[13.x] Fix session JSON serialization (#1905)

hafezdivandari · web-flow · commit f4f85e3122c7 · 2026-04-07T08:08:13.000-05:00
* fix json serialization

* add tests

* fix tests
diff --git a/src/Http/Controllers/AuthorizationController.php b/src/Http/Controllers/AuthorizationController.php
@@ -82,7 +82,7 @@ public function authorize(
         }
 
         $request->session()->put('authToken', $authToken = Str::random());
-        $request->session()->put('authRequest', $authRequest);
+        $request->session()->put('authRequest', serialize($authRequest));
 
         return $viewResponse->withParameters([
             'client' => $client,
diff --git a/src/Http/Controllers/DeviceAuthorizationController.php b/src/Http/Controllers/DeviceAuthorizationController.php
@@ -55,7 +55,7 @@ public function __invoke(
         $client = $this->clients->find($deviceCode->getClient()->getIdentifier());
 
         $request->session()->put('authToken', $authToken = Str::random());
-        $request->session()->put('deviceCode', $deviceCode);
+        $request->session()->put('deviceCode', serialize($deviceCode));
 
         return $viewResponse->withParameters([
             'client' => $client,
diff --git a/src/Http/Controllers/RetrievesAuthRequestFromSession.php b/src/Http/Controllers/RetrievesAuthRequestFromSession.php
@@ -24,7 +24,14 @@ protected function getAuthRequestFromSession(Request $request): AuthorizationReq
             throw InvalidAuthTokenException::different();
         }
 
-        return $request->session()->pull('authRequest')
+        $authRequest = $request->session()->pull('authRequest')
             ?? throw new Exception('Authorization request was not present in the session.');
+
+        return unserialize($authRequest, ['allowed_classes' => [
+            \League\OAuth2\Server\RequestTypes\AuthorizationRequest::class,
+            \Laravel\Passport\Bridge\Client::class,
+            \Laravel\Passport\Bridge\Scope::class,
+            \Laravel\Passport\Bridge\User::class,
+        ]]);
     }
 }
diff --git a/src/Http/Controllers/RetrievesDeviceCodeFromSession.php b/src/Http/Controllers/RetrievesDeviceCodeFromSession.php
@@ -24,7 +24,14 @@ protected function getDeviceCodeFromSession(Request $request): DeviceCodeEntityI
             throw InvalidAuthTokenException::different();
         }
 
-        return $request->session()->pull('deviceCode')
+        $deviceCode = $request->session()->pull('deviceCode')
             ?? throw new Exception('Device code was not present in the session.');
+
+        return unserialize($deviceCode, ['allowed_classes' => [
+            \Laravel\Passport\Bridge\DeviceCode::class,
+            \Laravel\Passport\Bridge\Client::class,
+            \Laravel\Passport\Bridge\Scope::class,
+            \DateTimeImmutable::class,
+        ]]);
     }
 }
diff --git a/tests/Feature/AuthorizationCodeGrantTest.php b/tests/Feature/AuthorizationCodeGrantTest.php
@@ -7,6 +7,7 @@
 use Illuminate\Support\Str;
 use Laravel\Passport\Database\Factories\ClientFactory;
 use Laravel\Passport\Passport;
+use Orchestra\Testbench\Attributes\WithConfig;
 use Orchestra\Testbench\Concerns\WithLaravelMigrations;
 use Workbench\Database\Factories\UserFactory;
 
@@ -254,6 +255,35 @@ public function testPromptConsentForNewScope()
         $this->assertSame(collect(Passport::scopesFor(['create', 'update']))->toArray(), $json['scopes']);
     }
 
