[11.x] Mark sensitive params with SensitiveParameter attribute

src/Illuminate/Auth/DatabaseUserProvider.php

@@ -67,7 +67,7 @@ public function retrieveById($identifier)
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token)
+    public function retrieveByToken($identifier, #[\SensitiveParameter] $token)
     {
         $user = $this->getGenericUser(
             $this->connection->table($this->table)->find($identifier)
@@ -84,7 +84,7 @@ public function retrieveByToken($identifier, $token)
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(UserContract $user, $token)
+    public function updateRememberToken(UserContract $user, #[\SensitiveParameter] $token)
     {
         $this->connection->table($this->table)
                 ->where($user->getAuthIdentifierName(), $user->getAuthIdentifier())
@@ -97,7 +97,7 @@ public function updateRememberToken(UserContract $user, $token)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials)
+    public function retrieveByCredentials(#[\SensitiveParameter] array $credentials)
     {
         $credentials = array_filter(
             $credentials,
@@ -152,7 +152,7 @@ protected function getGenericUser($user)
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(UserContract $user, array $credentials)
+    public function validateCredentials(UserContract $user, #[\SensitiveParameter] array $credentials)
     {
         return $this->hasher->check(
             $credentials['password'], $user->getAuthPassword()
@@ -167,7 +167,7 @@ public function validateCredentials(UserContract $user, array $credentials)
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false)
+    public function rehashPasswordIfRequired(UserContract $user, #[\SensitiveParameter] array $credentials, bool $force = false)
     {
         if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) {
             return;

src/Illuminate/Auth/EloquentUserProvider.php

@@ -66,7 +66,7 @@ public function retrieveById($identifier)
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token)
+    public function retrieveByToken($identifier, #[\SensitiveParameter] $token)
     {
         $model = $this->createModel();
 
@@ -90,7 +90,7 @@ public function retrieveByToken($identifier, $token)
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(UserContract $user, $token)
+    public function updateRememberToken(UserContract $user, #[\SensitiveParameter] $token)
     {
         $user->setRememberToken($token);
 
@@ -109,7 +109,7 @@ public function updateRememberToken(UserContract $user, $token)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials)
+    public function retrieveByCredentials(#[\SensitiveParameter] array $credentials)
     {
         $credentials = array_filter(
             $credentials,
@@ -146,7 +146,7 @@ public function retrieveByCredentials(array $credentials)
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(UserContract $user, array $credentials)
+    public function validateCredentials(UserContract $user, #[\SensitiveParameter] array $credentials)
     {
         if (is_null($plain = $credentials['password'])) {
             return false;
@@ -163,7 +163,7 @@ public function validateCredentials(UserContract $user, array $credentials)
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false)
+    public function rehashPasswordIfRequired(UserContract $user, #[\SensitiveParameter] array $credentials, bool $force = false)
     {
         if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) {
             return;

src/Illuminate/Auth/Events/Attempting.php

@@ -33,7 +33,7 @@ class Attempting
      * @param  bool  $remember
      * @return void
      */
-    public function __construct($guard, $credentials, $remember)
+    public function __construct($guard, #[\SensitiveParameter] $credentials, $remember)
     {
         $this->guard = $guard;
         $this->remember = $remember;

src/Illuminate/Auth/Events/Failed.php

@@ -33,7 +33,7 @@ class Failed
      * @param  array  $credentials
      * @return void
      */
-    public function __construct($guard, $user, $credentials)
+    public function __construct($guard, $user, #[\SensitiveParameter] $credentials)
     {
         $this->user = $user;
         $this->guard = $guard;

src/Illuminate/Auth/Notifications/ResetPassword.php

@@ -35,7 +35,7 @@ class ResetPassword extends Notification
      * @param  string  $token
      * @return void
      */
-    public function __construct($token)
+    public function __construct(#[\SensitiveParameter] $token)
     {
         $this->token = $token;
     }

src/Illuminate/Auth/Passwords/CanResetPassword.php

@@ -22,7 +22,7 @@ public function getEmailForPasswordReset()
      * @param  string  $token
      * @return void
      */
-    public function sendPasswordResetNotification($token)
+    public function sendPasswordResetNotification(#[\SensitiveParameter] $token)
     {
         $this->notify(new ResetPasswordNotification($token));
     }

src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php

@@ -115,7 +115,7 @@ protected function deleteExisting(CanResetPasswordContract $user)
      * @param  string  $token
      * @return array
      */
-    protected function getPayload($email, $token)
+    protected function getPayload($email, #[\SensitiveParameter] $token)
     {
         return ['email' => $email, 'token' => $this->hasher->make($token), 'created_at' => new Carbon];
     }
@@ -127,7 +127,7 @@ protected function getPayload($email, $token)
      * @param  string  $token
      * @return bool
      */
-    public function exists(CanResetPasswordContract $user, $token)
+    public function exists(CanResetPasswordContract $user, #[\SensitiveParameter] $token)
     {
         $record = (array) $this->getTable()->where(
             'email', $user->getEmailForPasswordReset()

