Filter out sensitive fields in user:auth-tokens
authorLucas Azevedo <lhs_azevedo@hotmail.com>
Thu, 24 Aug 2023 14:19:50 +0000 (11:19 -0300)
committerLucas Azevedo <lhs_azevedo@hotmail.com>
Thu, 24 Aug 2023 14:20:35 +0000 (11:20 -0300)
PublicKeyToken::jsonSerialize() already explicitly lists the allowed fields;
we are adding a second guard here to be on the safe side.

Signed-off-by: Lucas Azevedo <lhs_azevedo@hotmail.com>
core/Command/User/AuthTokens.php

index 0555cdfeab3fb72012de9243d8c551ab33e46924..43fa687781e8f6310de3350aef877bcb59ebf568 100644 (file)
@@ -61,7 +61,16 @@ class AuthTokens extends Base {
 
                $tokens = $this->tokenProvider->getTokenByUser($user->getUID());
 
-               $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens);
+               $data = array_map(function (IToken $token): mixed {
+                       $filtered = [
+                               'password',
+                               'password_hash',
+                               'token',
+                               'public_key',
+                               'private_key',
+                       ];
+                       return array_diff_key($token->jsonSerialize(), array_flip($filtered));
+               }, $tokens);
 
                $this->writeArrayInOutputFormat($input, $output, $data);