Regenerate session before login to prevent session fixation attacks. Add null coalescing for groups array from OAuth callback. Changelog: security
Tokens are now encrypted/decrypted transparently via Laravel's encrypted cast, preventing plaintext credential exposure in the DB. Changelog: security
The middleware now returns the redirect response from renew() instead of always proceeding to the next middleware, which caused expired token redirects to be silently discarded. Changelog: fixed
- Remove src/OAuth.php (dead code with misplaced getFacadeAccessor)
- Fix facade accessor to use 'oauth' string key
- Fix singleton to resolve OAuthService instead of ServiceProvider
- Remove unused loadMigrations() method and its call in command
Changelog: fixed
- Use unsignedBigInteger for token expiry (2038 problem)
- Add index on oauth_id column
- Use longText for refresh_token (encrypted values are longer)
- Fix copy-paste comments in config
- Default user_model_name to App\Models\User
- Sanitize regex input with preg_quote in env variable replacement
- Use config_path() instead of relative path
Changelog: fixed
- Add throttle:5,1 middleware to OAuth routes
- Replace Request facade with constructor injection in callback()
Changelog: changed
- Use constructor property promotion in OAuthController
- Remove nullable params and service locator fallback
- Rename EventsOAuthTokenUpdated to OAuthTokenUpdated
- Fix Spanish variable name: valorFormateado -> formattedValue
- Fix typo: loged -> logged in PHPDoc
- Simplify belongsTo: use class string directly
Changelog: changed
- Run Pint formatter on all files
- Fix renew() return type to ?RedirectResponse (removes Redirector)
Changelog: changed
- Restore original migration, add separate alter migration for existing installations (longText, unsignedBigInteger, index)
- Add oauth:encrypt-tokens command to migrate plaintext tokens
- Add deprecated EventsOAuthTokenUpdated alias for backwards compat
- Add UPGRADE.md documenting all breaking changes
Changelog: added
The encrypt command had a bug where `continue` skipped the entire record when oauth_token was already encrypted, leaving oauth_refresh_token unencrypted. Now each field is evaluated independently. UPGRADE.md updated to recommend maintenance mode during migration. Changelog: fixed
Laravel 10 reached EOL in Feb 2025. Dropping it avoids the doctrine/dbal dependency for migration ->change() calls. Changelog: removed
Move "Verify Laravel version" to section 1 since it is a prerequisite. Add test for EventsOAuthTokenUpdated deprecated alias. Changelog: fixed
Changelog: changed
Add Laravel 12 to test matrix with testbench 10.* and larastan 3.*. Changelog: changed
- Fix PHPStan type errors for strict mode with phpstan v2
- Ignore env() false positive in config/ (larastan v3 rule)
- Use ^9.4/^10.0 testbench in CI matrix to fix prefer-lowest
- Allow larastan ^3.0 for Laravel 12 support
Changelog: fixed
victore13 approved these changes, Feb 23, 2026
Summary
Resolves all issues found during the security and code quality audit. This PR prepares the package for the v1 → v2 major release.
Security
- `encrypted` cast to `oauth_token` and `oauth_refresh_token` in the Eloquent model. Tokens are now encrypted/decrypted transparently via Laravel's `Crypt`.
- `Session::regenerate()` before `Auth::guard()->login()` in the OAuth callback.
- `$callback['groups'] ?? []` in all 3 places to prevent errors when the OAuth provider does not return groups.
- `throttle:5,1` middleware to OAuth routes.
Bug fixes
- `OAuthTokenRenewal` now captures and returns the redirect response from `renew()` instead of silently discarding it.
- Facade accessor uses the `'oauth'` string, singleton now resolves `OAuthService`, deleted dead `src/OAuth.php`.
- `continue` that skipped entire records when `oauth_token` was already encrypted, leaving `oauth_refresh_token` unencrypted. Each field is now evaluated independently.
- `preg_quote()` when building regex from env variable keys.
- `config_path('oauth.php')`.
- Copy-paste comments in config: `guard_name`, `login_route_name`, `redirect_route_name_callback_ok`.
- `user_model_name` default from test class to `App\Models\User`.
- `mixed` concatenation in `OAuthService`, `@var` type mismatches in `OAuthCommand` and `OAuthController`.
Upgrade path (v1 → v2)
- Alter migration (`upgrade_oauth_table_v2`) — Changes `oauth_refresh_token` to `longText`, `oauth_token_expires_at` to `unsignedBigInteger`, adds index on `oauth_id`. Original `create_oauth_table` migration preserved for existing installations.
- `oauth:encrypt-tokens` command — Encrypts existing plaintext tokens in-place, skips already encrypted values, safe to re-run.
- `EventsOAuthTokenUpdated` now extends `OAuthTokenUpdated` as a deprecated alias (will be removed in v3).
Code quality
- Constructor property promotion in `OAuthController` (removed nullable + service locator fallback).
- `Request` facade replaced with `Illuminate\Http\Request` injection in `callback()`.
- `EventsOAuthTokenUpdated` → `OAuthTokenUpdated`.
- `$valorFormateado` → `$formattedValue`.
- `belongsTo` — `(new $model())::class` → `$model` directly.
- Removed `src/OAuth.php`, `loadMigrations()` method.
Breaking changes
- Laravel 10 dropped; no longer needs `doctrine/dbal` for migration `->change()` calls.
- `OAuthController` constructor changed (required params, no more nullable fallback).
- `src/OAuth.php` removed — Use `Raiolanetworks\OAuth\Facades\OAuth` instead.
- Rate limiting on OAuth routes (`throttle:5,1`).
CI / DevOps
- Laravel 12 in test matrix with `testbench ^10.0`.
- `larastan ^2.0|^3.0`, `orchestra/testbench ^9.4|^10.0`, `nunomaduro/collision ^8.1.1`.
- Ignore `env()` false positive in config files (larastan v3 rule), set `reportUnmatchedIgnoredErrors: false` for cross-version compat.
- `^9.4`/`^10.0` instead of `9.*`/`10.*` to respect minimum testbench versions.
Test plan
- `EventsOAuthTokenUpdated` is instance of `OAuthTokenUpdated`
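The per-field evaluation that the fixed `oauth:encrypt-tokens` command is described as doing, written out as an added example (this is not the package's own command). It uses Laravel's `Crypt::encryptString()`/`decryptString()`, the non-serialising mode that the `encrypted` cast uses, and treats "already encrypted" as "decrypts without a `DecryptException`"; the table name `oauth`, the integer `id` primary key and the chunk size are assumptions.

```php
<?php
// Added example, not the package's own oauth:encrypt-tokens command.
// Assumptions: table is named 'oauth' with an integer 'id' primary key;
// the chunk size of 100 is arbitrary.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\DB;

const TOKEN_COLUMNS = ['oauth_token', 'oauth_refresh_token'];

/**
 * A value counts as already encrypted when Crypt can decrypt it.
 * decryptString() matches the `encrypted` cast (no serialisation); a
 * plaintext token fails the MAC check and raises DecryptException.
 */
function isAlreadyEncrypted(string $value): bool
{
    try {
        Crypt::decryptString($value);
        return true;
    } catch (DecryptException) {
        return false;
    }
}

/**
 * Returns the column => ciphertext pairs this record still needs.
 * Each field is decided on its own, so an encrypted oauth_token never
 * causes a plaintext oauth_refresh_token to be skipped.
 */
function pendingUpdates(object $row): array
{
    $updates = [];
    foreach (TOKEN_COLUMNS as $column) {
        $value = $row->{$column} ?? null;
        if ($value === null || $value === '' || isAlreadyEncrypted($value)) {
            continue; // skips only this field, which is what makes re-runs safe
        }
        $updates[$column] = Crypt::encryptString($value);
    }
    return $updates;
}

// chunkById() pages by primary key, so updating rows inside the callback
// does not shift the pages the way offset-based chunk() would.
DB::table('oauth')->chunkById(100, function ($rows): void {
    foreach ($rows as $row) {
        $updates = pendingUpdates($row);
        if ($updates !== []) {
            DB::table('oauth')->where('id', $row->id)->update($updates);
        }
    }
});
```

Running this under maintenance mode, as UPGRADE.md recommends, avoids a request writing a fresh plaintext token into a row between the read and the update.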