RememberMe + Socialite

[lsmith77]

• Laravel Version: v9.50.1
• PHP Version: 8.0.23
• Database Driver & Version:

Description:

The issue is a regression caused by: #34020

Steps To Reproduce:

Setup a Laravel app with Socialite (Socialstream in my case). Use social login exclusively to authenticate. As a result password will be empty on the user and therefore the user will be immediately logged out after they were authenticated via their remember me cookie due to the ! $passwordHash check in AuthenticateSession::handle()

framework/src/Illuminate/Session/Middleware/AuthenticateSession.php

Line 46 in 35be259

if (! $passwordHash || $passwordHash != $request->user()->getAuthPassword()) {

A "fix" would be to set a default password on all users but this feels like a security issue waiting to happen.

[driesvints]

You can circumvent this by setting a random password when registering the user. I'm not sure it's wise to change anything here right now with the change being so old.

[lsmith77]

@joelbutcher if I open a PR on socialstream for this, do you prefer a doc tweak or a change to enforce a random password if remember me is enabled?

[joelbutcher]

@lsmith77 I agree with Dries on this, setting a random password per user and emailing this out to them would be the best mitigation of the sec issue.

But, since you're exclusively wanting to use OAuth for authentication and remove email + password auth, I'd prefer this to be a documented "gotcha" rather than a sec related issue Socialstreams tries to solve for all developers as everyone could potentially want a different solution for this.

[lsmith77]

@joelbutcher ok .. on what repo should this be documented? framework, jetstream or socialstream?

[joelbutcher]

@lsmith77 Please send documentation updates to joelbutcher/socialstream-docs