fix: HMAC Token Authenticator raw tokens are logged

kenjis · kenjis · commit b0b10b61103d · 2023-11-23T08:24:16.000+09:00
diff --git a/src/Authentication/Authenticators/HmacSha256.php b/src/Authentication/Authenticators/HmacSha256.php
@@ -78,14 +78,15 @@ public function attempt(array $credentials): Result
             return $result;
         }
 
-        $user = $result->extraInfo();
+        $user  = $result->extraInfo();
+        $token = $user->getHmacToken($this->getHmacKeyFromToken());
 
         if ($user->isBanned()) {
             if ($config->recordLoginAttempt >= Auth::RECORD_LOGIN_ATTEMPT_FAILURE) {
                 // Record a banned login attempt.
                 $this->loginModel->recordLoginAttempt(
                     self::ID_TYPE_HMAC_TOKEN,
-                    $credentials['token'] ?? '',
+                    $token->name ?? '',
                     false,
                     $ipAddress,
                     $userAgent,
@@ -101,17 +102,15 @@ public function attempt(array $credentials): Result
             ]);
         }
 
-        $user = $user->setHmacToken(
-            $user->getHmacToken($this->getHmacKeyFromToken())
-        );
+        $user = $user->setHmacToken($token);
 
         $this->login($user);
 
         if ($config->recordLoginAttempt === Auth::RECORD_LOGIN_ATTEMPT_ALL) {
             // Record a successful login attempt.
             $this->loginModel->recordLoginAttempt(
                 self::ID_TYPE_HMAC_TOKEN,
-                $credentials['token'] ?? '',
+                $token->name ?? '',
                 true,
                 $ipAddress,
                 $userAgent,
diff --git a/tests/Authentication/Authenticators/HmacAuthenticatorTest.php b/tests/Authentication/Authenticators/HmacAuthenticatorTest.php
@@ -273,7 +273,7 @@ public function testAttemptSuccess(): void
         // A login attempt should have been recorded
         $this->seeInDatabase($this->tables['token_logins'], [
             'id_type'    => HmacSha256::ID_TYPE_HMAC_TOKEN,
-            'identifier' => $rawToken,
+            'identifier' => 'foo',
             'success'    => 1,
         ]);
 
@@ -310,7 +310,7 @@ public function testAttemptBanned(): void
         // A login attempt should have been recorded
         $this->seeInDatabase($this->tables['token_logins'], [
             'id_type'    => HmacSha256::ID_TYPE_HMAC_TOKEN,
-            'identifier' => $rawToken,
+            'identifier' => 'foo',
             'success'    => 0,
         ]);
     }
