Merge pull request #1483 from coffeemakr/master

Add SensitiveParameter attribute

Author: Sephster

CHANGELOG.md

@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Added sensitive parameter to avoid sensitive data being included in stack traces (PR #1483)
+
 ## [9.2.0] - released 2025-02-15
 ### Added
 - Added a new function to the provided ClientTrait, `supportsGrantType` to allow the auth server to issue the response `unauthorized_client` when applicable (PR #1420)

src/AuthorizationServer.php

@@ -27,6 +27,7 @@
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class AuthorizationServer implements EmitterAwareInterface
 {
@@ -61,7 +62,9 @@ public function __construct(
  private ClientRepositoryInterface $clientRepository,
  private AccessTokenRepositoryInterface $accessTokenRepository,
  private ScopeRepositoryInterface $scopeRepository,
+ #[SensitiveParameter]
  CryptKeyInterface|string $privateKey,
+ #[SensitiveParameter]
  Key|string $encryptionKey,
  ResponseTypeInterface|null $responseType = null
  ) {

src/CryptKey.php

@@ -16,6 +16,7 @@
 
 use LogicException;
 use OpenSSLAsymmetricKey;
+use SensitiveParameter;
 
 use function decoct;
 use function file_get_contents;
@@ -40,8 +41,12 @@ class CryptKey implements CryptKeyInterface
 
  protected string $keyPath;
 
- public function __construct(string $keyPath, protected ?string $passPhrase = null, bool $keyPermissionsCheck = true)
- {
+ public function __construct(
+ string $keyPath,
+ #[SensitiveParameter]
+ protected ?string $passPhrase = null,
+ bool $keyPermissionsCheck = true
+ ) {
  if (str_starts_with($keyPath, self::FILE_PREFIX) === false && $this->isValidKey($keyPath, $this->passPhrase ?? '')) {
  $this->keyContents = $keyPath;
  $this->keyPath = '';
@@ -99,8 +104,12 @@ public function getKeyContents(): string
  /**
  * Validate key contents.
  */
- private function isValidKey(string $contents, string $passPhrase): bool
- {
+ private function isValidKey(
+ #[SensitiveParameter]
+ string $contents,
+ #[SensitiveParameter]
+ string $passPhrase
+ ): bool {
  $privateKey = openssl_pkey_get_private($contents, $passPhrase);
 
  $key = $privateKey instanceof OpenSSLAsymmetricKey ? $privateKey : openssl_pkey_get_public($contents);

src/CryptTrait.php

@@ -21,6 +21,7 @@
 use Exception;
 use InvalidArgumentException;
 use LogicException;
+use SensitiveParameter;
 
 use function is_string;
 
@@ -83,8 +84,10 @@ protected function decrypt(string $encryptedData): string
  }
  }
 
- public function setEncryptionKey(Key|string|null $key = null): void
- {
+ public function setEncryptionKey(
+ #[SensitiveParameter]
+ Key|string|null $key = null
+ ): void {
  $this->encryptionKey = $key;
  }
 }

src/Entities/Traits/AccessTokenTrait.php

@@ -21,6 +21,7 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
 use RuntimeException;
+use SensitiveParameter;
 
 trait AccessTokenTrait
 {
@@ -31,8 +32,10 @@ trait AccessTokenTrait
  /**
  * Set the private key used to encrypt this access token.
  */
- public function setPrivateKey(CryptKeyInterface $privateKey): void
- {
+ public function setPrivateKey(
+ #[SensitiveParameter]
+ CryptKeyInterface $privateKey
+ ): void {
  $this->privateKey = $privateKey;
  }
 

src/RequestAccessTokenEvent.php

@@ -14,11 +14,16 @@
 
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class RequestAccessTokenEvent extends RequestEvent
 {
- public function __construct(string $name, ServerRequestInterface $request, private AccessTokenEntityInterface $accessToken)
- {
+ public function __construct(
+ string $name,
+ ServerRequestInterface $request,
+ #[SensitiveParameter]
+ private AccessTokenEntityInterface $accessToken
+ ) {
  parent::__construct($name, $request);
  }
 

src/RequestRefreshTokenEvent.php

@@ -14,11 +14,16 @@
 
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use SensitiveParameter;
 
 class RequestRefreshTokenEvent extends RequestEvent
 {
- public function __construct(string $name, ServerRequestInterface $request, private RefreshTokenEntityInterface $refreshToken)
- {
+ public function __construct(
+ string $name,
+ ServerRequestInterface $request,
+ #[SensitiveParameter]
+ private RefreshTokenEntityInterface $refreshToken
+ ) {
  parent::__construct($name, $request);
  }
 

src/ResponseTypes/AbstractResponseType.php

@@ -18,6 +18,7 @@
 use League\OAuth2\Server\CryptTrait;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
+use SensitiveParameter;
 
 abstract class AbstractResponseType implements ResponseTypeInterface
 {
@@ -29,18 +30,24 @@ abstract class AbstractResponseType implements ResponseTypeInterface
 
  protected CryptKeyInterface $privateKey;
 
- public function setAccessToken(AccessTokenEntityInterface $accessToken): void
- {
+ public function setAccessToken(
+ #[SensitiveParameter]
+ AccessTokenEntityInterface $accessToken
+ ): void {
  $this->accessToken = $accessToken;
  }
 
- public function setRefreshToken(RefreshTokenEntityInterface $refreshToken): void
- {
+ public function setRefreshToken(
+ #[SensitiveParameter]
+ RefreshTokenEntityInterface $refreshToken
+ ): void {
  $this->refreshToken = $refreshToken;
  }
 
- public function setPrivateKey(CryptKeyInterface $key): void
- {
+ public function setPrivateKey(
+ #[SensitiveParameter]
+ CryptKeyInterface $key
+ ): void {
  $this->privateKey = $key;
  }
 }

src/ResponseTypes/BearerTokenResponse.php

@@ -17,6 +17,7 @@
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use LogicException;
 use Psr\Http\Message\ResponseInterface;
+use SensitiveParameter;
 
 use function array_merge;
 use function json_encode;
@@ -75,8 +76,10 @@ public function generateHttpResponse(ResponseInterface $response): ResponseInter
  *
  * @return array<array-key,mixed>
  */
- protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
- {
+ protected function getExtraParams(
+ #[SensitiveParameter]
+ AccessTokenEntityInterface $accessToken
+ ): array {
  return [];
  }
 }