Skip to content

Commit

Permalink
feature #315 prevent leaking sensitive data in logs with the `Sensiti…
Browse files Browse the repository at this point in the history 
…veParameter` attribute
  • Loading branch information
@jrushlow
jrushlow authored Jun 14, 2024
1 parent 9e01bdc commit 09d01be
Show file tree
Hide file tree
Showing 4 changed files with 10 additions and 4 deletions.
1 change: 1 addition & 0 deletions src/Generator/ResetPasswordTokenGenerator.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ class ResetPasswordTokenGenerator
* @param string $signingKey Unique, random, cryptographically secure string
*/
public function __construct(
#[\SensitiveParameter]
private string $signingKey,
private ResetPasswordRandomGenerator $generator
) {
Expand Down
2 changes: 1 addition & 1 deletion src/Model/ResetPasswordRequestTrait.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ trait ResetPasswordRequestTrait
#[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
protected \DateTimeInterface $expiresAt;

protected function initialize(\DateTimeInterface $expiresAt, string $selector, string $hashedToken): void
protected function initialize(\DateTimeInterface $expiresAt, #[\SensitiveParameter] string $selector, #[\SensitiveParameter] string $hashedToken): void
{
$this->requestedAt = new \DateTimeImmutable('now');
$this->expiresAt = $expiresAt;
Expand Down
5 changes: 5 additions & 0 deletions src/Model/ResetPasswordTokenComponents.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,13 @@
class ResetPasswordTokenComponents
{
public function __construct(
#[\SensitiveParameter]
private string $selector,

#[\SensitiveParameter]
private string $verifier,

#[\SensitiveParameter]
private string $hashedToken
) {
}
Expand Down
6 changes: 3 additions & 3 deletions src/ResetPasswordHelper.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ public function generateResetToken(object $user, ?int $resetRequestLifetime = nu
* @throws ExpiredResetPasswordTokenException
* @throws InvalidResetPasswordTokenException
*/
public function validateTokenAndFetchUser(string $fullToken): object
public function validateTokenAndFetchUser(#[\SensitiveParameter] string $fullToken): object
{
$this->cleaner->handleGarbageCollection();

Expand Down Expand Up @@ -123,7 +123,7 @@ public function validateTokenAndFetchUser(string $fullToken): object
/**
* @throws InvalidResetPasswordTokenException
*/
public function removeResetRequest(string $fullToken): void
public function removeResetRequest(#[\SensitiveParameter] string $fullToken): void
{
$request = $this->findResetPasswordRequest($fullToken);

Expand Down Expand Up @@ -159,7 +159,7 @@ public function generateFakeResetToken(?int $resetRequestLifetime = null): Reset
return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);
}

private function findResetPasswordRequest(string $token): ?ResetPasswordRequestInterface
private function findResetPasswordRequest(#[\SensitiveParameter] string $token): ?ResetPasswordRequestInterface
{
$selector = substr($token, 0, self::SELECTOR_LENGTH);

Expand Down

0 comments on commit 09d01be

Please sign in to comment.