src/Illuminate/Auth/Passwords/PasswordBroker.php

@@ -42,7 +42,7 @@ class PasswordBroker implements PasswordBrokerContract
      * @param  \Illuminate\Contracts\Events\Dispatcher  $users
      * @return void
      */
-    public function __construct(TokenRepositoryInterface $tokens, UserProvider $users, ?Dispatcher $dispatcher = null)
+    public function __construct(#[\SensitiveParameter] TokenRepositoryInterface $tokens, UserProvider $users, ?Dispatcher $dispatcher = null)
     {
         $this->users = $users;
         $this->tokens = $tokens;
@@ -56,7 +56,7 @@ public function __construct(TokenRepositoryInterface $tokens, UserProvider $user
      * @param  \Closure|null  $callback
      * @return string
      */
-    public function sendResetLink(array $credentials, ?Closure $callback = null)
+    public function sendResetLink(#[\SensitiveParameter] array $credentials, ?Closure $callback = null)
     {
         // First we will check to see if we found a user at the given credentials and
         // if we did not we will redirect back to this current URI with a piece of
@@ -96,7 +96,7 @@ public function sendResetLink(array $credentials, ?Closure $callback = null)
      * @param  \Closure  $callback
      * @return mixed
      */
-    public function reset(array $credentials, Closure $callback)
+    public function reset(#[\SensitiveParameter] array $credentials, Closure $callback)
     {
         $user = $this->validateReset($credentials);
 
@@ -125,7 +125,7 @@ public function reset(array $credentials, Closure $callback)
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\CanResetPassword|string
      */
-    protected function validateReset(array $credentials)
+    protected function validateReset(#[\SensitiveParameter] array $credentials)
     {
         if (is_null($user = $this->getUser($credentials))) {
             return static::INVALID_USER;
@@ -146,7 +146,7 @@ protected function validateReset(array $credentials)
      *
      * @throws \UnexpectedValueException
      */
-    public function getUser(array $credentials)
+    public function getUser(#[\SensitiveParameter] array $credentials)
     {
         $credentials = Arr::except($credentials, ['token']);
 
@@ -188,7 +188,7 @@ public function deleteToken(CanResetPasswordContract $user)
      * @param  string  $token
      * @return bool
      */
-    public function tokenExists(CanResetPasswordContract $user, $token)
+    public function tokenExists(CanResetPasswordContract $user, #[\SensitiveParameter] $token)
     {
         return $this->tokens->exists($user, $token);
     }

src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

@@ -21,7 +21,7 @@ public function create(CanResetPasswordContract $user);
      * @param  string  $token
      * @return bool
      */
-    public function exists(CanResetPasswordContract $user, $token);
+    public function exists(CanResetPasswordContract $user, #[\SensitiveParameter] $token);
 
     /**
      * Determine if the given user recently created a password reset token.

src/Illuminate/Auth/RequestGuard.php

@@ -65,7 +65,7 @@ public function user()
      * @param  array  $credentials
      * @return bool
      */
-    public function validate(array $credentials = [])
+    public function validate(#[\SensitiveParameter] array $credentials = [])
     {
         return ! is_null((new static(
             $this->callback, $credentials['request'], $this->getProvider()

src/Illuminate/Auth/SessionGuard.php

@@ -488,7 +488,7 @@ protected function shouldLogin($callbacks, AuthenticatableContract $user)
      * @param  array  $credentials
      * @return void
      */
-    protected function rehashPasswordIfRequired(AuthenticatableContract $user, array $credentials)
+    protected function rehashPasswordIfRequired(AuthenticatableContract $user, #[\SensitiveParameter] array $credentials)
     {
         if ($this->rehashOnLogin) {
             $this->provider->rehashPasswordIfRequired($user, $credentials);

src/Illuminate/Contracts/Auth/UserProvider.php

@@ -19,7 +19,7 @@ public function retrieveById($identifier);
      * @param  string  $token
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByToken($identifier, $token);
+    public function retrieveByToken($identifier, #[\SensitiveParameter] $token);
 
     /**
      * Update the "remember me" token for the given user in storage.
@@ -28,15 +28,15 @@ public function retrieveByToken($identifier, $token);
      * @param  string  $token
      * @return void
      */
-    public function updateRememberToken(Authenticatable $user, $token);
+    public function updateRememberToken(Authenticatable $user, #[\SensitiveParameter] $token);
 
     /**
      * Retrieve a user by the given credentials.
      *
      * @param  array  $credentials
      * @return \Illuminate\Contracts\Auth\Authenticatable|null
      */
-    public function retrieveByCredentials(array $credentials);
+    public function retrieveByCredentials(#[\SensitiveParameter] array $credentials);
 
     /**
      * Validate a user against the given credentials.
@@ -45,7 +45,7 @@ public function retrieveByCredentials(array $credentials);
      * @param  array  $credentials
      * @return bool
      */
-    public function validateCredentials(Authenticatable $user, array $credentials);
+    public function validateCredentials(Authenticatable $user, #[\SensitiveParameter] array $credentials);
 
