Bump to 7.11.0

Author: evansims

CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## [7.11.0](https://github.com/auth0/laravel-auth0/tree/7.10.1) (2023-08-08)
+
+### Added
+
+- Significant performance improvements by eliminating redundant user queries.
+- Compatibility support for [Laravel Telescope](https://laravel.com/docs/telescope). See [docs/Telescope.md](./docs/Telescope.md) for more information.
+- A refactored Events API has been introduced. See [docs/Events.md](./docs/Events.md) for more information.
+- `AUTH0_SESSION_STORAGE` and `AUTH0_TRANSIENT_STORAGE` now support a `cookie` value to enable the native Auth0-PHP SDK cookie session handler. See [docs/Cookies.md](./docs/Cookies.md) for more information.
+
+### Fixed
+
+- Addressed an issue where, under certain circumstances, the first user authentication attempt after a session invalidation could fail.
+
+### Changed
+
+- Session regeneration/invalidation has been refactored.
+- Discarded sessions are now deleted when they are invalidated by the SDK, rather than wait for Laravel to garbage collect.
+- Session storage has been refactored. Session data is now stored as a JSON array in a single `auth0_session` entry in the Laravel session store, rather than in multiple keys.
+
+### Documentation
+
+- A demonstration Eloquent user model and repository implementation has been added to [docs/Eloquent.md](./docs/Eloquent.md).
+- A new [docs/Sessions.md](./docs/Sessions.md) document has been added for guidance on the various session driver options available.
+
 ## [7.10.1](https://github.com/auth0/laravel-auth0/tree/7.10.1) (2023-08-07)
 
 ### Fixed

README.md

@@ -356,11 +356,18 @@ All the SDK's Management API methods are [documented here](./docs/Management.md)
 
 - [Installation](./docs/Installation.md) — Installing the SDK and generating configuration files.
 - [Configuration](./docs/Configuration.md) — Configuring the SDK using JSON files or environment variables.
-- [Management](./docs/Management.md) — Using the SDK to call the [Management API](https://auth0.com/docs/api/management/v2).
-- [Users](./docs/Users.md) — Extending the SDK to support persistent storage and [Eloquent](https://laravel.com/docs/eloquent).
+- [Sessions](./docs/Sessions.md) — Guidance on deciding which Laravel Session API driver to use.
+- [Cookies](./docs/Cookies.md) — Important notes about using Laravel's Cookie session driver, and alternative options.
+- [Management API](./docs/Management.md) — Using the SDK to work with the [Auth0 Management API](https://auth0.com/docs/api/management/v2).
+- [Users](./docs/Users.md) — Extending the SDK to support persistent storage and [Eloquent](https://laravel.com/docs/eloquent) models.
 - [Events](./docs/Events.md) — Hooking into SDK [events](https://laravel.com/docs/events) to respond to specific actions.
 - [Deployment](./docs/Deployment.md) — Deploying your application to production.
-- [Octane](./docs/Octane.md) — We do not support using the SDK with [Octane](https://laravel.com/docs/octane) at this time.
+
+You may find the following integration guidance useful:
+
+- [Laravel Eloquent](./docs/Eloquent.md) — [Eloquent ORM](https://laravel.com/docs/eloquent) is supported.
+- [Laravel Octane](./docs/Octane.md) — [Octane](https://laravel.com/docs/octane) is not supported at this time.
+- [Laravel Telescope](./docs/Telescope.md) — [Telescope](https://laravel.com/docs/telescope) is compatible as of SDK v7.11.0.
 
