diff --git a/src/AuthorizationServer.php b/src/AuthorizationServer.php
index c894bbd6b..d86b5b6af 100644
--- a/src/AuthorizationServer.php
+++ b/src/AuthorizationServer.php
@@ -27,6 +27,7 @@ use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 class AuthorizationServer implements EmitterAwareInterface
 {
@@ -61,7 +62,9 @@ public function __construct(
 private ClientRepositoryInterface $clientRepository,
 private AccessTokenRepositoryInterface $accessTokenRepository,
 private ScopeRepositoryInterface $scopeRepository,
+#[SensitiveParameter]
 CryptKeyInterface|string $privateKey,
+#[SensitiveParameter]
 Key|string $encryptionKey,
 ResponseTypeInterface|null $responseType = null
 ) {
diff --git a/src/CryptKey.php b/src/CryptKey.php
index 135a2f7b9..1264c6374 100644
--- a/src/CryptKey.php
+++ b/src/CryptKey.php
@@ -16,6 +16,7 @@ use LogicException;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 use function decoct;
 use function file_get_contents;
@@ -40,8 +41,12 @@ class CryptKey implements CryptKeyInterface
 protected string $keyPath;
-public function __construct(string $keyPath, protected ?string $passPhrase = null, bool $keyPermissionsCheck = true)
-{
+public function __construct(
+string $keyPath,
+#[SensitiveParameter]
+protected ?string $passPhrase = null,
+bool $keyPermissionsCheck = true
+) {
 if (str_starts_with($keyPath, self::FILE_PREFIX) === false && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
 $this->keyContents = $keyPath;
 $this->keyPath = '';
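Review bot: `string $keyPath` in the CryptKey constructor also needs `#[SensitiveParameter]`: the body (which continues past the hunk) treats a value lacking the file prefix as the key material itself — `$this->isValidKey($keyPath, ...)` followed by `$this->keyContents = $keyPath` — so a caller that passes the PEM inline still has the private key captured in backtrace arguments through this frame. The same bytes are already redacted as `$contents` in isValidKey, which leaves the constructor as the one remaining gap. The attribute is applied per declaration, so the fix is the two lines `#[SensitiveParameter]` `string $keyPath,` in place of the bare `string $keyPath,`.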
@@ -99,8 +104,12 @@ public function getKeyContents(): string
 /**
 * Validate key contents.
 */
-private function isValidKey(string $contents, string $passPhrase): bool
-{
+private function isValidKey(
+#[SensitiveParameter]
+string $contents,
+#[SensitiveParameter]
+string $passPhrase
+): bool {
 $privateKey = openssl_pkey_get_private($contents, $passPhrase);
 $key = $privateKey instanceof OpenSSLAsymmetricKey ? $privateKey : openssl_pkey_get_public($contents);
diff --git a/src/CryptTrait.php b/src/CryptTrait.php
index ee481b55c..182f4674a 100644
--- a/src/CryptTrait.php
+++ b/src/CryptTrait.php
@@ -21,6 +21,7 @@ use Exception;
 use InvalidArgumentException;
 use LogicException;
+use SensitiveParameter;
 use function is_string;
@@ -83,8 +84,10 @@ protected function decrypt(string $encryptedData): string
 }
 }
-public function setEncryptionKey(Key|string|null $key = null): void
-{
+public function setEncryptionKey(
+#[SensitiveParameter]
+Key|string|null $key = null
+): void {
 $this->encryptionKey = $key;
 }
 }
diff --git a/src/Entities/AccessTokenEntityInterface.php b/src/Entities/AccessTokenEntityInterface.php
index 3c998b4d2..571a1222c 100644
--- a/src/Entities/AccessTokenEntityInterface.php
+++ b/src/Entities/AccessTokenEntityInterface.php
@@ -19,7 +19,9 @@ interface AccessTokenEntityInterface extends TokenInterface
 /**
 * Set a private key used to encrypt the access token.
 */
-public function setPrivateKey(CryptKeyInterface $privateKey): void;
+public function setPrivateKey(
+CryptKeyInterface $privateKey
+): void;
 /**
 * Generate a string representation of the access token.
diff --git a/src/Entities/Traits/AccessTokenTrait.php b/src/Entities/Traits/AccessTokenTrait.php
index 6b1387b5f..b55bc1f52 100644
--- a/src/Entities/Traits/AccessTokenTrait.php
+++ b/src/Entities/Traits/AccessTokenTrait.php
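Review bot: The interface declarations get the multi-line layout but no attribute, which is correct — PHP applies `#[SensitiveParameter]` to the declaration that actually executes, and an implementation does not inherit it from an interface or parent method — but nothing tells implementers they must add it themselves. `ClientRepositoryInterface::validateClient` is the case that matters most, since its `?string $clientSecret` is a credential that every implementation receives in plain text; `AccessTokenRepositoryInterface::persistNewAccessToken`, `AuthCodeRepositoryInterface::persistNewAuthCode`, `RefreshTokenRepositoryInterface::persistNewRefreshToken`, `ResponseTypeInterface` and the overridable `BearerTokenResponse::getExtraParams` have the same gap. I would add one docblock line to each declaration, here ` * Implementations should mark $privateKey with #[\SensitiveParameter]; the attribute is not inherited from this interface.` and the equivalent wording for `$clientSecret` and the token entity parameters elsewhere.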
@@ -21,6 +21,7 @@ use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use RuntimeException;
+use SensitiveParameter;
 trait AccessTokenTrait
 {
@@ -31,8 +32,10 @@ trait AccessTokenTrait
 /**
 * Set the private key used to encrypt this access token.
 */
-public function setPrivateKey(CryptKeyInterface $privateKey): void
-{
+public function setPrivateKey(
+#[SensitiveParameter]
+CryptKeyInterface $privateKey
+): void {
 $this->privateKey = $privateKey;
 }
diff --git a/src/Repositories/AccessTokenRepositoryInterface.php b/src/Repositories/AccessTokenRepositoryInterface.php
index 8bac8be64..14c331c0c 100644
--- a/src/Repositories/AccessTokenRepositoryInterface.php
+++ b/src/Repositories/AccessTokenRepositoryInterface.php
@@ -36,7 +36,9 @@ public function getNewToken(
 /**
 * @throws UniqueTokenIdentifierConstraintViolationException
 */
-public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void;
+public function persistNewAccessToken(
+AccessTokenEntityInterface $accessTokenEntity
+): void;
 public function revokeAccessToken(string $tokenId): void;
diff --git a/src/Repositories/AuthCodeRepositoryInterface.php b/src/Repositories/AuthCodeRepositoryInterface.php
index 89ff86b87..41627d7d0 100644
--- a/src/Repositories/AuthCodeRepositoryInterface.php
+++ b/src/Repositories/AuthCodeRepositoryInterface.php
@@ -25,7 +25,9 @@ public function getNewAuthCode(): AuthCodeEntityInterface;
 /**
 * @throws UniqueTokenIdentifierConstraintViolationException
 */
-public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void;
+public function persistNewAuthCode(
+AuthCodeEntityInterface $authCodeEntity
+): void;
 public function revokeAuthCode(string $codeId): void;
diff --git a/src/Repositories/ClientRepositoryInterface.php b/src/Repositories/ClientRepositoryInterface.php
index 63134ca9d..67d039ac1 100644
--- a/src/Repositories/ClientRepositoryInterface.php
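Review bot: Marking an object-typed parameter such as `CryptKeyInterface $privateKey` deserves a one-line comment on what it buys, because `getTraceAsString()` already prints object arguments as `Object(ClassName)` without their contents; what the attribute changes is that `getTrace()` (and any error reporter that serializes trace arguments) receives a `SensitiveParameterValue` wrapper instead of the live key object. With `zend.exception_ignore_args=On`, the php.ini-production default, no arguments are recorded at all, so this is defence in depth for development settings and `debug_backtrace()` callers. Suggested comment above the attribute: `// Wrap the key object in SensitiveParameterValue so serialized backtraces never carry it.` The same note applies to the object parameters in RequestAccessTokenEvent, RequestRefreshTokenEvent, AbstractResponseType and BearerTokenResponse::getExtraParams.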
+++ b/src/Repositories/ClientRepositoryInterface.php
@@ -27,5 +27,9 @@ public function getClientEntity(string $clientIdentifier): ?ClientEntityInterfac
 /**
 * Validate a client's secret.
 */
-public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool;
+public function validateClient(
+string $clientIdentifier,
+?string $clientSecret,
+?string $grantType
+): bool;
 }
diff --git a/src/Repositories/RefreshTokenRepositoryInterface.php b/src/Repositories/RefreshTokenRepositoryInterface.php
index a25e50133..6f329eb3e 100644
--- a/src/Repositories/RefreshTokenRepositoryInterface.php
+++ b/src/Repositories/RefreshTokenRepositoryInterface.php
@@ -25,7 +25,9 @@ public function getNewRefreshToken(): ?RefreshTokenEntityInterface;
 /**
 * @throws UniqueTokenIdentifierConstraintViolationException
 */
-public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity): void;
+public function persistNewRefreshToken(
+RefreshTokenEntityInterface $refreshTokenEntity
+): void;
 public function revokeRefreshToken(string $tokenId): void;
diff --git a/src/RequestAccessTokenEvent.php b/src/RequestAccessTokenEvent.php
index 1200c44c5..139ad50ab 100644
--- a/src/RequestAccessTokenEvent.php
+++ b/src/RequestAccessTokenEvent.php
@@ -14,11 +14,16 @@ use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 class RequestAccessTokenEvent extends RequestEvent
 {
-public function __construct(string $name, ServerRequestInterface $request, private AccessTokenEntityInterface $accessToken)
-{
+public function __construct(
+string $name,
+ServerRequestInterface $request,
+#[SensitiveParameter]
+private AccessTokenEntityInterface $accessToken
+) {
 parent::__construct($name, $request);
 }
diff --git a/src/RequestRefreshTokenEvent.php b/src/RequestRefreshTokenEvent.php
index f2ac556cd..ed978394a 100644
--- a/src/RequestRefreshTokenEvent.php
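Review bot: For `private AccessTokenEntityInterface $accessToken` the attribute covers only the constructor frame; the token entity is then stored on the event and handed to every listener, so a listener that logs or dumps the event still exposes it, and nothing in the class says so. A class docblock line would make the contract explicit, e.g. ` * Carries the access token entity; listeners must not log or serialize this event wholesale.` RequestRefreshTokenEvent in the next file has the identical shape and needs the same line.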
+++ b/src/RequestRefreshTokenEvent.php
@@ -14,11 +14,16 @@ use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 class RequestRefreshTokenEvent extends RequestEvent
 {
-public function __construct(string $name, ServerRequestInterface $request, private RefreshTokenEntityInterface $refreshToken)
-{
+public function __construct(
+string $name,
+ServerRequestInterface $request,
+#[SensitiveParameter]
+private RefreshTokenEntityInterface $refreshToken
+) {
 parent::__construct($name, $request);
 }
diff --git a/src/ResponseTypes/AbstractResponseType.php b/src/ResponseTypes/AbstractResponseType.php
index 2af00e224..af2b81cf5 100644
--- a/src/ResponseTypes/AbstractResponseType.php
+++ b/src/ResponseTypes/AbstractResponseType.php
@@ -18,6 +18,7 @@ use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use SensitiveParameter;
 abstract class AbstractResponseType implements ResponseTypeInterface
 {
@@ -29,18 +30,24 @@ abstract class AbstractResponseType implements ResponseTypeInterface
 protected CryptKeyInterface $privateKey;
-public function setAccessToken(AccessTokenEntityInterface $accessToken): void
-{
+public function setAccessToken(
+#[SensitiveParameter]
+AccessTokenEntityInterface $accessToken
+): void {
 $this->accessToken = $accessToken;
 }
-public function setRefreshToken(RefreshTokenEntityInterface $refreshToken): void
-{
+public function setRefreshToken(
+#[SensitiveParameter]
+RefreshTokenEntityInterface $refreshToken
+): void {
 $this->refreshToken = $refreshToken;
 }
-public function setPrivateKey(CryptKeyInterface $key): void
-{
+public function setPrivateKey(
+#[SensitiveParameter]
+CryptKeyInterface $key
+): void {
 $this->privateKey = $key;
 }
 }
diff --git a/src/ResponseTypes/BearerTokenResponse.php b/src/ResponseTypes/BearerTokenResponse.php
index dd49b99ba..818d52c16 100644
--- a/src/ResponseTypes/BearerTokenResponse.php
+++ b/src/ResponseTypes/BearerTokenResponse.php
@@ -17,6 +17,7 @@ use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use LogicException;
 use Psr\Http\Message\ResponseInterface;
+use SensitiveParameter;
 use function array_merge;
 use function json_encode;
@@ -75,8 +76,10 @@ public function generateHttpResponse(ResponseInterface $response): ResponseInter
 *
 * @return array
 */
-protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
-{
+protected function getExtraParams(
+#[SensitiveParameter]
+AccessTokenEntityInterface $accessToken
+): array {
 return [];
 }
 }
diff --git a/src/ResponseTypes/ResponseTypeInterface.php b/src/ResponseTypes/ResponseTypeInterface.php
index 8e70ae9f8..2684e01aa 100644
--- a/src/ResponseTypes/ResponseTypeInterface.php
+++ b/src/ResponseTypes/ResponseTypeInterface.php
@@ -21,11 +21,17 @@ interface ResponseTypeInterface
 {
-public function setAccessToken(AccessTokenEntityInterface $accessToken): void;
+public function setAccessToken(
+AccessTokenEntityInterface $accessToken
+): void;
-public function setRefreshToken(RefreshTokenEntityInterface $refreshToken): void;
+public function setRefreshToken(
+RefreshTokenEntityInterface $refreshToken
+): void;
 public function generateHttpResponse(ResponseInterface $response): ResponseInterface;
-public function setEncryptionKey(Key|string|null $key = null): void;
+public function setEncryptionKey(
+Key|string|null $key = null
+): void;
 }