Fix returning hashed secrets

2024-10-02 10:16:27 +13:00 · 2024-05-22 14:11:06 +12:00 · 2024-05-22 14:11:06 +12:00 · 680cd5194d
commit 680cd5194d
parent f03281a474
1 changed files with 37 additions and 9 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -1856,16 +1856,21 @@ App::post('/v1/account/tokens/magic-url')
            ->setRecipient($email)
            ->trigger();

+        // Set to unhashed secret for events and server responses
+        $token->setAttribute('secret', $tokenSecret);
+
        $queueForEvents
            ->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);

+        // Hide secret for clients
+        if (!$isPrivilegedUser && !$isAppUser) {
+            $token->setAttribute('secret', '');
+        }
+
        if (!empty($phrase)) {
            $token->setAttribute('phrase', $phrase);
        }

-        // Hide secret for clients
-        $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
-
        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)
            ->dynamic($token, Response::MODEL_TOKEN);
@ -2080,16 +2085,21 @@ App::post('/v1/account/tokens/email')
            ->setRecipient($email)
            ->trigger();

+        // Set to unhashed secret for events and server responses
+        $token->setAttribute('secret', $tokenSecret);
+
        $queueForEvents
            ->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);

+        // Hide secret for clients
+        if (!$isPrivilegedUser && !$isAppUser) {
+            $token->setAttribute('secret', '');
+        }
+
        if (!empty($phrase)) {
            $token->setAttribute('phrase', $phrase);
        }

-        // Hide secret for clients
-        $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
-
        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)
            ->dynamic($token, Response::MODEL_TOKEN);
@ -2309,6 +2319,9 @@ App::post('/v1/account/tokens/phone')
            ->setRecipients([$phone])
            ->setProviderType(MESSAGE_TYPE_SMS);

+        // Set to unhashed secret for events and server responses
+        $token->setAttribute('secret', $secret);
+
        $queueForEvents
            ->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);

@ -2965,6 +2978,9 @@ App::post('/v1/account/recovery')
            ->setSubject($subject)
            ->trigger();

+        // Set to unhashed secret for events and server responses
+        $recovery->setAttribute('secret', $secret);
+
        $queueForEvents
            ->setParam('userId', $profile->getId())
            ->setParam('tokenId', $recovery->getId())
@ -2972,7 +2988,9 @@ App::post('/v1/account/recovery')
            ->setPayload($response->output($recovery, Response::MODEL_TOKEN), sensitive: ['secret']);

        // Hide secret for clients
-        $recovery->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+        if (!$isPrivilegedUser && !$isAppUser) {
+            $recovery->setAttribute('secret', '');
+        }

        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)
@ -3210,13 +3228,18 @@ App::post('/v1/account/verification')
            ->setName($user->getAttribute('name') ?? '')
            ->trigger();

+        // Set to unhashed secret for events and server responses
+        $verification->setAttribute('secret', $verificationSecret);
+
        $queueForEvents
            ->setParam('userId', $user->getId())
            ->setParam('tokenId', $verification->getId())
            ->setPayload($response->output($verification, Response::MODEL_TOKEN), sensitive: ['secret']);

        // Hide secret for clients
-        $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $verificationSecret : '');
+        if (!$isPrivilegedUser && !$isAppUser) {
+            $verification->setAttribute('secret', '');
+        }

        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)
@ -3377,13 +3400,18 @@ App::post('/v1/account/verification/phone')
            ->setRecipients([$user->getAttribute('phone')])
            ->setProviderType(MESSAGE_TYPE_SMS);

+        // Set to unhashed secret for events and server responses
+        $verification->setAttribute('secret', $secret);
+
        $queueForEvents
            ->setParam('userId', $user->getId())
            ->setParam('tokenId', $verification->getId())
            ->setPayload($response->output($verification, Response::MODEL_TOKEN), sensitive: ['secret']);

        // Hide secret for clients
-        $verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+        if (!$isPrivilegedUser && !$isAppUser) {
+            $verification->setAttribute('secret', '');
+        }

        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)