Merge pull request #119 from NicolasCARPi/nico-sensitive-attr

Add SensitiveParameter to sensitive arguments

Author: RobThree

.github/workflows/test-bacon.yml

@@ -10,10 +10,10 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:

.github/workflows/test-endroid.yml

@@ -10,11 +10,11 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
         endroid-version: ["^3","^4","^5"]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:

.github/workflows/test.yml

@@ -10,10 +10,10 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:

CHANGELOG.md

@@ -1,5 +1,17 @@
 # RobThree\TwoFactorAuth changelog
 
+# Version 3.x
+
+## Breaking changes
+
+### PHP Version
+
+Version 3.x requires at least PHP 8.2.
+
+## Other changes
+
+* The new PHP attribute [SensitiveParameter](https://www.php.net/manual/en/class.sensitiveparameter.php) was added to the code, to prevent accidental leak of secrets in stack traces.
+
 # Version 2.x
 
 ## Breaking changes

README.md

@@ -17,7 +17,7 @@ You can make use of the included [Endroid](https://robthree.github.io/TwoFactorA
 
 ## Requirements
 
-* Requires PHP version >=8.1
+* Requires PHP version >=8.2
 * [cURL](http://php.net/manual/en/book.curl.php) when using the provided `QRServerProvider` (default), `ImageChartsQRCodeProvider` or `QRicketProvider` but you can also provide your own QR-code provider.
 
 Optionally, you may need:

composer.json

@@ -27,7 +27,7 @@
         "source": "https://github.com/RobThree/TwoFactorAuth"
     },
     "require": {
-        "php": ">=8.1.0"
+        "php": ">=8.2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^9",

lib/TwoFactorAuth.php

@@ -14,6 +14,7 @@
 use RobThree\Auth\Providers\Time\ITimeProvider;
 use RobThree\Auth\Providers\Time\LocalMachineTimeProvider;
 use RobThree\Auth\Providers\Time\NTPTimeProvider;
+use SensitiveParameter;
 
 // Based on / inspired by: https://github.com/PHPGangsta/GoogleAuthenticator
 // Algorithms, digits, period etc. explained: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
@@ -66,7 +67,7 @@ public function createSecret(int $bits = 80): string
     /**
      * Calculate the code with given secret and point in time
      */
-    public function getCode(string $secret, ?int $time = null): string
+    public function getCode(#[SensitiveParameter] string $secret, ?int $time = null): string
     {
         $secretkey = $this->base32Decode($secret);
 
@@ -104,7 +105,7 @@ public function verifyCode(string $secret, string $code, int $discrepancy = 1, ?
     /**
      * Get data-uri of QRCode
      */
-    public function getQRCodeImageAsDataUri(string $label, string $secret, int $size = 200): string
+    public function getQRCodeImageAsDataUri(string $label, #[SensitiveParameter] string $secret, int $size = 200): string
     {
         if ($size <= 0) {
             throw new TwoFactorAuthException('Size must be > 0');
@@ -150,7 +151,7 @@ public function ensureCorrectTime(?array $timeproviders = null, int $leniency =
     /**
      * Builds a string to be encoded in a QR code
      */
-    public function getQRText(string $label, string $secret): string
+    public function getQRText(string $label, #[SensitiveParameter] string $secret): string
     {
         return 'otpauth://totp/' . rawurlencode($label)
             . '?secret=' . rawurlencode($secret)