Add SensitiveParameter attribute

src/AuthorizationServer.php

@@ -27,6 +27,7 @@
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class AuthorizationServer implements EmitterAwareInterface
 {
@@ -61,7 +62,9 @@ public function __construct(
         private ClientRepositoryInterface $clientRepository,
         private AccessTokenRepositoryInterface $accessTokenRepository,
         private ScopeRepositoryInterface $scopeRepository,
+        #[SensitiveParameter]
         CryptKeyInterface|string $privateKey,
+        #[SensitiveParameter]
         Key|string $encryptionKey,
         ResponseTypeInterface|null $responseType = null
     ) {

src/CryptKey.php

@@ -16,6 +16,7 @@
 
 use LogicException;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function decoct;
 use function file_get_contents;
@@ -40,8 +41,12 @@ class CryptKey implements CryptKeyInterface
 
     protected string $keyPath;
 
-    public function __construct(string $keyPath, protected ?string $passPhrase = null, bool $keyPermissionsCheck = true)
-    {
+    public function __construct(
+        string $keyPath,
+        #[SensitiveParameter]
+        protected ?string $passPhrase = null,
+        bool $keyPermissionsCheck = true
+    ) {
         if (str_starts_with($keyPath, self::FILE_PREFIX) === false && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
             $this->keyContents = $keyPath;
             $this->keyPath = '';
@@ -99,8 +104,12 @@ public function getKeyContents(): string
     /**
      * Validate key contents.
      */
-    private function isValidKey(string $contents, string $passPhrase): bool
-    {
+    private function isValidKey(
+        #[SensitiveParameter]
+        string $contents,
+        #[SensitiveParameter]
+        string $passPhrase
+    ): bool {
         $privateKey = openssl_pkey_get_private($contents, $passPhrase);
 
         $key = $privateKey instanceof OpenSSLAsymmetricKey ? $privateKey : openssl_pkey_get_public($contents);

src/CryptTrait.php

@@ -21,6 +21,7 @@
 use Exception;
 use InvalidArgumentException;
 use LogicException;
+use SensitiveParameter;
 
 use function is_string;
 
@@ -83,8 +84,10 @@ protected function decrypt(string $encryptedData): string
         }
     }
 
-    public function setEncryptionKey(Key|string|null $key = null): void
-    {
+    public function setEncryptionKey(
+        #[SensitiveParameter]
+        Key|string|null $key = null
+    ): void {
         $this->encryptionKey = $key;
     }
 }

src/Entities/AccessTokenEntityInterface.php

@@ -13,13 +13,17 @@
 namespace League\OAuth2\Server\Entities;
 
 use League\OAuth2\Server\CryptKeyInterface;
+use SensitiveParameter;
 
 interface AccessTokenEntityInterface extends TokenInterface
 {
     /**
      * Set a private key used to encrypt the access token.
      */
-    public function setPrivateKey(CryptKeyInterface $privateKey): void;
+    public function setPrivateKey(
+        #[SensitiveParameter]
+        CryptKeyInterface $privateKey
+    ): void;
 
     /**
      * Generate a string representation of the access token.

src/Entities/Traits/AccessTokenTrait.php

@@ -21,6 +21,7 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use RuntimeException;
+use SensitiveParameter;
 
 trait AccessTokenTrait
 {
@@ -31,8 +32,10 @@ trait AccessTokenTrait
     /**
      * Set the private key used to encrypt this access token.
      */
-    public function setPrivateKey(CryptKeyInterface $privateKey): void
-    {
+    public function setPrivateKey(
+        #[SensitiveParameter]
+        CryptKeyInterface $privateKey
+    ): void {
         $this->privateKey = $privateKey;
     }
 

src/Repositories/AccessTokenRepositoryInterface.php

@@ -16,6 +16,7 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use SensitiveParameter;
 
 /**
  * Access token interface.
@@ -36,7 +37,10 @@ public function getNewToken(
     /**
      * @throws UniqueTokenIdentifierConstraintViolationException
      */
-    public function persistNewAccessToken(AccessTokenEntityInterface $accessTokenEntity): void;
+    public function persistNewAccessToken(
+        #[SensitiveParameter]
+        AccessTokenEntityInterface $accessTokenEntity
+    ): void;
 
     public function revokeAccessToken(string $tokenId): void;
 

src/Repositories/AuthCodeRepositoryInterface.php

@@ -14,6 +14,7 @@
 
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use SensitiveParameter;
 
 /**
  * Auth code storage interface.
@@ -25,7 +26,10 @@ public function getNewAuthCode(): AuthCodeEntityInterface;
     /**
      * @throws UniqueTokenIdentifierConstraintViolationException
      */
-    public function persistNewAuthCode(AuthCodeEntityInterface $authCodeEntity): void;
+    public function persistNewAuthCode(
+        #[SensitiveParameter]
+        AuthCodeEntityInterface $authCodeEntity
+    ): void;
 
     public function revokeAuthCode(string $codeId): void;
 

src/Repositories/ClientRepositoryInterface.php

@@ -13,6 +13,7 @@
 namespace League\OAuth2\Server\Repositories;
 
 use League\OAuth2\Server\Entities\ClientEntityInterface;
+use SensitiveParameter;
 
