feat: add SensitiveParameter attribute

Avoid private key shown in stack trace.
https://www.php.net/manual/en/class.sensitiveparameter.php

Author: Rotzbua

composer.json

@@ -34,8 +34,9 @@
     "ext-mbstring": "*",
     "ext-openssl": "*",
     "guzzlehttp/guzzle": "^7.4.5",
-    "web-token/jwt-library": "^3.3.0|^4.0.0",
-    "spomky-labs/base64url": "^2.0.4"
+    "spomky-labs/base64url": "^2.0.4",
+    "symfony/polyfill-php82": "^v1.31.0",
+    "web-token/jwt-library": "^3.3.0|^4.0.0"
   },
   "suggest": {
     "ext-bcmath": "Optional for performance.",

src/Encryption.php

@@ -47,10 +47,16 @@ public static function padPayload(string $payload, int $maxLengthToPad, string $
      * @param string $userPublicKey Base 64 encoded (MIME or URL-safe)
      * @param string $userAuthToken Base 64 encoded (MIME or URL-safe)
      *
-     * @throws \ErrorException
+     * @throws \ErrorException Thrown on php 8.1
+     * @throws \Random\RandomException Thrown on php 8.2 and higher
      */
-    public static function encrypt(string $payload, string $userPublicKey, string $userAuthToken, string $contentEncoding): array
-    {
+    public static function encrypt(
+        string $payload,
+        string $userPublicKey,
+        #[\SensitiveParameter]
+        string $userAuthToken,
+        string $contentEncoding,
+    ): array {
         return self::deterministicEncrypt(
             $payload,
             $userPublicKey,
@@ -64,8 +70,15 @@ public static function encrypt(string $payload, string $userPublicKey, string $u
     /**
      * @throws \RuntimeException
      */
-    public static function deterministicEncrypt(string $payload, string $userPublicKey, string $userAuthToken, string $contentEncoding, array $localKeyObject, string $salt): array
-    {
+    public static function deterministicEncrypt(
+        string $payload,
+        string $userPublicKey,
+        #[\SensitiveParameter]
+        string $userAuthToken,
+        string $contentEncoding,
+        array $localKeyObject,
+        string $salt
+    ): array {
         $userPublicKey = Base64Url::decode($userPublicKey);
         $userAuthToken = Base64Url::decode($userAuthToken);
 

src/VAPID.php

@@ -97,8 +97,15 @@ public static function validate(array $vapid): array
      * @return array Returns an array with the 'Authorization' and 'Crypto-Key' values to be used as headers
      * @throws \ErrorException
      */
-    public static function getVapidHeaders(string $audience, string $subject, string $publicKey, string $privateKey, string $contentEncoding, ?int $expiration = null): array
-    {
+    public static function getVapidHeaders(
+        string $audience,
+        string $subject,
+        string $publicKey,
+        #[\SensitiveParameter]
+        string $privateKey,
+        string $contentEncoding,
+        ?int $expiration = null,
+    ): array {
         $expirationLimit = time() + 43200; // equal margin of error between 0 and 24h
         if (null === $expiration || $expiration > $expirationLimit) {
             $expiration = $expirationLimit;

src/WebPush.php

@@ -235,8 +235,8 @@ protected function createRejectedReport($reason): MessageSentReport
     }
 
     /**
-     * @throws \ErrorException
-     * add back @throws \Random\RandomException when we drop PHP 8.1 support
+     * @throws \ErrorException Thrown on php 8.1
+     * @throws \Random\RandomException Thrown on php 8.2 and higher
      */
     protected function prepare(array $notifications): array
     {