+    #[WithConfig('session.serialization', 'json')]
+    public function testAuthRequestSerialization()
+    {
+        $client = ClientFactory::new()->create();
+
+        $query = http_build_query([
+            'client_id' => $client->getKey(),
+            'redirect_uri' => $client->redirect_uris[0],
+            'response_type' => 'code',
+            'scope' => 'create read',
+            'state' => Str::random(40),
+        ]);
+
+        $this->actingAs(UserFactory::new()->create(), 'web');
+
+        $json = $this->get('/oauth/authorize?'.$query)
+            ->assertOk()
+            ->assertSessionHas('authRequest')
+            ->assertSessionHas('authToken')
+            ->json();
+
+        $this->assertEqualsCanonicalizing(['client', 'user', 'scopes', 'request', 'authToken'], array_keys($json));
+        $this->assertSame(collect(Passport::scopesFor(['create', 'read']))->toArray(), $json['scopes']);
+
+        $this->post('/oauth/authorize', ['auth_token' => $json['authToken']])
+            ->assertRedirect()
+            ->assertSessionMissing(['authRequest', 'authToken']);
+    }
+
     public function testValidateAuthorizationRequest()
     {
         $client = ClientFactory::new()->create();
diff --git a/tests/Feature/DeviceAuthorizationGrantTest.php b/tests/Feature/DeviceAuthorizationGrantTest.php
@@ -7,6 +7,7 @@
 use Illuminate\Support\Str;
 use Laravel\Passport\Database\Factories\ClientFactory;
 use Laravel\Passport\Passport;
+use Orchestra\Testbench\Attributes\WithConfig;
 use Orchestra\Testbench\Concerns\WithLaravelMigrations;
 use Workbench\Database\Factories\UserFactory;
 
@@ -226,6 +227,33 @@ public function testDenyAuthorization()
         $this->assertSame('access_denied', $json['error']);
     }
 
+    #[WithConfig('session.serialization', 'json')]
+    public function testDeviceCodeSerialization()
+    {
+        $client = ClientFactory::new()->asDeviceCodeClient()->create();
+
+        ['user_code' => $userCode] = $this->post('/oauth/device/code', [
+            'client_id' => $client->getKey(),
+            'scope' => 'create read',
+        ])->assertOk()->json();
+
+        $user = UserFactory::new()->create();
+        $this->actingAs($user, 'web');
+
+        $json = $this->get('/oauth/device/authorize?user_code='.$userCode)
+            ->assertOk()
+            ->assertSessionHas('deviceCode')
+            ->assertSessionHas('authToken')
+            ->json();
+        $this->assertEqualsCanonicalizing(['client', 'user', 'scopes', 'request', 'authToken'], array_keys($json));
+        $this->assertSame(collect(Passport::scopesFor(['create', 'read']))->toArray(), $json['scopes']);
+
+        $this->post('/oauth/device/authorize', ['auth_token' => $json['authToken']])
+            ->assertRedirectToRoute('passport.device')
+            ->assertSessionHas('status', 'authorization-approved')
+            ->assertSessionMissing(['deviceCode', 'authToken']);
+    }
+
     public function testPublicClient()
     {
         $client = ClientFactory::new()->asDeviceCodeClient()->asPublic()->create();
diff --git a/tests/Unit/ApproveAuthorizationControllerTest.php b/tests/Unit/ApproveAuthorizationControllerTest.php
@@ -28,22 +28,25 @@ public function test_complete_authorization_request()
         $request->shouldReceive('isNotFilled')->with('auth_token')->andReturn(false);
         $request->shouldReceive('input')->with('auth_token')->andReturn('foo');
 
+        $authRequest = new AuthorizationRequest;
+        $authRequest->setGrantTypeId('authorization_code');
+
         $session->shouldReceive('pull')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('pull')
             ->once()
             ->with('authRequest')
-            ->andReturn($authRequest = m::mock(AuthorizationRequest::class));
+            ->andReturn(serialize($authRequest));
 
         $request->shouldReceive('user')->andReturn(new ApproveAuthorizationControllerFakeUser);
 
-        $authRequest->shouldReceive('getGrantTypeId')->once()->andReturn('authorization_code');
-        $authRequest->shouldReceive('setAuthorizationApproved')->once()->with(true);
-
         $psrResponse = (new PsrHttpFactory)->createResponse(new Response);
         $psrResponse->getBody()->write('response');
 