 You may also find the following resources helpful:
 

composer.json

@@ -114,7 +114,7 @@
         "pest:coverage": "@php vendor/bin/pest --coverage --parallel --no-progress",
         "pest:debug": "@php vendor/bin/pest --fail-on-risky --stop-on-defect",
         "pest:profile": "@php vendor/bin/pest --profile",
-        "pest": "@php vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --coverage --parallel --min=95",
+        "pest": "@php vendor/bin/pest --order-by random --fail-on-risky --stop-on-defect --parallel",
         "phpcs:fix": "@php vendor/bin/php-cs-fixer fix",
         "phpcs": "@php vendor/bin/php-cs-fixer fix --dry-run --diff",
         "phpstan": "@php vendor/bin/phpstan analyze",

docs/Configuration.md

@@ -268,7 +268,7 @@ The following parameters used in this example are of note:
   - For Laravel applications, this should always be set to `regular`.
 - `--auth-method` - This represents the 'Token Endpoint Authentication Method' used for authentication.
   - For Laravel applications, this should always be set to `post`.
-- `--callbacks` - The callback URLs to use for authentication. 
+- `--callbacks` - The callback URLs to use for authentication.
   - In development, this should be set to `http://localhost:8000/callback` or as appropriate.
   - In production, adjust this value to match your application's Internet-accessible URL for its`/callback`` route.
   - This value can be a comma-separated list of URLs.

docs/Cookies.md

@@ -0,0 +1,47 @@
+# Cookies
+
+We strongly recommend using the `database` or `redis` session drivers, but realize this is not always a viable option for all developers or use cases. The Auth0 Laravel SDK supports cookies for storing authentication state, but there are notable drawbacks to be aware of.
+
+## Laravel's Cookie Session Driver
+
+As noted in our [sessions documentation](./Sessions.md), Laravel's `cookie` session driver is not a reliable option for production applications as it suffers from a number of notable drawbacks:
+
+- Browsers impose a size limit of 4 KB on individual cookies, which can quickly be exceeded by storing session data.
+- Laravel's cookie driver unfortunately does not "chunk" (split up) larger cookies into multiple cookies, so it is impossible to store more than the noted 4 KB of total session data.
+- Most web servers and load balancers require additional configuration to accept and deliver larger cookie headers.
+
+## Auth0 PHP SDK's Custom Cookie Session Handler
+
+The underlying [Auth0 PHP SDK](https://github.com/auth0/auth0-PHP) (which the Auth0 Laravel SDK is built upon) includes a powerful custom cookie session handler that supports chunking of larger cookies. This approach will enable you to securely and reliably store larger authentication states for your users.
+
+It is important to note that this approach is incompatible with [Octane](./Octane.md) due to the way it delivers cookie headers.
+
+To enable this feature, assign a `cookie` string value to the `AUTH0_SESSION_STORAGE` and `AUTH0_TRANSIENT_STORAGE` environment variables (or your `.env` file.)
+
+```ini
+# Persistent session data:
+AUTH0_SESSION_STORAGE=cookie
+
+# Temporary session data (used only during authentication):
+AUTH0_TRANSIENT_STORAGE=cookie
+```
+
+This will override the SDK's default behavior of using the Laravel Sessions API, and instead use the integrated Auth0 PHP SDK's custom cookie session handler. Please note:
+
+- When this feature is enabled, all properties of cookie storage (like `sameSite`, `secure`, and so forth) must be configured independently. This approach does not use Laravel's settings. Please refer to the [Auth0 PHP SDK's documentation](https://github.com/auth0/auth0-PHP) for guidance on how to configure these.
+- By default your Laravel application's `APP_KEY` will be used to encrypt the cookie data. You can change this by assigning the `AUTH0_COOKIE_SECRET` environment variable (or your `.env` file) a string. If you do this, please ensure you are using an adequately long secure secret.
+- Please ensure your server is configured to deliver and accept cookies prefixed with `auth0_session_` and `auth0_transient_` followed by a series of numbers (beginning with 0). These are the divided content body of the authenticated session data.
+
+### Increasing Server Cookies Header Sizes
+
+You may need to configure your web server or load balancer to accept and deliver larger cookie headers. For example, if you are using Nginx you will need to set the `large_client_header_buffers` directive to a value greater than the default of 4 KB.
+
+```nginx
+large_client_header_buffers 4 16k;
+```
+
+Please refer to your web server or load balancer's documentation for more information.
+
+### Reminder on Octane Compatibility
+
+As noted above, the Auth0 PHP SDK's custom cookie session handler is incompatible with [Octane](./Octane.md) due to the way it delivers cookie headers. If you are using Octane, you must use the Laravel Sessions API with a `database` or `redis` driver.