 /**
  * Client storage interface.
@@ -27,5 +28,10 @@ public function getClientEntity(string $clientIdentifier): ?ClientEntityInterfac
     /**
      * Validate a client's secret.
      */
-    public function validateClient(string $clientIdentifier, ?string $clientSecret, ?string $grantType): bool;
+    public function validateClient(
+        string $clientIdentifier,
+        #[SensitiveParameter]
+        ?string $clientSecret,
+        ?string $grantType
+    ): bool;
 }

src/Repositories/RefreshTokenRepositoryInterface.php

@@ -14,6 +14,7 @@
 
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use League\OAuth2\Server\Exception\UniqueTokenIdentifierConstraintViolationException;
+use SensitiveParameter;
 
 /**
  * Refresh token interface.
@@ -25,7 +26,10 @@ public function getNewRefreshToken(): ?RefreshTokenEntityInterface;
     /**
      * @throws UniqueTokenIdentifierConstraintViolationException
      */
-    public function persistNewRefreshToken(RefreshTokenEntityInterface $refreshTokenEntity): void;
+    public function persistNewRefreshToken(
+        #[SensitiveParameter]
+        RefreshTokenEntityInterface $refreshTokenEntity
+    ): void;
 
     public function revokeRefreshToken(string $tokenId): void;
 

src/Repositories/UserRepositoryInterface.php

@@ -14,6 +14,7 @@
 
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\UserEntityInterface;
+use SensitiveParameter;
 
 interface UserRepositoryInterface extends RepositoryInterface
 {
@@ -22,6 +23,7 @@ interface UserRepositoryInterface extends RepositoryInterface
      */
     public function getUserEntityByUserCredentials(
         string $username,
+        #[SensitiveParameter]
         string $password,
         string $grantType,
         ClientEntityInterface $clientEntity

src/RequestAccessTokenEvent.php

@@ -14,11 +14,16 @@
 
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class RequestAccessTokenEvent extends RequestEvent
 {
-    public function __construct(string $name, ServerRequestInterface $request, private AccessTokenEntityInterface $accessToken)
-    {
+    public function __construct(
+        string $name,
+        ServerRequestInterface $request,
+        #[SensitiveParameter]
+        private AccessTokenEntityInterface $accessToken
+    ) {
         parent::__construct($name, $request);
     }
 

src/RequestRefreshTokenEvent.php

@@ -14,11 +14,16 @@
 
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class RequestRefreshTokenEvent extends RequestEvent
 {
-    public function __construct(string $name, ServerRequestInterface $request, private RefreshTokenEntityInterface $refreshToken)
-    {
+    public function __construct(
+        string $name,
+        ServerRequestInterface $request,
+        #[SensitiveParameter]
+        private RefreshTokenEntityInterface $refreshToken
+    ) {
         parent::__construct($name, $request);
     }
 

src/ResponseTypes/AbstractResponseType.php

@@ -18,6 +18,7 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use SensitiveParameter;
 
 abstract class AbstractResponseType implements ResponseTypeInterface
 {
@@ -29,18 +30,24 @@ abstract class AbstractResponseType implements ResponseTypeInterface
 
     protected CryptKeyInterface $privateKey;
 
-    public function setAccessToken(AccessTokenEntityInterface $accessToken): void
-    {
+    public function setAccessToken(
+        #[SensitiveParameter]
+        AccessTokenEntityInterface $accessToken
+    ): void {
         $this->accessToken = $accessToken;
     }
 
-    public function setRefreshToken(RefreshTokenEntityInterface $refreshToken): void
-    {
+    public function setRefreshToken(
+        #[SensitiveParameter]
+        RefreshTokenEntityInterface $refreshToken
+    ): void {
         $this->refreshToken = $refreshToken;
     }
 
-    public function setPrivateKey(CryptKeyInterface $key): void
-    {
+    public function setPrivateKey(
+        #[SensitiveParameter]
+        CryptKeyInterface $key
+    ): void {
         $this->privateKey = $key;
     }
 }

src/ResponseTypes/BearerTokenResponse.php

@@ -17,6 +17,7 @@
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use LogicException;
 use Psr\Http\Message\ResponseInterface;
+use SensitiveParameter;
 
 use function array_merge;
 use function json_encode;
@@ -75,8 +76,10 @@ public function generateHttpResponse(ResponseInterface $response): ResponseInter
      *
      * @return array<array-key,mixed>
      */
-    protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
-    {
+    protected function getExtraParams(
+        #[SensitiveParameter]
+        AccessTokenEntityInterface $accessToken
+    ): array {
         return [];
     }
 }

src/ResponseTypes/ResponseTypeInterface.php

@@ -18,14 +18,24 @@
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ResponseInterface;
+use SensitiveParameter;
 
 interface ResponseTypeInterface
 {
-    public function setAccessToken(AccessTokenEntityInterface $accessToken): void;
+    public function setAccessToken(
+        #[SensitiveParameter]
+        AccessTokenEntityInterface $accessToken
+    ): void;
 
-    public function setRefreshToken(RefreshTokenEntityInterface $refreshToken): void;
+    public function setRefreshToken(
+        #[SensitiveParameter]
+        RefreshTokenEntityInterface $refreshToken
+    ): void;
 
     public function generateHttpResponse(ResponseInterface $response): ResponseInterface;
 
-    public function setEncryptionKey(Key|string|null $key = null): void;
+    public function setEncryptionKey(
+        #[SensitiveParameter]
+        Key|string|null $key = null
+    ): void;
 }