Add SensitiveParameter attribute to a lot more sensitive params in Auth

src/Illuminate/Auth/DatabaseUserProvider.php

@@ -8,6 +8,7 @@
 use Illuminate\Contracts\Hashing\Hasher as HasherContract;
 use Illuminate\Contracts\Support\Arrayable;
 use Illuminate\Database\ConnectionInterface;
+use SensitiveParameter;
 
 class DatabaseUserProvider implements UserProvider
 {
@@ -67,7 +68,7 @@ public function retrieveById($identifier)
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token)
+    public function retrieveByToken($identifier, #[SensitiveParameter] $token)
     {
         $user = $this->getGenericUser(
             $this->connection->table($this->table)->find($identifier)
@@ -84,7 +85,7 @@ public function retrieveByToken($identifier, $token)
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(UserContract $user, $token)
+    public function updateRememberToken(UserContract $user, #[SensitiveParameter] $token)
     {
         $this->connection->table($this->table)
                 ->where($user->getAuthIdentifierName(), $user->getAuthIdentifier())
@@ -97,7 +98,7 @@ public function updateRememberToken(UserContract $user, $token)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials)
+    public function retrieveByCredentials(#[SensitiveParameter] array $credentials)
     {
         $credentials = array_filter(
             $credentials,
@@ -152,7 +153,7 @@ protected function getGenericUser($user)
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(UserContract $user, array $credentials)
+    public function validateCredentials(UserContract $user, #[SensitiveParameter] array $credentials)
     {
         return $this->hasher->check(
             $credentials['password'], $user->getAuthPassword()
@@ -167,7 +168,7 @@ public function validateCredentials(UserContract $user, array $credentials)
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false)
+    public function rehashPasswordIfRequired(UserContract $user, #[SensitiveParameter] array $credentials, bool $force = false)
     {
         if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) {
             return;

src/Illuminate/Auth/EloquentUserProvider.php

@@ -7,6 +7,7 @@
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Contracts\Hashing\Hasher as HasherContract;
 use Illuminate\Contracts\Support\Arrayable;
+use SensitiveParameter;
 
 class EloquentUserProvider implements UserProvider
 {
@@ -66,7 +67,7 @@ public function retrieveById($identifier)
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token)
+    public function retrieveByToken($identifier, #[SensitiveParameter] $token)
     {
         $model = $this->createModel();
 
@@ -90,7 +91,7 @@ public function retrieveByToken($identifier, $token)
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(UserContract $user, $token)
+    public function updateRememberToken(UserContract $user, #[SensitiveParameter] $token)
     {
         $user->setRememberToken($token);
 
@@ -109,7 +110,7 @@ public function updateRememberToken(UserContract $user, $token)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials)
+    public function retrieveByCredentials(#[SensitiveParameter] array $credentials)
     {
         $credentials = array_filter(
             $credentials,
@@ -146,7 +147,7 @@ public function retrieveByCredentials(array $credentials)
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(UserContract $user, array $credentials)
+    public function validateCredentials(UserContract $user, #[SensitiveParameter] array $credentials)
     {
         if (is_null($plain = $credentials['password'])) {
             return false;
@@ -163,7 +164,7 @@ public function validateCredentials(UserContract $user, array $credentials)
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false)
+    public function rehashPasswordIfRequired(UserContract $user, #[SensitiveParameter] array $credentials, bool $force = false)
     {
         if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) {
             return;

src/Illuminate/Auth/Events/Attempting.php

@@ -2,6 +2,8 @@
 
 namespace Illuminate\Auth\Events;
 
+use SensitiveParameter;
+
 class Attempting
 {
     /**
@@ -33,7 +35,7 @@ class Attempting
      * @param  bool  $remember
      * @return void
      */
-    public function __construct($guard, $credentials, $remember)
+    public function __construct($guard, #[SensitiveParameter] $credentials, $remember)
     {
         $this->guard = $guard;
         $this->remember = $remember;

src/Illuminate/Auth/Events/Failed.php

@@ -2,6 +2,8 @@
 
 namespace Illuminate\Auth\Events;
 
