Password hashers - redact passwords

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased](https://github.com/orisai/auth/compare/2.0.0...v2.x)
 
+### Changed
+
+- Password hashers - redact passwords
+
 ## [2.0.0](https://github.com/orisai/auth/compare/1.0.4...2.0.0) - 2023-03-01
 
 ### Added

src/Passwords/Argon2PasswordHasher.php

@@ -4,6 +4,7 @@
 
 use Orisai\Utils\Dependencies\Dependencies;
 use Orisai\Utils\Dependencies\Exception\ExtensionRequired;
+use SensitiveParameter;
 use function assert;
 use function password_hash;
 use function password_needs_rehash;
@@ -42,7 +43,11 @@ public function __construct(?int $timeCost = null, ?int $memoryCost = null, ?int
 		$this->threads = $threads ?? 4;
 	}
 
-	public function hash(string $raw): string
+	// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
+	public function hash(
+		#[SensitiveParameter]
+		string $raw
+	): string
 	{
 		$hash = password_hash($raw, PASSWORD_ARGON2ID, $this->getOptions());
 		assert($hash !== false); // Since php 7.4 password_hash cannot return false
@@ -60,7 +65,11 @@ public function needsRehash(string $hashed): bool
 		return password_needs_rehash($hashed, PASSWORD_ARGON2ID, $this->getOptions());
 	}
 
-	public function isValid(string $raw, string $hashed): bool
+	public function isValid(
+		#[SensitiveParameter]
+		string $raw,
+		string $hashed
+	): bool
 	{
 		if (!$this->isArgonHashed($hashed)) {
 			return false;

src/Passwords/BcryptPasswordHasher.php

@@ -2,6 +2,7 @@
 
 namespace Orisai\Auth\Passwords;
 
+use SensitiveParameter;
 use function assert;
 use function password_hash;
 use function password_needs_rehash;
@@ -23,7 +24,11 @@ public function __construct(int $cost = 13)
 		$this->cost = $cost;
 	}
 
-	public function hash(string $raw): string
+	// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
+	public function hash(
+		#[SensitiveParameter]
+		string $raw
+	): string
 	{
 		$hash = password_hash($raw, PASSWORD_BCRYPT, $this->getOptions());
 		assert($hash !== false); // Since php 7.4 password_hash cannot return false
@@ -41,7 +46,11 @@ public function needsRehash(string $hashed): bool
 		return password_needs_rehash($hashed, PASSWORD_BCRYPT, $this->getOptions());
 	}
 
-	public function isValid(string $raw, string $hashed): bool
+	public function isValid(
+		#[SensitiveParameter]
+		string $raw,
+		string $hashed
+	): bool
 	{
 		if (!$this->isBcryptHashed($hashed)) {
 			return false;

src/Passwords/PasswordHasher.php

@@ -2,13 +2,23 @@
 
 namespace Orisai\Auth\Passwords;
 
+use SensitiveParameter;
+
 interface PasswordHasher
 {
 
-	public function hash(string $raw): string;
+	 // phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
+	public function hash(
+		#[SensitiveParameter]
+		string $raw
+	): string;
 
 	public function needsRehash(string $hashed): bool;
 
-	public function isValid(string $raw, string $hashed): bool;
+	public function isValid(
+		#[SensitiveParameter]
+		string $raw,
+		string $hashed
+	): bool;
 
 }

src/Passwords/UpgradingPasswordHasher.php

@@ -2,6 +2,7 @@
 
 namespace Orisai\Auth\Passwords;
 
+use SensitiveParameter;
 use function password_verify;
 
 final class UpgradingPasswordHasher implements PasswordHasher
@@ -21,7 +22,11 @@ public function __construct(PasswordHasher $preferredHasher, array $outdatedHash
 		$this->outdatedHashers = $outdatedHashers;
 	}
 
-	public function hash(string $raw): string
+	// phpcs:ignore SlevomatCodingStandard.Classes.RequireSingleLineMethodSignature
+	public function hash(
+		#[SensitiveParameter]
+		string $raw
+	): string
 	{
 		return $this->preferredHasher->hash($raw);
 	}
@@ -31,7 +36,11 @@ public function needsRehash(string $hashed): bool
 		return $this->preferredHasher->needsRehash($hashed);
 	}
 
-	public function isValid(string $raw, string $hashed): bool
+	public function isValid(
+		#[SensitiveParameter]
+		string $raw,
+		string $hashed
+	): bool
 	{
 		if ($this->preferredHasher->isValid($raw, $hashed)) {
 			return true;