model's user. And when I am accessing guard 2 with model 1 I am getting credentials from the user of model 1.