Fix returning hashed secrets
parent
f03281a474
commit
680cd5194d
1 changed files with 37 additions and 9 deletions
|
@ -1856,16 +1856,21 @@ App::post('/v1/account/tokens/magic-url')
|
|||
->setRecipient($email)
|
||||
->trigger();
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$token->setAttribute('secret', $tokenSecret);
|
||||
|
||||
$queueForEvents
|
||||
->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
// Hide secret for clients
|
||||
if (!$isPrivilegedUser && !$isAppUser) {
|
||||
$token->setAttribute('secret', '');
|
||||
}
|
||||
|
||||
if (!empty($phrase)) {
|
||||
$token->setAttribute('phrase', $phrase);
|
||||
}
|
||||
|
||||
// Hide secret for clients
|
||||
$token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
|
||||
|
||||
$response
|
||||
->setStatusCode(Response::STATUS_CODE_CREATED)
|
||||
->dynamic($token, Response::MODEL_TOKEN);
|
||||
|
@ -2080,16 +2085,21 @@ App::post('/v1/account/tokens/email')
|
|||
->setRecipient($email)
|
||||
->trigger();
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$token->setAttribute('secret', $tokenSecret);
|
||||
|
||||
$queueForEvents
|
||||
->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
// Hide secret for clients
|
||||
if (!$isPrivilegedUser && !$isAppUser) {
|
||||
$token->setAttribute('secret', '');
|
||||
}
|
||||
|
||||
if (!empty($phrase)) {
|
||||
$token->setAttribute('phrase', $phrase);
|
||||
}
|
||||
|
||||
// Hide secret for clients
|
||||
$token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $tokenSecret : '');
|
||||
|
||||
$response
|
||||
->setStatusCode(Response::STATUS_CODE_CREATED)
|
||||
->dynamic($token, Response::MODEL_TOKEN);
|
||||
|
@ -2309,6 +2319,9 @@ App::post('/v1/account/tokens/phone')
|
|||
->setRecipients([$phone])
|
||||
->setProviderType(MESSAGE_TYPE_SMS);
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$token->setAttribute('secret', $secret);
|
||||
|
||||
$queueForEvents
|
||||
->setPayload($response->output($token, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
|
@ -2965,6 +2978,9 @@ App::post('/v1/account/recovery')
|
|||
->setSubject($subject)
|
||||
->trigger();
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$recovery->setAttribute('secret', $secret);
|
||||
|
||||
$queueForEvents
|
||||
->setParam('userId', $profile->getId())
|
||||
->setParam('tokenId', $recovery->getId())
|
||||
|
@ -2972,7 +2988,9 @@ App::post('/v1/account/recovery')
|
|||
->setPayload($response->output($recovery, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
// Hide secret for clients
|
||||
$recovery->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
|
||||
if (!$isPrivilegedUser && !$isAppUser) {
|
||||
$recovery->setAttribute('secret', '');
|
||||
}
|
||||
|
||||
$response
|
||||
->setStatusCode(Response::STATUS_CODE_CREATED)
|
||||
|
@ -3210,13 +3228,18 @@ App::post('/v1/account/verification')
|
|||
->setName($user->getAttribute('name') ?? '')
|
||||
->trigger();
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$verification->setAttribute('secret', $verificationSecret);
|
||||
|
||||
$queueForEvents
|
||||
->setParam('userId', $user->getId())
|
||||
->setParam('tokenId', $verification->getId())
|
||||
->setPayload($response->output($verification, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
// Hide secret for clients
|
||||
$verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $verificationSecret : '');
|
||||
if (!$isPrivilegedUser && !$isAppUser) {
|
||||
$verification->setAttribute('secret', '');
|
||||
}
|
||||
|
||||
$response
|
||||
->setStatusCode(Response::STATUS_CODE_CREATED)
|
||||
|
@ -3377,13 +3400,18 @@ App::post('/v1/account/verification/phone')
|
|||
->setRecipients([$user->getAttribute('phone')])
|
||||
->setProviderType(MESSAGE_TYPE_SMS);
|
||||
|
||||
// Set to unhashed secret for events and server responses
|
||||
$verification->setAttribute('secret', $secret);
|
||||
|
||||
$queueForEvents
|
||||
->setParam('userId', $user->getId())
|
||||
->setParam('tokenId', $verification->getId())
|
||||
->setPayload($response->output($verification, Response::MODEL_TOKEN), sensitive: ['secret']);
|
||||
|
||||
// Hide secret for clients
|
||||
$verification->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
|
||||
if (!$isPrivilegedUser && !$isAppUser) {
|
||||
$verification->setAttribute('secret', '');
|
||||
}
|
||||
|
||||
$response
|
||||
->setStatusCode(Response::STATUS_CODE_CREATED)
|
||||
|
|
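Review bot: After `$token->setAttribute('secret', $tokenSecret)` in the magic-url hunk (and the matching lines in the email, phone, recovery and both verification hunks), the in-memory document carries the plaintext secret, so any later write-back of that document would replace the stored hash with plaintext; nothing in the hunk saves it again, but each route body continues outside the hunk, so that should be confirmed. The event payload is built from that plaintext document and relies on `sensitive: ['secret']` to redact it, which only helps if every consumer of the events queue (webhooks, realtime, audit logging) honours that flag. Suggest stating the invariant next to the new comment: `// $token now holds the plaintext secret in memory only; never persist it after this point — the stored copy stays hashed.` The same set → queue → hide sequence is repeated in six routes; a small private helper that sets the plaintext, enqueues the event and blanks the secret for non-privileged callers would keep the order from drifting between endpoints.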