From 09d01be866303ba2c111b428f59c20a1b12182d1 Mon Sep 17 00:00:00 2001
From: Jesse Rushlow <40327885+jrushlow@users.noreply.github.com>
Date: Fri, 14 Jun 2024 04:59:54 -0400
Subject: [PATCH] feature #315 prevent leaking sensitive data in logs with the
 `SensitiveParameter` attribute

---
 src/Generator/ResetPasswordTokenGenerator.php | 1 +
 src/Model/ResetPasswordRequestTrait.php       | 2 +-
 src/Model/ResetPasswordTokenComponents.php    | 5 +++++
 src/ResetPasswordHelper.php                   | 6 +++---
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/Generator/ResetPasswordTokenGenerator.php b/src/Generator/ResetPasswordTokenGenerator.php
index d2b4dbfb..8e5ce354 100644
--- a/src/Generator/ResetPasswordTokenGenerator.php
+++ b/src/Generator/ResetPasswordTokenGenerator.php
@@ -26,6 +26,7 @@ class ResetPasswordTokenGenerator
      * @param string $signingKey Unique, random, cryptographically secure string
      */
     public function __construct(
+        #[\SensitiveParameter]
         private string $signingKey,
         private ResetPasswordRandomGenerator $generator
     ) {
diff --git a/src/Model/ResetPasswordRequestTrait.php b/src/Model/ResetPasswordRequestTrait.php
index 811d5ef3..5cc5615e 100644
--- a/src/Model/ResetPasswordRequestTrait.php
+++ b/src/Model/ResetPasswordRequestTrait.php
@@ -30,7 +30,7 @@ trait ResetPasswordRequestTrait
     #[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
     protected \DateTimeInterface $expiresAt;
 
-    protected function initialize(\DateTimeInterface $expiresAt, string $selector, string $hashedToken): void
+    protected function initialize(\DateTimeInterface $expiresAt, #[\SensitiveParameter] string $selector, #[\SensitiveParameter] string $hashedToken): void
     {
         $this->requestedAt = new \DateTimeImmutable('now');
         $this->expiresAt = $expiresAt;
diff --git a/src/Model/ResetPasswordTokenComponents.php b/src/Model/ResetPasswordTokenComponents.php
index 97b2ef68..4d382982 100644
--- a/src/Model/ResetPasswordTokenComponents.php
+++ b/src/Model/ResetPasswordTokenComponents.php
@@ -20,8 +20,13 @@
 class ResetPasswordTokenComponents
 {
     public function __construct(
+        #[\SensitiveParameter]
         private string $selector,
+
+        #[\SensitiveParameter]
         private string $verifier,
+
+        #[\SensitiveParameter]
         private string $hashedToken
     ) {
     }
diff --git a/src/ResetPasswordHelper.php b/src/ResetPasswordHelper.php
index b750ea85..bd286dd5 100644
--- a/src/ResetPasswordHelper.php
+++ b/src/ResetPasswordHelper.php
@@ -87,7 +87,7 @@ public function generateResetToken(object $user, ?int $resetRequestLifetime = nu
      * @throws ExpiredResetPasswordTokenException
      * @throws InvalidResetPasswordTokenException
      */
-    public function validateTokenAndFetchUser(string $fullToken): object
+    public function validateTokenAndFetchUser(#[\SensitiveParameter] string $fullToken): object
     {
         $this->cleaner->handleGarbageCollection();
 
@@ -123,7 +123,7 @@ public function validateTokenAndFetchUser(string $fullToken): object
     /**
      * @throws InvalidResetPasswordTokenException
      */
-    public function removeResetRequest(string $fullToken): void
+    public function removeResetRequest(#[\SensitiveParameter] string $fullToken): void
     {
         $request = $this->findResetPasswordRequest($fullToken);
 
@@ -159,7 +159,7 @@ public function generateFakeResetToken(?int $resetRequestLifetime = null): Reset
         return new ResetPasswordToken('fake-token', $expiresAt, $generatedAt);
     }
 
-    private function findResetPasswordRequest(string $token): ?ResetPasswordRequestInterface
+    private function findResetPasswordRequest(#[\SensitiveParameter] string $token): ?ResetPasswordRequestInterface
     {
         $selector = substr($token, 0, self::SELECTOR_LENGTH);