         $server->shouldReceive('completeAuthorizationRequest')
-            ->with($authRequest, m::type(ResponseInterface::class))
+            ->with(
+                m::on(fn (AuthorizationRequest $request) => $request->isAuthorizationApproved()),
+                m::type(ResponseInterface::class)
+            )
             ->andReturn($psrResponse);
 
         $this->assertSame('response', $controller->approve($request, $psrResponse)->getContent());
diff --git a/tests/Unit/AuthorizationControllerTest.php b/tests/Unit/AuthorizationControllerTest.php
@@ -16,7 +16,6 @@
 use League\OAuth2\Server\AuthorizationServer;
 use League\OAuth2\Server\Exception\OAuthServerException as LeagueException;
 use League\OAuth2\Server\RequestTypes\AuthorizationRequest;
-use League\OAuth2\Server\RequestTypes\AuthorizationRequestInterface;
 use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
 use Mockery as m;
 use PHPUnit\Framework\TestCase;
@@ -39,24 +38,24 @@ public function test_authorization_view_is_presented()
         $response = m::mock(AuthorizationViewResponse::class);
         $guard = m::mock(StatefulGuard::class);
 
+        $authRequest = new AuthorizationRequest;
+        $authRequest->setClient(new \Laravel\Passport\Bridge\Client('1', 'Test Client'));
+        $authRequest->setScopes([new Scope('scope-1')]);
+
         $guard->shouldReceive('guest')->andReturn(false);
         $guard->shouldReceive('user')->andReturn($user = m::mock(Authenticatable::class));
-        $server->shouldReceive('validateAuthorizationRequest')->andReturn($authRequest = m::mock(AuthorizationRequestInterface::class));
+        $server->shouldReceive('validateAuthorizationRequest')->andReturn($authRequest);
 
         $psrRequest = m::mock(ServerRequestInterface::class);
         $psrRequest->shouldReceive('getQueryParams')->andReturn([]);
 
         $request = m::mock(Request::class);
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $session->shouldReceive('put')->withSomeOfArgs('authToken');
-        $session->shouldReceive('put')->with('authRequest', $authRequest);
+        $session->shouldReceive('put')->with('authRequest', m::on(fn ($value) => is_string($value)))->once();
         $session->shouldReceive('forget')->with('promptedForLogin')->once();
         $request->shouldReceive('input')->with('prompt')->andReturn(null);
 
-        $authRequest->shouldReceive('getClient->getIdentifier')->andReturn(1);
-        $authRequest->shouldReceive('getScopes')->andReturn([new Scope('scope-1')]);
-        $authRequest->shouldReceive('setUser')->once();
-
         $clients = m::mock(ClientRepository::class);
         $clients->shouldReceive('find')->with(1)->andReturn($client = m::mock(Client::class));
         $client->shouldReceive('skipsAuthorization')->andReturn(false);
@@ -210,11 +209,14 @@ public function test_authorization_view_is_presented_if_request_has_prompt_equal
         $response = m::mock(AuthorizationViewResponse::class);
         $guard = m::mock(StatefulGuard::class);
 
+        $authRequest = new AuthorizationRequest;
+        $authRequest->setClient(new \Laravel\Passport\Bridge\Client('1', 'Test Client'));
+        $authRequest->setScopes([new Scope('scope-1')]);
+
         $guard->shouldReceive('guest')->andReturn(false);
         $guard->shouldReceive('user')->andReturn($user = m::mock(Authenticatable::class));
         $user->shouldReceive('getAuthIdentifier')->andReturn(1);
-        $server->shouldReceive('validateAuthorizationRequest')
-            ->andReturn($authRequest = m::mock(AuthorizationRequest::class));
+        $server->shouldReceive('validateAuthorizationRequest')->andReturn($authRequest);
 
         $psrRequest = m::mock(ServerRequestInterface::class);
         $psrRequest->shouldReceive('getQueryParams')->andReturn([]);
@@ -224,14 +226,10 @@ public function test_authorization_view_is_presented_if_request_has_prompt_equal
         $request = m::mock(Request::class);
         $request->shouldReceive('session')->andReturn($session = m::mock());
         $session->shouldReceive('put')->withSomeOfArgs('authToken');
-        $session->shouldReceive('put')->with('authRequest', $authRequest);
+        $session->shouldReceive('put')->with('authRequest', m::on(fn ($value) => is_string($value)))->once();
         $session->shouldReceive('forget')->with('promptedForLogin')->once();
         $request->shouldReceive('input')->with('prompt')->andReturn('consent');
 
