Laravel 12 Support (#184)

nie7321 · web-flow · commit 35f9e968ac1d · 2025-02-24T15:59:26.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+## [v11.2.0] - 2025-02-24
+### Added
+- Support for Laravel 12 has been added.
+
 ## [v11.1.0] - 2024-07-17
 ### Changed
 - For Azure Entra ID SSO, a new `token_verifier` option has been added to facilitate multi-tenant configurations.
diff --git a/composer.json b/composer.json
@@ -20,15 +20,15 @@
         "northwestern-sysdev/event-hub-php-sdk": "^3.0",
         "laravel/ui": "^3.0|^2.0|^4.0",
         "lcobucci/jwt": "^4.0",
-        "socialiteproviders/manager": "~4.0",
-        "firebase/php-jwt": "^5.3"
+        "socialiteproviders/manager": "~4.8.1",
+        "firebase/php-jwt": "^6"
     },
     "require-dev": {
-        "orchestra/testbench": "~9.0",
+        "orchestra/testbench": "^10.0",
         "php-coveralls/php-coveralls": "^2.4",
-        "phpunit/phpunit": "^10.0",
+        "phpunit/phpunit": "^11.0",
         "laravel/pint": "^1.13",
-        "larastan/larastan": "^2.0"
+        "larastan/larastan": "^3.0"
     },
     "autoload": {
         "psr-4": {
diff --git a/src/Auth/OAuth2/NorthwesternAzureProvider.php b/src/Auth/OAuth2/NorthwesternAzureProvider.php
@@ -8,7 +8,6 @@
 use Illuminate\Support\Str;
 use Laravel\Socialite\Two\InvalidStateException;
 use Laravel\Socialite\Two\User as TwoUser;
-use Lcobucci\JWT\UnencryptedToken;
 use Northwestern\SysDev\SOA\Auth\OAuth2\TokenVerifier\Contract\TokenVerifierInterface;
 use SocialiteProviders\Manager\OAuth2\AbstractProvider;
 use SocialiteProviders\Manager\OAuth2\User;
diff --git a/src/Auth/OAuth2/TokenVerifier/Contract/AbstractAzureTokenVerifier.php b/src/Auth/OAuth2/TokenVerifier/Contract/AbstractAzureTokenVerifier.php
@@ -43,11 +43,29 @@ public function parseAndVerify(string $jwt): UnencryptedToken
 
         $data = $this->loadKeys();
 
-        $publicKeys = JWK::parseKeySet($data);
+        /**
+         * This is kind of jank, but the `alg` claim in the JWK is not required by the spec, so Microsoft has opted
+         * not to include it.
+         *
+         * As of v6, the JWT library requires either the alg to be provided -or- a default given, to mitigate
+         * CVE-2021-46743, a key type confusion attack. The CVE is probably broadly applicable to any implementation
+         * dealing with these keys missing their `alg` claims.
+         *
+         * If Microsoft updates in the future, they will hopefully start providing the `alg` claim on the new keys in
+         * the keyring. In that case, this will continue to work just fine, since the `alg` claim has priority over
+         * this default.
+         *
+         * @see https://github.com/firebase/php-jwt/issues/498
+         * @see https://github.com/advisories/GHSA-8xf4-w7qw-pjjw
+         * @see https://github.com/firebase/php-jwt/issues/351
+         */
+        $defaultAlgorithm = 'RS256';
+
+        $publicKeys = JWK::parseKeySet($data, $defaultAlgorithm);
         $kid = $token->headers()->get('kid');
 
         if (isset($publicKeys[$kid])) {
-            $publicKey = openssl_pkey_get_details($publicKeys[$kid]);
+            $publicKey = openssl_pkey_get_details($publicKeys[$kid]->getKeyMaterial());
             $constraints = [
                 new SignedWith(new Sha256(), InMemory::plainText($publicKey['key'])),
                 new LooseValidAt(SystemClock::fromSystemTimezone()),
diff --git a/src/Auth/WebSSOAuthentication.php b/src/Auth/WebSSOAuthentication.php
@@ -18,6 +18,9 @@
 use Northwestern\SysDev\SOA\Auth\Strategy\NoSsoSession;
 use Northwestern\SysDev\SOA\Auth\Strategy\WebSSOStrategy;
 
+/**
+ * @phpstan-ignore trait.unused
+ */
 trait WebSSOAuthentication
 {
     use RedirectsUsers, WebSSORoutes;
diff --git a/src/Auth/WebSSORoutes.php b/src/Auth/WebSSORoutes.php
@@ -2,6 +2,9 @@
 
 namespace Northwestern\SysDev\SOA\Auth;
 
+/**
+ * @phpstan-ignore trait.unused
+ */
 trait WebSSORoutes
 {
     /** Route name for your login page */
diff --git a/src/Console/Commands/MakeWebSSO.php b/src/Console/Commands/MakeWebSSO.php
@@ -12,11 +12,13 @@ class MakeWebSSO extends GeneratorCommand
 
     protected $type = 'Controller';
 
-    public function handle()
+    public function handle(): ?bool
     {
         parent::handle();
 
         $this->ejectRoutes();
+
+        return true;
     }
 
     protected function getNameInput()

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,9 @@`
`18`	`18`	`use Northwestern\SysDev\SOA\Auth\Strategy\NoSsoSession;`
`19`	`19`	`use Northwestern\SysDev\SOA\Auth\Strategy\WebSSOStrategy;`
`20`	`20`
	`21`	`+/**`
	`22`	`+ * @phpstan-ignore trait.unused`
	`23`	`+ */`
`21`	`24`	`trait WebSSOAuthentication`
`22`	`25`	`{`
`23`	`26`	`use RedirectsUsers, WebSSORoutes;`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,9 @@`
`2`	`2`
`3`	`3`	`namespace Northwestern\SysDev\SOA\Auth;`
`4`	`4`
	`5`	`+/**`
	`6`	`+ * @phpstan-ignore trait.unused`
	`7`	`+ */`
`5`	`8`	`trait WebSSORoutes`
`6`	`9`	`{`
`7`	`10`	`/** Route name for your login page */`
Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,13 @@ class MakeWebSSO extends GeneratorCommand`
`12`	`12`
`13`	`13`	`protected $type = 'Controller';`
`14`	`14`
`15`		`- public function handle()`
	`15`	`+ public function handle(): ?bool`
`16`	`16`	`{`
`17`	`17`	`parent::handle();`
`18`	`18`
`19`	`19`	`$this->ejectRoutes();`
	`20`	`+`
	`21`	`+ return true;`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`protected function getNameInput()`