feature #315 prevent leaking sensitive data in logs with the SensitiveParameter attribute

jrushlow · web-flow · commit 09d01be86630 · 2024-06-14T04:59:54.000-04:00
diff --git a/src/Generator/ResetPasswordTokenGenerator.php b/src/Generator/ResetPasswordTokenGenerator.php
@@ -26,6 +26,7 @@ class ResetPasswordTokenGenerator
      * @param string $signingKey Unique, random, cryptographically secure string
      */
     public function __construct(
+        #[\SensitiveParameter]
         private string $signingKey,
         private ResetPasswordRandomGenerator $generator
     ) {
diff --git a/src/Model/ResetPasswordRequestTrait.php b/src/Model/ResetPasswordRequestTrait.php
@@ -30,7 +30,7 @@ trait ResetPasswordRequestTrait
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
     protected \DateTimeInterface $expiresAt;
 
-    protected function initialize(\DateTimeInterface $expiresAt, string $selector, string $hashedToken): void
+    protected function initialize(\DateTimeInterface $expiresAt, #[\SensitiveParameter] string $selector, #[\SensitiveParameter] string $hashedToken): void
     {
         $this->requestedAt = new \DateTimeImmutable('now');
         $this->expiresAt = $expiresAt;
diff --git a/src/Model/ResetPasswordTokenComponents.php b/src/Model/ResetPasswordTokenComponents.php
@@ -20,8 +20,13 @@
 class ResetPasswordTokenComponents
 {
     public function __construct(
+        #[\SensitiveParameter]
         private string $selector,
+
+        #[\SensitiveParameter]
         private string $verifier,
+
+        #[\SensitiveParameter]
         private string $hashedToken
     ) {
     }
diff --git a/src/ResetPasswordHelper.php b/src/ResetPasswordHelper.php
@@ -87,7 +87,7 @@ public function generateResetToken(object $user, ?int $resetRequestLifetime = nu
      * @throws ExpiredResetPasswordTokenException
      * @throws InvalidResetPasswordTokenException
      */
-    public function validateTokenAndFetchUser(string $fullToken): object
+    public function validateTokenAndFetchUser(#[\SensitiveParameter] string $fullToken): object
     {
         $this->cleaner->handleGarbageCollection();
 
@@ -123,7 +123,7 @@ public function validateTokenAndFetchUser(string $fullToken): object
     /**
      * @throws InvalidResetPasswordTokenException
      */
-    public function removeResetRequest(string $fullToken): void
+    public function removeResetRequest(#[\SensitiveParameter] string $fullToken): void
     {
         $request = $this->findResetPasswordRequest($fullToken);
 
@@ -159,7 +159,7 @@ public function generateFakeResetToken(?int $resetRequestLifetime = null): Reset
         return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);
     }
 
-    private function findResetPasswordRequest(string $token): ?ResetPasswordRequestInterface
+    private function findResetPasswordRequest(#[\SensitiveParameter] string $token): ?ResetPasswordRequestInterface
     {
         $selector = substr($token, 0, self::SELECTOR_LENGTH);
 

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ trait ResetPasswordRequestTrait`
`30`	`30`	`#[ORM\Column(type: Types::DATETIME_IMMUTABLE)]`
`31`	`31`	`protected \DateTimeInterface $expiresAt;`
`32`	`32`
`33`		`- protected function initialize(\DateTimeInterface $expiresAt, string $selector, string $hashedToken): void`
	`33`	`+ protected function initialize(\DateTimeInterface $expiresAt, #[\SensitiveParameter] string $selector, #[\SensitiveParameter] string $hashedToken): void`
`34`	`34`	`{`
`35`	`35`	`$this->requestedAt = new \DateTimeImmutable('now');`
`36`	`36`	`$this->expiresAt = $expiresAt;`
Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,13 @@`
`20`	`20`	`class ResetPasswordTokenComponents`
`21`	`21`	`{`
`22`	`22`	`public function __construct(`
	`23`	`+ #[\SensitiveParameter]`
`23`	`24`	`private string $selector,`
	`25`	`+`
	`26`	`+ #[\SensitiveParameter]`
`24`	`27`	`private string $verifier,`
	`28`	`+`
	`29`	`+ #[\SensitiveParameter]`
`25`	`30`	`private string $hashedToken`
`26`	`31`	`) {`
`27`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public function generateResetToken(object $user, ?int $resetRequestLifetime = nu`
`87`	`87`	`* @throws ExpiredResetPasswordTokenException`
`88`	`88`	`* @throws InvalidResetPasswordTokenException`
`89`	`89`	`*/`
`90`		`- public function validateTokenAndFetchUser(string $fullToken): object`
	`90`	`+ public function validateTokenAndFetchUser(#[\SensitiveParameter] string $fullToken): object`
`91`	`91`	`{`
`92`	`92`	`$this->cleaner->handleGarbageCollection();`
`93`	`93`
`@@ -123,7 +123,7 @@ public function validateTokenAndFetchUser(string $fullToken): object`
`123`	`123`	`/**`
`124`	`124`	`* @throws InvalidResetPasswordTokenException`
`125`	`125`	`*/`
`126`		`- public function removeResetRequest(string $fullToken): void`
	`126`	`+ public function removeResetRequest(#[\SensitiveParameter] string $fullToken): void`
`127`	`127`	`{`
`128`	`128`	`$request = $this->findResetPasswordRequest($fullToken);`
`129`	`129`
`@@ -159,7 +159,7 @@ public function generateFakeResetToken(?int $resetRequestLifetime = null): Reset`
`159`	`159`	`return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);`
`160`	`160`	`}`
`161`	`161`
`162`		`- private function findResetPasswordRequest(string $token): ?ResetPasswordRequestInterface`
	`162`	`+ private function findResetPasswordRequest(#[\SensitiveParameter] string $token): ?ResetPasswordRequestInterface`
`163`	`163`	`{`
`164`	`164`	`$selector = substr($token, 0, self::SELECTOR_LENGTH);`
`165`	`165`