+use SensitiveParameter;
+
 class Failed
 {
     /**
@@ -33,7 +35,7 @@ class Failed
      * @param  array  $credentials
      * @return void
      */
-    public function __construct($guard, $user, $credentials)
+    public function __construct($guard, $user, #[SensitiveParameter] $credentials)
     {
         $this->user = $user;
         $this->guard = $guard;

src/Illuminate/Auth/Notifications/ResetPassword.php

@@ -5,6 +5,7 @@
 use Illuminate\Notifications\Messages\MailMessage;
 use Illuminate\Notifications\Notification;
 use Illuminate\Support\Facades\Lang;
+use SensitiveParameter;
 
 class ResetPassword extends Notification
 {
@@ -35,7 +36,7 @@ class ResetPassword extends Notification
      * @param  string  $token
      * @return void
      */
-    public function __construct($token)
+    public function __construct(#[SensitiveParameter] $token)
     {
         $this->token = $token;
     }

src/Illuminate/Auth/Passwords/CanResetPassword.php

@@ -3,6 +3,7 @@
 namespace Illuminate\Auth\Passwords;
 
 use Illuminate\Auth\Notifications\ResetPassword as ResetPasswordNotification;
+use SensitiveParameter;
 
 trait CanResetPassword
 {
@@ -22,7 +23,7 @@ public function getEmailForPasswordReset()
      * @param  string  $token
      * @return void
      */
-    public function sendPasswordResetNotification($token)
+    public function sendPasswordResetNotification(#[SensitiveParameter] $token)
     {
         $this->notify(new ResetPasswordNotification($token));
     }

src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php

@@ -7,6 +7,7 @@
 use Illuminate\Database\ConnectionInterface;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Str;
+use SensitiveParameter;
 
 class DatabaseTokenRepository implements TokenRepositoryInterface
 {
@@ -115,7 +116,7 @@ protected function deleteExisting(CanResetPasswordContract $user)
      * @param  string  $token
      * @return array
      */
-    protected function getPayload($email, $token)
+    protected function getPayload($email, #[SensitiveParameter] $token)
     {
         return ['email' => $email, 'token' => $this->hasher->make($token), 'created_at' => new Carbon];
     }
@@ -127,7 +128,7 @@ protected function getPayload($email, $token)
      * @param  string  $token
      * @return bool
      */
-    public function exists(CanResetPasswordContract $user, $token)
+    public function exists(CanResetPasswordContract $user, #[SensitiveParameter] $token)
     {
         $record = (array) $this->getTable()->where(
             'email', $user->getEmailForPasswordReset()

src/Illuminate/Auth/Passwords/PasswordBroker.php

@@ -7,6 +7,7 @@
 use Illuminate\Contracts\Auth\PasswordBroker as PasswordBrokerContract;
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Support\Arr;
+use SensitiveParameter;
 use UnexpectedValueException;
 
 class PasswordBroker implements PasswordBrokerContract
@@ -32,7 +33,7 @@ class PasswordBroker implements PasswordBrokerContract
      * @param  \Illuminate\Contracts\Auth\UserProvider  $users
      * @return void
      */
-    public function __construct(TokenRepositoryInterface $tokens, UserProvider $users)
+    public function __construct(#[SensitiveParameter] TokenRepositoryInterface $tokens, UserProvider $users)
     {
         $this->users = $users;
         $this->tokens = $tokens;
@@ -45,7 +46,7 @@ public function __construct(TokenRepositoryInterface $tokens, UserProvider $user
      * @param  \Closure|null  $callback
      * @return string
      */
-    public function sendResetLink(array $credentials, ?Closure $callback = null)
+    public function sendResetLink(#[SensitiveParameter] array $credentials, ?Closure $callback = null)
     {
         // First we will check to see if we found a user at the given credentials and
         // if we did not we will redirect back to this current URI with a piece of
@@ -81,7 +82,7 @@ public function sendResetLink(array $credentials, ?Closure $callback = null)
      * @param  \Closure  $callback
      * @return mixed
      */
-    public function reset(array $credentials, Closure $callback)
+    public function reset(#[SensitiveParameter] array $credentials, Closure $callback)
     {
         $user = $this->validateReset($credentials);
 
@@ -110,7 +111,7 @@ public function reset(array $credentials, Closure $callback)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\CanResetPassword|string
      */
-    protected function validateReset(array $credentials)
+    protected function validateReset(#[SensitiveParameter] array $credentials)
     {
         if (is_null($user = $this->getUser($credentials))) {
             return static::INVALID_USER;
@@ -131,7 +132,7 @@ protected function validateReset(array $credentials)
      *
      * @throws \UnexpectedValueException
      */
-    public function getUser(array $credentials)
+    public function getUser(#[SensitiveParameter] array $credentials)
     {
         $credentials = Arr::except($credentials, ['token']);
 