docs/Eloquent.md

@@ -0,0 +1,269 @@
+# Laravel Eloquent
+
+By default, the SDK does not include any Eloquent models or database support. You can adapt the SDK to your application's needs by adding your own Eloquent models and database support.
+
+## Creating a User Model
+
+Begin by creating a new Eloquent model class. You can use the `make:model` Artisan command to do this. Laravel ships with default user model named `User`, so we'll use the `--force` flag to overwrite it with our custom one.
+
+Please ensure you have a backup of your existing `User` model before running this command, as it will overwrite your existing model.
+
+```bash
+php artisan make:model User --force
+```
+
+Next, open your `app/Models/User.php` file and modify it match the following example. Notably, we'll add a support for a new `auth0` attribute. This attribute will be used to store the user's Auth0 ID, which is used to uniquely identify the user in Auth0.
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Auth\Authenticatable;
+use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
+use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Foundation\Auth\Access\Authorizable;
+
+class User extends Model implements
+    AuthenticatableContract,
+    AuthorizableContract
+{
+    use Authenticatable,
+        Authorizable,
+        HasFactory;
+
+    protected $fillable = [
+        'auth0',
+        'name',
+        'email',
+        'email_verified',
+        'password',
+    ];
+
+    protected $hidden = [
+        'password',
+        'remember_token',
+    ];
+
+    protected $casts = [
+        'email_verified_at' => 'datetime',
+    ];
+}
+```
+
+Next, create a migration to update your application's `users` table schema to support these changes. Create a new migration file:
+
+```bash
+php artisan make:migration update_users_table --table=users
+```
+
+Openly the newly created migration file (found under `database/migrations` and ending in `update_users_table.php`) and update to match the following example:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->string('auth0')->nullable();
+            $table->boolean('email_verified')->default(false);
+
+            $table->unique('auth0', 'users_auth0_unique');
+        });
+    }
+
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropUnique('users_auth0_unique');
+
+            $table->dropColumn('auth0');
+            $table->dropColumn('email_verified');
+        });
+    }
+};
+
+```
+
+Now run the migration:
+
+```bash
+php artisan migrate
+```
+
+## Creating a User Repository
+
+You'll need to create a new user repository class to handle the creation and retrieval of your Eloquent user models from your database table.
+
+Create a new repository class in your application at `app/Repositories/UserRepository.php`, and update it to match the following example:
+
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Repositories;
+
+use App\Models\User;
+use Auth0\Laravel\{UserRepositoryAbstract, UserRepositoryContract};
+use Illuminate\Contracts\Auth\Authenticatable;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Str;
+
+final class UserRepository extends UserRepositoryAbstract implements UserRepositoryContract
+{
+    public function fromAccessToken(array $user): ?Authenticatable
+    {
+        /*
+            $user = [ // Example of a decoded access token
+                "iss"   => "https://example.auth0.com/",
+                "aud"   => "https://api.example.com/calendar/v1/",
+                "sub"   => "auth0|123456",
+                "exp"   => 1458872196,
+                "iat"   => 1458785796,
+                "scope" => "read write",
+            ];
+        */
+
+        $identifier = $user['sub'] ?? $user['auth0'] ?? null;
+
+        if (null === $identifier) {
+            return null;
+        }
+
+        return User::where('auth0', $identifier)->first();
+    }
+
+    public function fromSession(array $user): ?Authenticatable
+    {
+        /*
+            $user = [ // Example of a decoded ID token
+                "iss"         => "http://example.auth0.com",
+                "aud"         => "client_id",
+                "sub"         => "auth0|123456",
+                "exp"         => 1458872196,
