

Commit ea22bba

committed
Hide username and client ip in logs
1 parent 9a0f178 commit ea22bba


3 files changed

+19
-4
lines changed


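--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -76,6 +76,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
 $container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)
 ->addArgument(new Reference('limiter.'.$globalId))
 ->addArgument(new Reference('limiter.'.$localId))
+->addArgument('%kernel.secret%')
 ;
 }
 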

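--- a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
+++ b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -28,11 +28,20 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
 {
 private RateLimiterFactory $globalFactory;
 private RateLimiterFactory $localFactory;
+private string $secret;
 
-public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory)
+/**
+* @param non-empty-string $secret A secret to use for hashing the IP address and username
+*/
+public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret = '')
 {
+if (!$secret) {
+trigger_deprecation('symfony/security-http', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+// throw new \Symfony\Component\Security\Core\Exception\InvalidArgumentException('A non-empty secret is required.');
+}
 $this->globalFactory = $globalFactory;
 $this->localFactory = $localFactory;
+$this->secret = $secret;
 }
 
 protected function getLimiters(Request $request): array
@@ -41,8 +50,13 @@ protected function getLimiters(Request $request): array
 $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
 
 return [
-$this->globalFactory->create($request->getClientIp()),
-$this->localFactory->create($username.'-'.$request->getClientIp()),
+$this->globalFactory->create($this->hash($request->getClientIp())),
+$this->localFactory->create($this->hash($username.'-'.$request->getClientIp())),
 ];
 }
+
+private function hash(string $data): string
+{
+return strtr(substr(base64_encode(hash_hmac('sha256', $data, $this->secret, true)), 0, 8), '/+', '._');
+}
 }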
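Review bot: `hash()` is declared with a non-nullable `string $data`, but `Request::getClientIp()` is declared `?string` in HttpFoundation, so the first entry of the `return [...]` array in `getLimiters()` now throws a TypeError when no client IP is available (a request built without REMOTE_ADDR, for instance), where the old code passed the null straight through to `create()`; the local key on the next line is unaffected because concatenation turns null into an empty string. Either coerce at the call site, `$this->globalFactory->create($this->hash((string) $request->getClientIp()))`, or give `hash()` a `?string` parameter that returns null for null so the global limiter keeps its previous default-key behaviour; note that `getLimiters()` starts before the second hunk, so any lines between the signature and `$username` are not visible here. Separately, truncating the HMAC to 8 base64 characters leaves 48 bits of key space; that is adequate for a counter key since a collision only merges two clients' buckets and cannot be chosen without the secret, but a comment on the `substr(..., 0, 8)` line saying so (`// 48-bit truncation: a collision only merges two counters and is not forgeable without the secret`) would save the next reader from re-deriving it. The commented-out `throw` after `trigger_deprecation()` reads as dead code; prefixing it with `// TODO(7.0):` would make the intent explicit.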

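--- a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
@@ -47,7 +47,7 @@ protected function setUp(): void
 'limit' => 6,
 'interval' => '1 minute',
 ], new InMemoryStorage());
-$limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);
+$limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7');
 
 $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
 }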
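Review bot: The only test change is the added `'$3cre7'` argument; nothing shown here asserts the property the commit exists for, namely that the limiter keys no longer contain the raw username or client IP. A unit test for `DefaultLoginRateLimiter` that calls `getLimiters()` with a known username and IP and checks that the resulting keys match the expected HMAC-derived value and do not contain the plaintext would pin the behaviour and catch a regression to plain keys; the empty-secret deprecation path deserves a test as well. `setUp()` continues outside the hunk.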
