[13.x] Fix accessing the plain secret after creating a new confidential client via deprecated ClientController::store (#1861)

hafezdivandari · hettiger · web-flow · commit 9feeb0cacc3c · 2025-10-10T15:34:03.000-05:00
* Fix ClientController::store() breaking change introduced via #1745 ```php - if (Passport::$hashesClientSecrets) { - return ['plainSecret' => $client->plainSecret] + $client->toArray(); - } + $client->secret = $client->plainSecret; return $client->makeVisible('secret'); ``` This change obviously breaks usages that previously relied on the return type array with the additional 'plainSecret' data. E.g., the old Vue components used the plainSecret to present that to the user so that he could save it, etc. Since hashing is now mandatory, I restored the previous behavior without the now obsolete `Passport::$hashesClientSecrets` check: ```php return ['plainSecret' => $client->plainSecret] + $client->toArray(); ``` I also updated the tests. I know it looks a bit fishy but I had not much choice since it's a unit test … (didn't want to make too big of a change out of this … it's deprecated anyways …) * append `plain_secret` * use `append` instead of `mergeAppend` to support L11.x --------- Co-authored-by: Martin Hettiger <martin@hettiger.com>
diff --git a/src/Client.php b/src/Client.php
@@ -134,6 +134,16 @@ protected function secret(): Attribute
         );
     }
 
+    /**
+     * Interact with the client's plain secret.
+     */
+    protected function plainSecret(): Attribute
+    {
+        return Attribute::make(
+            get: fn (): ?string => $this->plainSecret
+        );
+    }
+
     /**
      * Interact with the client's redirect URIs.
      */
diff --git a/src/Http/Controllers/ClientController.php b/src/Http/Controllers/ClientController.php
@@ -49,13 +49,11 @@ public function store(Request $request): Client
         $client = $this->clients->createAuthorizationCodeGrantClient(
             $request->name,
             explode(',', $request->redirect),
-            (bool) $request->input('confidential', true),
+            $confidential = (bool) $request->input('confidential', true),
             $request->user(),
         );
 
-        $client->secret = $client->plainSecret;
-
-        return $client->makeVisible('secret');
+        return $confidential ? $client->append(['plain_secret']) : $client;
     }
 
     /**
diff --git a/tests/Unit/ClientControllerTest.php b/tests/Unit/ClientControllerTest.php
@@ -5,6 +5,7 @@
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Contracts\Validation\Factory;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
 use Laravel\Passport\Client;
 use Laravel\Passport\ClientRepository;
 use Laravel\Passport\Http\Controllers\ClientController;
@@ -41,6 +42,9 @@ public function test_all_the_clients_for_the_current_user_can_be_retrieved()
 
     public function test_clients_can_be_stored()
     {
+        Hash::expects('isHashed')->once()->with('secret')->andReturn(false);
+        Hash::expects('make')->once()->with('secret')->andReturn('hashed_secret');
+
         $clients = m::mock(ClientRepository::class);
         $user = m::mock(Authenticatable::class);
         $user->shouldReceive('getAuthIdentifier')->andReturn(1);
@@ -51,7 +55,11 @@ public function test_clients_can_be_stored()
         $clients->shouldReceive('createAuthorizationCodeGrantClient')
             ->once()
             ->with('client name', ['http://localhost'], true, $user)
-            ->andReturn($client = new Client);
+            ->andReturn($client = new Client([
+                'name' => 'client name',
+                'redirect' => 'http://localhost',
+                'secret' => 'secret',
+            ]));
 
         $redirectRule = m::mock(RedirectRule::class);
 
@@ -71,6 +79,12 @@ public function test_clients_can_be_stored()
         );
 
         $this->assertEquals($client, $controller->store($request));
+        $this->assertSame('hashed_secret', $client->secret);
+        $this->assertSame([
+            'name' => 'client name',
+            'redirect' => 'http://localhost',
+            'plain_secret' => 'secret',
+        ], $client->toArray());
     }
 
     public function test_public_clients_can_be_stored()
@@ -89,7 +103,11 @@ public function test_public_clients_can_be_stored()
         $clients->shouldReceive('createAuthorizationCodeGrantClient')
             ->once()
             ->with('client name', ['http://localhost'], false, $user)
-            ->andReturn($client = new Client);
+            ->andReturn($client = new Client([
+                'name' => 'client name',
+                'redirect' => 'http://localhost',
+                'secret' => null,
+            ]));
 
         $redirectRule = m::mock(RedirectRule::class);
 
@@ -110,6 +128,11 @@ public function test_public_clients_can_be_stored()
         );
 
         $this->assertEquals($client, $controller->store($request));
+        $this->assertNull($client->secret);
+        $this->assertSame([
+            'name' => 'client name',
+            'redirect' => 'http://localhost',
+        ], $client->toArray());
     }
 
     public function test_clients_can_be_updated()