+                "iat"         => 1458785796,
+                "name"        => "Jane Doe",
+                "email"       => "[email protected]",
+            ];
+        */
+
+        // Determine the Auth0 identifier for the user from the $user array.
+        $identifier = $user['sub'] ?? $user['auth0'] ?? null;
+
+        // Collect relevant user profile information from the $user array for use later.
+        $profile = [
+            'auth0' => $identifier,
+            'name' => $user['name'] ?? '',
+            'email' => $user['email'] ?? '',
+            'email_verified' => in_array($user['email_verified'], [1, true], true),
+        ];
+
+        // Check if a cache of the user exists in memory to avoid unnecessary database queries.
+        $cached = $this->withoutRecording(fn () => Cache::get('auth0_user_' . $identifier));
+
+        if ($cached) {
+            // Immediately return a cached user if one exists.
+            return $cached;
+        }
+
+        $user = null;
+
+        // Check if the user exists in the database by Auth0 identifier.
+        if (null !== $identifier) {
+            $user = User::where('auth0', $identifier)->first();
+        }
+
+        // Optional: if the user does not exist in the database by Auth0 identifier, you could fallback to matching by email.
+        if (null === $user && isset($user['email'])) {
+            $user = User::where('email', $user['email'])->first();
+        }
+
+        // If a user was found, check if any updates to the local record are required.
+        if (null !== $user) {
+            $updates = [];
+
+            if ($user->auth0 !== $profile['auth0']) {
+                $updates['auth0'] = $profile['auth0'];
+            }
+
+            if ($user->name !== $profile['name']) {
+                $updates['name'] = $profile['name'];
+            }
+
+            if ($user->email !== $profile['email']) {
+                $updates['email'] = $profile['email'];
+            }
+
+            $emailVerified = in_array($user->email_verified, [1, true], true);
+
+            if ($emailVerified !== $profile['email_verified']) {
+                $updates['email_verified'] = $profile['email_verified'];
+            }
+
+            if ([] !== $updates) {
+                $user->update($updates);
+                $user->save();
+            }
+
+            if ([] === $updates && null !== $cached) {
+                return $user;
+            }
+        }
+
+        if (null === $user) {
+            // Local password column is not necessary or used by Auth0 authentication, but may be expected by some applications/packages.
+            $profile['password'] = Hash::make(Str::random(32));
+
+            // Create the user.
+            $user = User::create($profile);
+        }
+
+        // Cache the user for 30 seconds.
+        $this->withoutRecording(fn () => Cache::put('auth0_user_' . $identifier, $user, 30));
+
+        return $user;
+    }
+
+    /**
+     * Workaround for Laravel Telescope potentially causing an infinite loop.
+     * @link https://github.com/auth0/laravel-auth0/tree/main/docs/Telescope.md
+     *
+     * @param callable $callback
+     */
+    private function withoutRecording($callback): mixed
+    {
+        $telescope = '\Laravel\Telescope\Telescope';
+
+        if (class_exists($telescope)) {
+            return "$telescope"::withoutRecording($callback);
+        }
+
+        return call_user_func($callback);
+    }
+}
+```
+
+Finally, update your application's `config/auth.php` file to configure the SDK to query your new user provider during authentication requests.
+
+```php
+'providers' => [
+  'auth0-provider' => [
+    'driver' => 'auth0.provider',
+    'repository' => \App\Repositories\UserRepository::class,
+  ],
+],
+```

docs/Installation.md

@@ -7,7 +7,7 @@
     - [Create a Laravel Application](#create-a-laravel-application)
     - [Install the SDK](#install-the-sdk-1)
 - [Install the CLI](#install-the-cli)
-    - [Authenticate the CLI](#authenticate-the-cli)
+  - [Authenticate the CLI](#authenticate-the-cli)
 - [Configure the SDK](#configure-the-sdk)
   - [Using JSON (Recommended)](#using-json-recommended)
   - [Using Environment Variables](#using-environment-variables)