Skip to content

Make OidcSession strict-mode safe#3

Merged
chiiya merged 1 commit into
masterfrom
fix/oidc-session-strict-mode
Jun 16, 2026
Merged

Make OidcSession strict-mode safe#3
chiiya merged 1 commit into
masterfrom
fix/oidc-session-strict-mode

Conversation

@chiiya

@chiiya chiiya commented Jun 16, 2026

Copy link
Copy Markdown
Member

Problem

Consumer apps that enable Model::shouldBeStrict() (which turns on preventSilentlyDiscardingAttributes) hit a MassAssignmentException that 500s the /oauth/authorize flow.

SidManager mass-assigns revoked_at in two places — OidcSession::firstOrCreate([... 'revoked_at' => null], ...) and invalidate()'s ->update(['revoked_at' => now()]) — but revoked_at was only in $casts, not $fillable. Under default Eloquent it's silently dropped; under strict mode it throws.

Fix

  • Add revoked_at to OidcSession::$fillable.
  • Regression test: creating + revoking an OidcSession with Model::preventSilentlyDiscardingAttributes() enabled no longer throws.

Full suite green (70 tests).

SidManager mass-assigns revoked_at (firstOrCreate, and invalidate's
update), but it was missing from $fillable — so apps that enable
Model::shouldBeStrict() (preventSilentlyDiscardingAttributes) hit a
MassAssignmentException that 500s the /oauth/authorize flow. Add
revoked_at to $fillable and cover it with a regression test.
@chiiya chiiya merged commit e134484 into master Jun 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

1 participant