fix: Access Token Authenticator raw tokens are logged

kenjis · kenjis · commit 0405d31637f2 · 2023-11-23T08:24:15.000+09:00
diff --git a/src/Authentication/Authenticators/AccessTokens.php b/src/Authentication/Authenticators/AccessTokens.php
@@ -77,14 +77,15 @@ public function attempt(array $credentials): Result
             return $result;
         }
 
-        $user = $result->extraInfo();
+        $user  = $result->extraInfo();
+        $token = $user->getAccessToken($this->getBearerToken());
 
         if ($user->isBanned()) {
             if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
                 // Record a banned login attempt.
                 $this->loginModel->recordLoginAttempt(
                     self::ID_TYPE_ACCESS_TOKEN,
-                    $credentials['token'] ?? '',
+                    $token->name ?? '',
                     false,
                     $ipAddress,
                     $userAgent,
@@ -100,17 +101,15 @@ public function attempt(array $credentials): Result
             ]);
         }
 
-        $user = $user->setAccessToken(
-            $user->getAccessToken($this->getBearerToken())
-        );
+        $user = $user->setAccessToken($token);
 
         $this->login($user);
 
         if ($config->recordLoginAttempt === Auth::RECORD_LOGIN_ATTEMPT_ALL) {
             // Record a successful login attempt.
             $this->loginModel->recordLoginAttempt(
                 self::ID_TYPE_ACCESS_TOKEN,
-                $credentials['token'] ?? '',
+                $token->name ?? '',
                 true,
                 $ipAddress,
                 $userAgent,
diff --git a/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php b/tests/Authentication/Authenticators/AccessTokenAuthenticatorTest.php
@@ -17,6 +17,7 @@
 use CodeIgniter\Shield\Authentication\Authentication;
 use CodeIgniter\Shield\Authentication\Authenticators\AccessTokens;
 use CodeIgniter\Shield\Config\Auth;
+use CodeIgniter\Shield\Config\AuthToken;
 use CodeIgniter\Shield\Entities\AccessToken;
 use CodeIgniter\Shield\Entities\User;
 use CodeIgniter\Shield\Models\UserIdentityModel;
@@ -222,6 +223,38 @@ public function testAttemptSuccess(): void
         ]);
     }
 
+    public function testAttemptSuccessLog(): void
+    {
+        // Change $recordLoginAttempt in Config.
+        /** @var AuthToken $config */
+        $config                     = config('AuthToken');
+        $config->recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_ALL;
+
+        /** @var User $user */
+        $user  = fake(UserModel::class);
+        $token = $user->generateAccessToken('foo');
+        $this->setRequestHeader($token->raw_token);
+
+        $result = $this->auth->attempt([
+            'token' => $token->raw_token,
+        ]);
+
+        $this->assertInstanceOf(Result::class, $result);
+        $this->assertTrue($result->isOK());
+
+        $foundUser = $result->extraInfo();
+        $this->assertInstanceOf(User::class, $foundUser);
+        $this->assertSame($user->id, $foundUser->id);
+        $this->assertInstanceOf(AccessToken::class, $foundUser->currentAccessToken());
+        $this->assertSame($token->token, $foundUser->currentAccessToken()->token);
+
+        $this->seeInDatabase($this->tables['token_logins'], [
+            'id_type'    => AccessTokens::ID_TYPE_ACCESS_TOKEN,
+            'identifier' => 'foo',
+            'success'    => 1,
+        ]);
+    }
+
     protected function setRequestHeader(string $token): void
     {
         $request = service('request');