     /**
      * Rehash the user's password if required and supported.
@@ -55,5 +55,5 @@ public function validateCredentials(Authenticatable $user, array $credentials);
      * @param  bool  $force
      * @return void
      */
-    public function rehashPasswordIfRequired(Authenticatable $user, array $credentials, bool $force = false);
+    public function rehashPasswordIfRequired(Authenticatable $user, #[\SensitiveParameter] array $credentials, bool $force = false);
 }

src/Illuminate/Contracts/Encryption/Encrypter.php

@@ -13,7 +13,7 @@ interface Encrypter
      *
      * @throws \Illuminate\Contracts\Encryption\EncryptException
      */
-    public function encrypt($value, $serialize = true);
+    public function encrypt(#[\SensitiveParameter] $value, $serialize = true);
 
     /**
      * Decrypt the given value.

src/Illuminate/Contracts/Encryption/StringEncrypter.php

@@ -12,7 +12,7 @@ interface StringEncrypter
      *
      * @throws \Illuminate\Contracts\Encryption\EncryptException
      */
-    public function encryptString($value);
+    public function encryptString(#[\SensitiveParameter] $value);
 
     /**
      * Decrypt the given string without unserialization.

src/Illuminate/Contracts/Hashing/Hasher.php

@@ -19,7 +19,7 @@ public function info($hashedValue);
      * @param  array  $options
      * @return string
      */
-    public function make($value, array $options = []);
+    public function make(#[\SensitiveParameter] $value, array $options = []);
 
     /**
      * Check the given plain value against a hash.
@@ -29,7 +29,7 @@ public function make($value, array $options = []);
      * @param  array  $options
      * @return bool
      */
-    public function check($value, $hashedValue, array $options = []);
+    public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = []);
 
     /**
      * Check if the given hash has been hashed using the given options.

src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php

@@ -1353,7 +1353,7 @@ public function fromEncryptedString($value)
      * @param  mixed  $value
      * @return string
      */
-    protected function castAttributeAsEncryptedString($key, $value)
+    protected function castAttributeAsEncryptedString($key, #[\SensitiveParameter] $value)
     {
         return static::currentEncrypter()->encrypt($value, false);
     }
@@ -1386,7 +1386,7 @@ protected static function currentEncrypter()
      * @param  mixed  $value
      * @return string
      */
-    protected function castAttributeAsHashedString($key, $value)
+    protected function castAttributeAsHashedString($key, #[\SensitiveParameter] $value)
     {
         if ($value === null) {
             return null;

src/Illuminate/Encryption/Encrypter.php

@@ -102,7 +102,7 @@ public static function generateKey($cipher)
      *
      * @throws \Illuminate\Contracts\Encryption\EncryptException
      */
-    public function encrypt($value, $serialize = true)
+    public function encrypt(#[\SensitiveParameter] $value, $serialize = true)
     {
         $iv = random_bytes(openssl_cipher_iv_length(strtolower($this->cipher)));
 
@@ -139,7 +139,7 @@ public function encrypt($value, $serialize = true)
      *
      * @throws \Illuminate\Contracts\Encryption\EncryptException
      */
-    public function encryptString($value)
+    public function encryptString(#[\SensitiveParameter] $value)
     {
         return $this->encrypt($value, false);
     }
@@ -217,7 +217,7 @@ public function decryptString($payload)
      * @param  string  $key
      * @return string
      */
-    protected function hash($iv, $value, $key)
+    protected function hash(#[\SensitiveParameter] $iv, #[\SensitiveParameter] $value, #[\SensitiveParameter] $key)
     {
         return hash_hmac('sha256', $iv.$value, $key);
     }
@@ -291,7 +291,7 @@ protected function validMac(array $payload)
      * @param  string  $key
      * @return bool
      */
-    protected function validMacForKey($payload, $key)
+    protected function validMacForKey(#[\SensitiveParameter] $payload, $key)
     {
         return hash_equals(
             $this->hash($payload['iv'], $payload['value'], $key), $payload['mac']

src/Illuminate/Hashing/AbstractHasher.php

@@ -23,7 +23,7 @@ public function info($hashedValue)
      * @param  array  $options
      * @return bool
      */
-    public function check($value, $hashedValue, array $options = [])
+    public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
         if (is_null($hashedValue) || strlen($hashedValue) === 0) {
             return false;

src/Illuminate/Hashing/Argon2IdHasher.php

@@ -16,7 +16,7 @@ class Argon2IdHasher extends ArgonHasher
      *
      * @throws \RuntimeException
      */
-    public function check($value, $hashedValue, array $options = [])
+    public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
         if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
             throw new RuntimeException('This password does not use the Argon2id algorithm.');

src/Illuminate/Hashing/ArgonHasher.php

@@ -58,7 +58,7 @@ public function __construct(array $options = [])
      *
      * @throws \RuntimeException
      */
-    public function make($value, array $options = [])
+    public function make(#[\SensitiveParameter] $value, array $options = [])
     {
         $hash = @password_hash($value, $this->algorithm(), [
             'memory_cost' => $this->memory($options),
@@ -93,7 +93,7 @@ protected function algorithm()
      *
      * @throws \RuntimeException
      */
-    public function check($value, $hashedValue, array $options = [])
+    public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
         if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
             throw new RuntimeException('This password does not use the Argon2i algorithm.');