@@ -173,7 +174,7 @@ public function deleteToken(CanResetPasswordContract $user)
      * @param  string  $token
      * @return bool
      */
-    public function tokenExists(CanResetPasswordContract $user, $token)
+    public function tokenExists(CanResetPasswordContract $user, #[SensitiveParameter] $token)
     {
         return $this->tokens->exists($user, $token);
     }

src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

@@ -3,6 +3,7 @@
 namespace Illuminate\Auth\Passwords;
 
 use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
+use SensitiveParameter;
 
 interface TokenRepositoryInterface
 {
@@ -21,7 +22,7 @@ public function create(CanResetPasswordContract $user);
      * @param  string  $token
      * @return bool
      */
-    public function exists(CanResetPasswordContract $user, $token);
+    public function exists(CanResetPasswordContract $user, #[SensitiveParameter] $token);
 
     /**
      * Determine if the given user recently created a password reset token.

src/Illuminate/Auth/RequestGuard.php

@@ -6,6 +6,7 @@
 use Illuminate\Contracts\Auth\UserProvider;
 use Illuminate\Http\Request;
 use Illuminate\Support\Traits\Macroable;
+use SensitiveParameter;
 
 class RequestGuard implements Guard
 {
@@ -65,7 +66,7 @@ public function user()
      * @param  array  $credentials
      * @return bool
      */
-    public function validate(array $credentials = [])
+    public function validate(#[SensitiveParameter] array $credentials = [])
     {
         return ! is_null((new static(
             $this->callback, $credentials['request'], $this->getProvider()

src/Illuminate/Auth/SessionGuard.php

@@ -24,6 +24,7 @@
 use Illuminate\Support\Traits\Macroable;
 use InvalidArgumentException;
 use RuntimeException;
+use SensitiveParameter;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
 
@@ -488,7 +489,7 @@ protected function shouldLogin($callbacks, AuthenticatableContract $user)
      * @param  array  $credentials
      * @return void
      */
-    protected function rehashPasswordIfRequired(AuthenticatableContract $user, array $credentials)
+    protected function rehashPasswordIfRequired(AuthenticatableContract $user, #[SensitiveParameter] array $credentials)
     {
         if ($this->rehashOnLogin) {
             $this->provider->rehashPasswordIfRequired($user, $credentials);

src/Illuminate/Contracts/Auth/UserProvider.php

@@ -2,6 +2,8 @@
 
 namespace Illuminate\Contracts\Auth;
 
+use SensitiveParameter;
+
 interface UserProvider
 {
     /**
@@ -19,7 +21,7 @@ public function retrieveById($identifier);
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token);
+    public function retrieveByToken($identifier, #[SensitiveParameter] $token);
 
     /**
      * Update the "remember me" token for the given user in storage.
@@ -28,15 +30,15 @@ public function retrieveByToken($identifier, $token);
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(Authenticatable $user, $token);
+    public function updateRememberToken(Authenticatable $user, #[SensitiveParameter] $token);
 
     /**
      * Retrieve a user by the given credentials.
      *
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials);
+    public function retrieveByCredentials(#[SensitiveParameter] array $credentials);
 
     /**
      * Validate a user against the given credentials.
@@ -45,7 +47,7 @@ public function retrieveByCredentials(array $credentials);
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(Authenticatable $user, array $credentials);
+    public function validateCredentials(Authenticatable $user, #[SensitiveParameter] array $credentials);
 
     /**
      * Rehash the user's password if required and supported.
@@ -55,5 +57,5 @@ public function validateCredentials(Authenticatable $user, array $credentials);
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(Authenticatable $user, array $credentials, bool $force = false);
+    public function rehashPasswordIfRequired(Authenticatable $user, #[SensitiveParameter] array $credentials, bool $force = false);
 }

src/Illuminate/Encryption/Encrypter.php

@@ -218,7 +218,7 @@ public function decryptString($payload)
      * @param  string  $key
      * @return string
      */
-    protected function hash($iv, #[SensitiveParameter] $value, $key)
+    protected function hash(#[SensitiveParameter] $iv, #[SensitiveParameter] $value, #[SensitiveParameter] $key)
     {
         return hash_hmac('sha256', $iv.$value, $key);
     }