-        $authRequest->shouldReceive('getClient->getIdentifier')->once()->andReturn(1);
-        $authRequest->shouldReceive('getScopes')->once()->andReturn([new Scope('scope-1')]);
-        $authRequest->shouldReceive('setUser')->once()->andReturnNull();
-
         $clients = m::mock(ClientRepository::class);
         $clients->shouldReceive('find')->with(1)->andReturn($client = m::mock(Client::class));
         $client->shouldReceive('skipsAuthorization')->andReturn(false);
diff --git a/tests/Unit/DenyAuthorizationControllerTest.php b/tests/Unit/DenyAuthorizationControllerTest.php
@@ -30,22 +30,23 @@ public function test_authorization_can_be_denied()
         $request->shouldReceive('isNotFilled')->with('auth_token')->andReturn(false);
         $request->shouldReceive('input')->with('auth_token')->andReturn('foo');
 
+        $authRequest = new AuthorizationRequest;
+        $authRequest->setGrantTypeId('authorization_code');
+
         $session->shouldReceive('pull')->once()->with('authToken')->andReturn('foo');
         $session->shouldReceive('pull')
             ->once()
             ->with('authRequest')
-            ->andReturn($authRequest = m::mock(
-                AuthorizationRequest::class
-            ));
-
-        $authRequest->shouldReceive('getGrantTypeId')->once()->andReturn('authorization_code');
-        $authRequest->shouldReceive('setAuthorizationApproved')->once()->with(false);
+            ->andReturn(serialize($authRequest));
 
         $psrResponse = m::mock(ResponseInterface::class);
         app()->instance(ResponseInterface::class, (new PsrHttpFactory)->createResponse(new Response));
 
         $server->shouldReceive('completeAuthorizationRequest')
-            ->with($authRequest, m::type(ResponseInterface::class))
+            ->with(
+                m::on(fn (AuthorizationRequest $request) => ! $request->isAuthorizationApproved()),
+                m::type(ResponseInterface::class)
+            )
             ->andReturnUsing(function () {
                 throw new \League\OAuth2\Server\Exception\OAuthServerException('', 0, '');
             });
@@ -80,13 +81,3 @@ public function test_auth_request_should_exist()
         $controller->deny($request, $psrResponse);
     }
 }
-
-class DenyAuthorizationControllerFakeUser
-{
-    public $id = 1;
-
-    public function getAuthIdentifier()
-    {
-        return $this->id;
-    }
-}

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ public function authorize(`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`$request->session()->put('authToken', $authToken = Str::random());`
`85`		`- $request->session()->put('authRequest', $authRequest);`
	`85`	`+ $request->session()->put('authRequest', serialize($authRequest));`
`86`	`86`
`87`	`87`	`return $viewResponse->withParameters([`
`88`	`88`	`'client' => $client,`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,14 @@ protected function getAuthRequestFromSession(Request $request): AuthorizationReq`
`24`	`24`	`throw InvalidAuthTokenException::different();`
`25`	`25`	`}`
`26`	`26`
`27`		`- return $request->session()->pull('authRequest')`
	`27`	`+ $authRequest = $request->session()->pull('authRequest')`
`28`	`28`	`?? throw new Exception('Authorization request was not present in the session.');`
	`29`	`+`
	`30`	`+ return unserialize($authRequest, ['allowed_classes' => [`
	`31`	`+ \League\OAuth2\Server\RequestTypes\AuthorizationRequest::class,`
	`32`	`+ \Laravel\Passport\Bridge\Client::class,`
	`33`	`+ \Laravel\Passport\Bridge\Scope::class,`
	`34`	`+ \Laravel\Passport\Bridge\User::class,`
	`35`	`+ ]]);`
`29`	`36`	`}`
`30`	`37`	`}`