symfony · fabpot · Nov 22, 2022 · Nov 21, 2022 · fancyweb · Nov 21, 2022
diff --git a/src/Symfony/Bundle/FrameworkBundle/Secrets/SodiumVault.php b/src/Symfony/Bundle/FrameworkBundle/Secrets/SodiumVault.php
@@ -30,7 +30,7 @@ class SodiumVault extends AbstractVault implements EnvVarLoaderInterface
      * @param $decryptionKey A string or a stringable object that defines the private key to use to decrypt the vault
      *                       or null to store generated keys in the provided $secretsDir
      */
-    public function __construct(string $secretsDir, string|\Stringable $decryptionKey = null)
+    public function __construct(string $secretsDir, #[\SensitiveParameter] string|\Stringable $decryptionKey = null)
     {
         $this->pathPrefix = rtrim(strtr($secretsDir, '/', \DIRECTORY_SEPARATOR), \DIRECTORY_SEPARATOR).\DIRECTORY_SEPARATOR.basename($secretsDir).'.';
         $this->decryptionKey = $decryptionKey;

@@ -79,7 +79,7 @@ public function getToken(string $tokenId): CsrfToken
         return new CsrfToken($tokenId, $this->randomize($value));
     }
 
-    public function refreshToken(#[\SensitiveParameter] string $tokenId): CsrfToken
+    public function refreshToken(string $tokenId): CsrfToken
     {
         $namespacedId = $this->getNamespace().$tokenId;
         $value = $this->generator->generateToken();

@@ -51,7 +51,7 @@ public function getToken(string $tokenId): string
         return (string) $_SESSION[$this->namespace][$tokenId];
     }
 
-    public function setToken(string $tokenId, string $token)
+    public function setToken(string $tokenId, #[\SensitiveParameter] string $token)
     {
         if (!$this->sessionStarted) {
             $this->startSession();

@@ -56,7 +56,7 @@ public function getToken(string $tokenId): string
         return (string) $session->get($this->namespace.'/'.$tokenId);
     }
 
-    public function setToken(string $tokenId, string $token)
+    public function setToken(string $tokenId, #[\SensitiveParameter] string $token)
     {
         $session = $this->getSession();
         if (!$session->isStarted()) {

@@ -28,7 +28,7 @@ public function getToken(string $tokenId): string;
     /**
      * Stores a CSRF token.
      */
-    public function setToken(string $tokenId, string $token);
+    public function setToken(string $tokenId, #[\SensitiveParameter] string $token);
 
     /**
      * Removes a CSRF token.

@@ -24,5 +24,5 @@ interface AccessTokenHandlerInterface
     /**
      * @throws AuthenticationException
      */
-    public function getUserIdentifierFrom(string $accessToken): string;
+    public function getUserIdentifierFrom(#[\SensitiveParameter] string $accessToken): string;
 }
@@ -33,7 +33,7 @@ class CsrfTokenBadge implements BadgeInterface
      *                                 Using a different string for each authenticator improves its security.
      * @param string|null $csrfToken   The CSRF token presented in the request, if any
      */
-    public function __construct(string $csrfTokenId, ?string $csrfToken)
+    public function __construct(string $csrfTokenId, #[\SensitiveParameter] ?string $csrfToken)
     {
         $this->csrfTokenId = $csrfTokenId;
         $this->csrfToken = $csrfToken;

@@ -32,7 +32,7 @@ class PasswordUpgradeBadge implements BadgeInterface
      * @param string                         $plaintextPassword The presented password, used in the rehash
      * @param PasswordUpgraderInterface|null $passwordUpgrader  The password upgrader, defaults to the UserProvider if null
      */
-    public function __construct(string $plaintextPassword, PasswordUpgraderInterface $passwordUpgrader = null)
+    public function __construct(#[\SensitiveParameter] string $plaintextPassword, PasswordUpgraderInterface $passwordUpgrader = null)
     {
         $this->plaintextPassword = $plaintextPassword;
         $this->passwordUpgrader = $passwordUpgrader;