PublicKeyToken::jsonSerialize() already explicitly lists allowed fields,
we are adding a second guard here to be on the safe side.
Signed-off-by: Lucas Azevedo <lhs_azevedo@hotmail.com>
$tokens = $this->tokenProvider->getTokenByUser($user->getUID());
- $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens);
+ $data = array_map(function (IToken $token): mixed {
+ $filtered = [
+ 'password',
+ 'password_hash',
+ 'token',
+ 'public_key',
+ 'private_key',
+ ];
+ return array_diff_key($token->jsonSerialize(), array_flip($filtered));
+ }, $tokens);
$this->writeArrayInOutputFormat($input, $output, $data);