Hide sensitive information with SensitiveParameter attribute

GromNaN · fabpot · commit 21661fbcdb1c · 2022-07-11T08:49:17.000+02:00
diff --git a/Authentication/RememberMe/CacheTokenVerifier.php b/Authentication/RememberMe/CacheTokenVerifier.php
@@ -38,7 +38,7 @@ public function __construct(CacheItemPoolInterface $cache, int $outdatedTokenTtl
     /**
      * {@inheritdoc}
      */
-    public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool
+    public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool
     {
         if (hash_equals($token->getTokenValue(), $tokenValue)) {
             return true;
@@ -58,7 +58,7 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
     /**
      * {@inheritdoc}
      */
-    public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
+    public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void
     {
         // When a token gets updated, persist the outdated token for $outdatedTokenTtl seconds so we can
         // still accept it as valid in verifyToken
diff --git a/Authentication/RememberMe/InMemoryTokenProvider.php b/Authentication/RememberMe/InMemoryTokenProvider.php
@@ -37,7 +37,7 @@ public function loadTokenBySeries(string $series): PersistentTokenInterface
     /**
      * {@inheritdoc}
      */
-    public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed)
+    public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)
     {
         if (!isset($this->tokens[$series])) {
             throw new TokenNotFoundException('No token found.');
diff --git a/Authentication/RememberMe/PersistentToken.php b/Authentication/RememberMe/PersistentToken.php
@@ -24,7 +24,7 @@ final class PersistentToken implements PersistentTokenInterface
     private string $tokenValue;
     private \DateTime $lastUsed;
 
-    public function __construct(string $class, string $userIdentifier, string $series, string $tokenValue, \DateTime $lastUsed)
+    public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)
     {
         if (empty($class)) {
             throw new \InvalidArgumentException('$class must not be empty.');
diff --git a/Authentication/RememberMe/TokenProviderInterface.php b/Authentication/RememberMe/TokenProviderInterface.php
@@ -39,7 +39,7 @@ public function deleteTokenBySeries(string $series);
      *
      * @throws TokenNotFoundException if the token is not found
      */
-    public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed);
+    public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed);
 
     /**
      * Creates a new token.
diff --git a/Authentication/RememberMe/TokenVerifierInterface.php b/Authentication/RememberMe/TokenVerifierInterface.php
@@ -23,10 +23,10 @@ interface TokenVerifierInterface
      *
      * Do not forget to implement token comparisons using hash_equals for a secure implementation.
      */
-    public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool;
+    public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool;
 
     /**
      * Updates an existing token with a new token value and lastUsed time.
      */
-    public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void;
+    public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void;
 }
diff --git a/Authentication/Token/RememberMeToken.php b/Authentication/Token/RememberMeToken.php
@@ -28,7 +28,7 @@ class RememberMeToken extends AbstractToken
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct(UserInterface $user, string $firewallName, string $secret)
+    public function __construct(UserInterface $user, string $firewallName, #[\SensitiveParameter] string $secret)
     {
         parent::__construct($user->getRoles());
 
diff --git a/Signature/SignatureHasher.php b/Signature/SignatureHasher.php
@@ -35,7 +35,7 @@ class SignatureHasher
      * @param ExpiredSignatureStorage|null $expiredSignaturesStorage if provided, secures a sequence of hashes that are expired
      * @param int|null                     $maxUses                  used together with $expiredSignatureStorage to allow a maximum usage of a hash
      */
-    public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)
+    public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, #[\SensitiveParameter] string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)
     {
         $this->propertyAccessor = $propertyAccessor;
         $this->signatureProperties = $signatureProperties;

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ public function loadTokenBySeries(string $series): PersistentTokenInterface`
`37`	`37`	`/**`
`38`	`38`	`* {@inheritdoc}`
`39`	`39`	`*/`
`40`		`- public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed)`
	`40`	`+ public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)`
`41`	`41`	`{`
`42`	`42`	`if (!isset($this->tokens[$series])) {`
`43`	`43`	`throw new TokenNotFoundException('No token found.');`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ final class PersistentToken implements PersistentTokenInterface`
`24`	`24`	`private string $tokenValue;`
`25`	`25`	`private \DateTime $lastUsed;`
`26`	`26`
`27`		`- public function __construct(string $class, string $userIdentifier, string $series, string $tokenValue, \DateTime $lastUsed)`
	`27`	`+ public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)`
`28`	`28`	`{`
`29`	`29`	`if (empty($class)) {`
`30`	`30`	`throw new \InvalidArgumentException('$class must not be empty.');`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ public function deleteTokenBySeries(string $series);`
`39`	`39`	`*`
`40`	`40`	`* @throws TokenNotFoundException if the token is not found`
`41`	`41`	`*/`
`42`		`- public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed);`
	`42`	`+ public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed);`
`43`	`43`
`44`	`44`	`/**`
`45`	`45`	`* Creates a new token.`
Original file line number	Diff line number	Diff line change
`@@ -23,10 +23,10 @@ interface TokenVerifierInterface`
`23`	`23`	`*`
`24`	`24`	`* Do not forget to implement token comparisons using hash_equals for a secure implementation.`
`25`	`25`	`*/`
`26`		`- public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool;`
	`26`	`+ public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool;`
`27`	`27`
`28`	`28`	`/**`
`29`	`29`	`* Updates an existing token with a new token value and lastUsed time.`
`30`	`30`	`*/`
`31`		`- public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void;`
	`31`	`+ public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void;`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ class RememberMeToken extends AbstractToken`
`28`	`28`	`*`
`29`	`29`	`* @throws \InvalidArgumentException`
`30`	`30`	`*/`
`31`		`- public function __construct(UserInterface $user, string $firewallName, string $secret)`
	`31`	`+ public function __construct(UserInterface $user, string $firewallName, #[\SensitiveParameter] string $secret)`
`32`	`32`	`{`
`33`	`33`	`parent::__construct($user->getRoles());`
`34`	`34`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ class SignatureHasher`
`35`	`35`	`* @param ExpiredSignatureStorage\|null $expiredSignaturesStorage if provided, secures a sequence of hashes that are expired`
`36`	`36`	`* @param int\|null $maxUses used together with $expiredSignatureStorage to allow a maximum usage of a hash`
`37`	`37`	`*/`
`38`		`- public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)`
	`38`	`+ public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, #[\SensitiveParameter] string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)`
`39`	`39`	`{`
`40`	`40`	`$this->propertyAccessor = $propertyAccessor;`
`41`	`41`	`$this->signatureProperties = $signatureProperties;`