laravel · taylorotwell · May 7, 2025 · May 7, 2025 · May 7, 2025
diff --git a/src/Http/Middleware/CheckToken.php b/src/Http/Middleware/CheckToken.php
@@ -2,7 +2,7 @@
 
 namespace Laravel\Passport\Http\Middleware;
 
-use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\ScopeAuthorizable;
 use Laravel\Passport\Exceptions\MissingScopeException;
 
 class CheckToken extends ValidateToken
@@ -12,7 +12,7 @@ class CheckToken extends ValidateToken
      *
      * @throws \Laravel\Passport\Exceptions\MissingScopeException
      */
-    protected function validate(AccessToken $token, string ...$params): void
+    protected function validate(ScopeAuthorizable $token, string ...$params): void
     {
         foreach ($params as $scope) {
             if ($token->cant($scope)) {

diff --git a/src/Http/Middleware/CheckTokenForAnyScope.php b/src/Http/Middleware/CheckTokenForAnyScope.php
@@ -2,7 +2,7 @@
 
 namespace Laravel\Passport\Http\Middleware;
 
-use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\ScopeAuthorizable;
 use Laravel\Passport\Exceptions\MissingScopeException;
 
 class CheckTokenForAnyScope extends ValidateToken
@@ -12,7 +12,7 @@ class CheckTokenForAnyScope extends ValidateToken
      *
      * @throws \Laravel\Passport\Exceptions\MissingScopeException
      */
-    protected function validate(AccessToken $token, string ...$params): void
+    protected function validate(ScopeAuthorizable $token, string ...$params): void
     {
         foreach ($params as $scope) {
             if ($token->can($scope)) {

diff --git a/src/Http/Middleware/EnsureClientIsResourceOwner.php b/src/Http/Middleware/EnsureClientIsResourceOwner.php
@@ -3,6 +3,7 @@
 namespace Laravel\Passport\Http\Middleware;
 
 use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\ScopeAuthorizable;
 use Laravel\Passport\Exceptions\AuthenticationException;
 use Laravel\Passport\Exceptions\MissingScopeException;
 
@@ -13,9 +14,13 @@ class EnsureClientIsResourceOwner extends ValidateToken
      *
      * @throws \Laravel\Passport\Exceptions\AuthenticationException|\Laravel\Passport\Exceptions\MissingScopeException
      */
-    protected function validate(AccessToken $token, string ...$params): void
+    protected function validate(ScopeAuthorizable $token, string ...$params): void
     {
-        if (! is_null($token->oauth_user_id) && $token->oauth_user_id !== $token->oauth_client_id) {
+        if (
+            $token instanceof AccessToken
+            && ! is_null($token->oauth_user_id)
+            && $token->oauth_user_id !== $token->oauth_client_id
+        ) {
             throw new AuthenticationException;
         }
 

diff --git a/src/Http/Middleware/ValidateToken.php b/src/Http/Middleware/ValidateToken.php
@@ -5,6 +5,7 @@
 use Closure;
 use Illuminate\Http\Request;
 use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\ScopeAuthorizable;
 use Laravel\Passport\Exceptions\AuthenticationException;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\ResourceServer;
@@ -54,7 +55,7 @@ public function handle(Request $request, Closure $next, string ...$params): Resp
      *
      * @throws \Laravel\Passport\Exceptions\AuthenticationException
      */
-    protected function validateToken(Request $request): AccessToken
+    protected function validateToken(Request $request): ScopeAuthorizable
     {
         // If the user is authenticated and already has an access token set via
         // the token guard, there's no need to validate the request's bearer
@@ -80,5 +81,5 @@ protected function validateToken(Request $request): AccessToken
     /**
      * Validate the given access token.
      */
-    abstract protected function validate(AccessToken $token, string ...$params): void;
+    abstract protected function validate(ScopeAuthorizable $token, string ...$params): void;
 }
diff --git a/tests/Unit/CheckTokenForAnyScopeTest.php b/tests/Unit/CheckTokenForAnyScopeTest.php
@@ -5,8 +5,10 @@
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\OAuthenticatable;
 use Laravel\Passport\Exceptions\AuthenticationException;
 use Laravel\Passport\Http\Middleware\CheckTokenForAnyScope;
+use Laravel\Passport\TransientToken;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\ResourceServer;
 use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
@@ -41,6 +43,27 @@ public function test_request_is_passed_along_if_token_is_valid()
         $this->assertSame('response', $response->getContent());
     }
 
+    public function test_request_is_passed_along_if_token_is_transient()
+    {
+        $user = m::mock(OAuthenticatable::class);
+        $user->shouldReceive('currentAccessToken')->andReturn(new TransientToken());
+
+        $resourceServer = m::mock(ResourceServer::class);
+        $resourceServer->shouldNotReceive('validateAuthenticatedRequest');
+
+        $middleware = new CheckTokenForAnyScope($resourceServer);
+
+        $request = Request::create('/');
+        $request->headers->set('Authorization', 'Bearer token');
+        $request->setUserResolver(fn () => $user);
+
+        $response = $middleware->handle($request, function () {
+            return new Response('response');
+        }, 'notfoo');
+
+        $this->assertSame('response', $response->getContent());
+    }
+
     public function test_request_is_passed_along_if_token_has_any_required_scope()
     {
         $resourceServer = m::mock(ResourceServer::class);

diff --git a/tests/Unit/CheckTokenTest.php b/tests/Unit/CheckTokenTest.php
@@ -5,8 +5,10 @@
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Laravel\Passport\AccessToken;
+use Laravel\Passport\Contracts\OAuthenticatable;
 use Laravel\Passport\Exceptions\AuthenticationException;
 use Laravel\Passport\Http\Middleware\CheckToken;
+use Laravel\Passport\TransientToken;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use League\OAuth2\Server\ResourceServer;
 use Mockery\Adapter\Phpunit\MockeryPHPUnitIntegration;
@@ -41,6 +43,27 @@ public function test_request_is_passed_along_if_token_is_valid()
         $this->assertSame('response', $response->getContent());
     }
 
+    public function test_request_is_passed_along_if_token_is_transient()
+    {
+        $user = m::mock(OAuthenticatable::class);
+        $user->shouldReceive('currentAccessToken')->andReturn(new TransientToken());
+
+        $resourceServer = m::mock(ResourceServer::class);
+        $resourceServer->shouldNotReceive('validateAuthenticatedRequest');
+
+        $middleware = new CheckToken($resourceServer);
+
+        $request = Request::create('/');
+        $request->headers->set('Authorization', 'Bearer token');
+        $request->setUserResolver(fn () => $user);
+
+        $response = $middleware->handle($request, function () {
+            return new Response('response');
+        });
+
+        $this->assertSame('response', $response->getContent());
+    }
+
     public function test_request_is_passed_along_if_token_and_scope_are_valid()
     {
         $resourceServer = m::mock(ResourceServer::class);