Fix #92: Use SensitiveParameter attribute to mark sensitive parameters

ev-gor · vjik · web-flow · commit dc0da9b7648c · 2024-08-31T14:48:29.000+03:00
Co-authored-by: Sergei Predvoditelev &lt;sergei@predvoditelev.ru&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## 3.1.2 under development
 
-- no changes in this release.
+- Enh #92: Use `SensitiveParameter` attribute to mark sensitive parameters (@ev-gor)
 
 ## 3.1.1 May 06, 2024
 
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ $authenticationMethod = (new \Yiisoft\Auth\Method\HttpBasic($identityRepository)
     ->withRealm('Admin')
     ->withAuthenticationCallback(static function (
         ?string $username,
-        ?string $password,
+        #[\SensitiveParameter] ?string $password,
         \Yiisoft\Auth\IdentityWithTokenRepositoryInterface $identityRepository
     ): ?\Yiisoft\Auth\IdentityInterface {
         return $identityRepository->findIdentityByToken($username, \Yiisoft\Auth\Method\HttpBasic::class);
diff --git a/src/Method/HttpBasic.php b/src/Method/HttpBasic.php
@@ -67,8 +67,8 @@ public function challenge(ResponseInterface $response): ResponseInterface
      *
      * ```php
      * static function (
-     *     string $username,
-     *     string $password,
+     *     ?string $username,
+     *     #[\SensitiveParameter] ?string $password,
      *     \Yiisoft\Auth\IdentityRepositoryInterface $identityRepository
      * ): ?\Yiisoft\Auth\IdentityInterface
      * ```
@@ -159,15 +159,15 @@ private function getTokenFromHeaders(ServerRequestInterface $request): ?string
         return $request->getServerParams()['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
     }
 
-    private function extractCredentialsFromHeader(string $authToken): array
+    private function extractCredentialsFromHeader(#[\SensitiveParameter] string $authToken): array
     {
         return array_map(
             static fn ($value) => $value === '' ? null : $value,
             explode(':', base64_decode(substr($authToken, 6)), 2)
         );
     }
 
-    private function isBasicToken(string $token): bool
+    private function isBasicToken(#[\SensitiveParameter] string $token): bool
     {
         return strncasecmp($token, 'basic', 5) === 0;
     }

Original file line number	Diff line number	Diff line change
`@@ -67,8 +67,8 @@ public function challenge(ResponseInterface $response): ResponseInterface`
`67`	`67`	`*`
`68`	`68`	* ```php
`69`	`69`	`* static function (`
`70`		`- * string $username,`
`71`		`- * string $password,`
	`70`	`+ * ?string $username,`
	`71`	`+ * #[\SensitiveParameter] ?string $password,`
`72`	`72`	`* \Yiisoft\Auth\IdentityRepositoryInterface $identityRepository`
`73`	`73`	`* ): ?\Yiisoft\Auth\IdentityInterface`
`74`	`74`	* ```
`@@ -159,15 +159,15 @@ private function getTokenFromHeaders(ServerRequestInterface $request): ?string`
`159`	`159`	`return $request->getServerParams()['REDIRECT_HTTP_AUTHORIZATION'] ?? null;`
`160`	`160`	`}`
`161`	`161`
`162`		`- private function extractCredentialsFromHeader(string $authToken): array`
	`162`	`+ private function extractCredentialsFromHeader(#[\SensitiveParameter] string $authToken): array`
`163`	`163`	`{`
`164`	`164`	`return array_map(`
`165`	`165`	`static fn ($value) => $value === '' ? null : $value,`
`166`	`166`	`explode(':', base64_decode(substr($authToken, 6)), 2)`
`167`	`167`	`);`
`168`	`168`	`}`
`169`	`169`
`170`		`- private function isBasicToken(string $token): bool`
	`170`	`+ private function isBasicToken(#[\SensitiveParameter] string $token): bool`
`171`	`171`	`{`
`172`	`172`	`return strncasecmp($token, 'basic', 5) === 0;`
`173`	`173`	`}`