I noticed that the expires_at column from the "oauth_access_tokens" table is not checked during the token validation, which grants access to users with expired tokens.
For testing, I've used the sample application in the repository below:
https://github.com/neoighodaro/laravel-passport-demo
After running the "php artisan passport:install" command, I manually updated the "expires_at" column to a date in the past.
But, the consumer service could still retrieve the results, even with the token expired.
I checked the MySQL general log using:
SET GLOBAL general_log = 'ON';
And the executed query was:
select * from `oauth_access_tokens` where `oauth_access_tokens`.`id` = '3e19b972734fcfdf7951de363fc5e9aeab9ea962cf0de7d686a6d2805879d1c4cfa624973eec6ebf' limit 1
Shouldn't it be:
select * from `oauth_access_tokens` where `oauth_access_tokens`.`id` = '3e19b972734fcfdf7951de363fc5e9aeab9ea962cf0de7d686a6d2805879d1c4cfa624973eec6ebf' and revoked = 0 and expires_at >= <Carbon::now()> limit 1
?
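To make the difference between the two queries concrete, here is an added example that is not part of the original report or of Laravel Passport. It builds a constructed in-memory SQLite copy of the `oauth_access_tokens` table with three hypothetical tokens (valid, expired, revoked), runs an id-only lookup in the shape of the logged query, and runs a lookup that also requires `revoked = 0` and an `expires_at` in the future. The token ids, the fixed "now", and the column subset are assumptions made for the demonstration; it uses strict `>` on `expires_at` so a token whose expiry equals the current time is treated as expired.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the demo app): three tokens in
# the same shape as Passport's oauth_access_tokens table, restricted to the
# columns the lookup needs. Timestamps use the ISO layout so string comparison
# in SQLite orders them correctly.
NOW = datetime(2018, 6, 1, 12, 0, 0)
FMT = "%Y-%m-%d %H:%M:%S"

SAMPLE_TOKENS = [
    # id, user_id, client_id, revoked, expires_at
    ("tok_valid",   1, 1, 0, (NOW + timedelta(days=365)).strftime(FMT)),
    ("tok_expired", 1, 1, 0, (NOW - timedelta(days=1)).strftime(FMT)),
    ("tok_revoked", 1, 1, 1, (NOW + timedelta(days=365)).strftime(FMT)),
]


def build_db():
    """Create an in-memory oauth_access_tokens table seeded with SAMPLE_TOKENS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE oauth_access_tokens (
               id TEXT PRIMARY KEY,
               user_id INTEGER,
               client_id INTEGER,
               revoked INTEGER NOT NULL DEFAULT 0,
               expires_at TEXT
           )"""
    )
    conn.executemany(
        "INSERT INTO oauth_access_tokens VALUES (?, ?, ?, ?, ?)", SAMPLE_TOKENS
    )
    conn.commit()
    return conn


def find_token_unchecked(conn, token_id):
    """Lookup by id only, mirroring the query seen in the general log."""
    row = conn.execute(
        "SELECT id FROM oauth_access_tokens WHERE id = ? LIMIT 1", (token_id,)
    ).fetchone()
    return row[0] if row else None


def find_valid_token(conn, token_id, now=NOW):
    """Lookup that also rejects revoked tokens and tokens past expires_at."""
    row = conn.execute(
        """SELECT id FROM oauth_access_tokens
           WHERE id = ? AND revoked = 0 AND expires_at > ?
           LIMIT 1""",
        (token_id, now.strftime(FMT)),
    ).fetchone()
    return row[0] if row else None


def compare(conn, now=NOW):
    """Return {token_id: (accepted_by_unchecked_lookup, accepted_by_checked_lookup)}."""
    return {
        tid: (
            find_token_unchecked(conn, tid) is not None,
            find_valid_token(conn, tid, now) is not None,
        )
        for tid, *_ in SAMPLE_TOKENS
    }


if __name__ == "__main__":
    db = build_db()
    for token_id, (unchecked, checked) in compare(db).items():
        print(f"{token_id:12s} id-only lookup: {unchecked!s:5s}  checked lookup: {checked}")
```

The id-only lookup returns a row for all three tokens, so an expired or revoked token is indistinguishable from a live one at this layer; the checked lookup returns a row only for `tok_valid`. Whatever layer is expected to enforce expiry, this is the pair of queries to compare in the general log when verifying the behaviour.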