fix: JWT Authenticator raw tokens are logged

kenjis · kenjis · commit 3e48895f91f9 · 2023-11-23T08:24:16.000+09:00
diff --git a/src/Authentication/Authenticators/JWT.php b/src/Authentication/Authenticators/JWT.php
@@ -103,7 +103,7 @@ public function attempt(array $credentials): Result
                 // Record a banned login attempt.
                 $this->tokenLoginModel->recordLoginAttempt(
                     self::ID_TYPE_JWT,
-                    $credentials['token'] ?? '',
+                    'sha256:' . hash('sha256', $credentials['token'] ?? ''),
                     false,
                     $ipAddress,
                     $userAgent,
@@ -125,7 +125,7 @@ public function attempt(array $credentials): Result
             // Record a successful login attempt.
             $this->tokenLoginModel->recordLoginAttempt(
                 self::ID_TYPE_JWT,
-                $credentials['token'] ?? '',
+                'sha256:' . hash('sha256', $credentials['token']),
                 true,
                 $ipAddress,
                 $userAgent,
diff --git a/tests/Authentication/Authenticators/JWTAuthenticatorTest.php b/tests/Authentication/Authenticators/JWTAuthenticatorTest.php
@@ -226,7 +226,7 @@ public function testAttemptBannedUser(): void
         // The login attempt should have been recorded
         $this->seeInDatabase('auth_token_logins', [
             'id_type'    => JWT::ID_TYPE_JWT,
-            'identifier' => $token,
+            'identifier' => 'sha256:' . hash('sha256', $token),
             'success'    => 0,
             'user_id'    => $this->user->id,
         ]);
@@ -256,7 +256,7 @@ public function testAttemptSuccess(): void
         // A login attempt should have been recorded
         $this->seeInDatabase('auth_token_logins', [
             'id_type'    => JWT::ID_TYPE_JWT,
-            'identifier' => $token,
+            'identifier' => 'sha256:' . hash('sha256', $token),
             'success'    => 1,
         ]);
     }
