
Commit be0e24c

committed
Hide username and client ip in logs
1 parent 9a0f178 commit be0e24c


3 files changed

+19
-4
lines changed


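--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginThrottlingFactory.php
@@ -76,6 +76,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
 $container->register($config['limiter'] = 'security.login_throttling.'.$firewallName.'.limiter', DefaultLoginRateLimiter::class)
 ->addArgument(new Reference('limiter.'.$globalId))
 ->addArgument(new Reference('limiter.'.$localId))
+->addArgument('%kernel.secret%')
 ;
 }
 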

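--- a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
+++ b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -28,11 +28,20 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
 {
 private RateLimiterFactory $globalFactory;
 private RateLimiterFactory $localFactory;
+private string $secret;
 
-public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory)
+/**
+* @param non-empty-string $secret A secret to use for hashing the IP address and username
+*/
+public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret = '')
 {
+if (!$secret) {
+trigger_deprecation('symfony/security-http', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+// throw new \InvalidArgumentException('A non-empty secret is required.');
+}
 $this->globalFactory = $globalFactory;
 $this->localFactory = $localFactory;
+$this->secret = $secret;
 }
 
 protected function getLimiters(Request $request): array
@@ -41,8 +50,13 @@ protected function getLimiters(Request $request): array
 $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
 
 return [
-$this->globalFactory->create($request->getClientIp()),
-$this->localFactory->create($username.'-'.$request->getClientIp()),
+$this->globalFactory->create($this->hash($request->getClientIp())),
+$this->localFactory->create($this->hash($username.'-'.$request->getClientIp())),
 ];
 }
+
+private function hash(string $data): string
+{
+return strtr(substr(base64_encode(hash_hmac('sha256', $data, $this->secret, true)), 0, 8), '/+', '._');
+}
 }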
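Review bot: In the second hunk, `$this->hash($request->getClientIp())` throws a TypeError when the request carries no client IP, because `Request::getClientIp()` is nullable while `hash()` declares a non-nullable `string $data`; the replaced code handed that null straight to `create()`, which accepts it. Coalescing once at the top of the method, `$clientIp = $request->getClientIp() ?? '';`, and using `$clientIp` in both `create()` calls keeps the old lenient behaviour for IP-less requests. `hash()` also deserves a short docblock stating that it truncates the HMAC-SHA256 digest to 8 base64 characters (48 bits), which keeps storage keys short at the cost of a small chance that two distinct clients share a bucket, and that the `strtr` swaps `/` and `+` for `.` and `_`, presumably so the key is safe in the limiter storage — worth stating explicitly. With the empty-secret fallback the HMAC is effectively unkeyed, so the hashed key hides the raw value from logs but is not confidential against comparison with a list of candidate low-entropy inputs such as IPs; a one-line comment next to the `trigger_deprecation` call should say that this is the reason the empty secret is only tolerated for the deprecation window.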

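--- a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
@@ -47,7 +47,7 @@ protected function setUp(): void
 'limit' => 6,
 'interval' => '1 minute',
 ], new InMemoryStorage());
-$limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter);
+$limiter = new DefaultLoginRateLimiter($globalLimiter, $localLimiter, '$3cre7');
 
 $this->listener = new LoginThrottlingListener($this->requestStack, $limiter);
 }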
