Fixed SensitiveParameter attribute on passwords

Author: brenno-duarte

.gitattributes

@@ -0,0 +1,3 @@
+/tests export-ignore
+CHANGELOG.md export-ignore
+phpunit.xml export-ignore

.gitignore

@@ -1,5 +1,6 @@
 vendor/
 composer.lock
 index.php
+test.php
 .phpunit.result.cache
 .phpunit.cache

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Released Notes
 
+## v3.1.2 - (2024-03-11)
+
+### Fixed
+
+- Fixed `SensitiveParameter` attribute on passwords
+
+-----------------------------------------------------------
+
 ## v3.1.1 - (2024-02-18)
 
 ### Fixed

src/PepperTrait.php

@@ -47,7 +47,7 @@ public function getPepper(): string
                 $encryption = new Encryption(new OpenSslEncryption($this->pepper));
                 $this->pepper = $encryption->decrypt($this->pepper);
             }
-    
+
             if ($this->crypt_type == 'sodium') {
                 $encryption = new Encryption(new SodiumEncryption($this->pepper));
                 $this->pepper = $encryption->decrypt($this->pepper);
@@ -82,7 +82,7 @@ private function useSodium(): mixed
      * 
      * @return string
      */
-    private function passwordPeppered(string $password): string
+    private function passwordPeppered(#[\SensitiveParameter] string $password): string
     {
         return hash_hmac("sha256", $password, $this->getPepper());
     }

src/SecurePassword.php

@@ -50,7 +50,7 @@ public function __construct(
      * 
      * @return SecurePassword
      */
-    public function createHash(string $password): SecurePassword
+    public function createHash(#[\SensitiveParameter] string $password): SecurePassword
     {
         $this->password = $password;
         $pwd_peppered = $this->passwordPeppered($this->password);
@@ -90,8 +90,11 @@ public function getHashInfo(): mixed
      * 
      * @return bool
      */
-    public function verifyHash(?string $password = null, ?string $hash = null, int $wait_microseconds = 250000): bool
-    {
+    public function verifyHash(
+        #[\SensitiveParameter] ?string $password = null,
+        #[\SensitiveParameter] ?string $hash = null,
+        int $wait_microseconds = 250000
+    ): bool {
         if (is_null($password)) {
             $password = $this->password;
         }
@@ -121,10 +124,8 @@ public function verifyHash(?string $password = null, ?string $hash = null, int $
      * 
      * @return int
      */
-    public static function getOptimalBcryptCost(
-        string $password,
-        int $min_ms = 250
-    ): int {
+    public static function getOptimalBcryptCost(#[\SensitiveParameter] string $password, int $min_ms = 250): int
+    {
         for ($i = 4; $i < 31; $i++) {
             $time_start = microtime(true);
             password_hash($password, PASSWORD_BCRYPT, ['cost' => $i]);
@@ -145,8 +146,10 @@ public static function getOptimalBcryptCost(
      * 
      * @return string|false
      */
-    public function needsRehash(string $password, string $hash): string|false
-    {
+    public function needsRehash(
+        #[\SensitiveParameter] string $password,
+        #[\SensitiveParameter] string $hash
+    ): string|false {
         if (password_needs_rehash($hash, $this->algo)) {
             return $this->createHash($password)->getHash();
         }