From ca101b2dbef60bd9a56d5832fdee29e147e80519 Mon Sep 17 00:00:00 2001
From: Lucas Azevedo
Date: Thu, 24 Aug 2023 11:19:50 -0300
Subject: Filter out sensitive fields in user:auth-tokens

PublicKeyToken::jsonSerialize() already explicitly lists allowed fields, we are adding a second guard here to be on the safe side.

Signed-off-by: Lucas Azevedo
---
 core/Command/User/AuthTokens.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'core/Command')

diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens.php
index 0555cdfeab3..43fa687781e 100644
--- a/core/Command/User/AuthTokens.php
+++ b/core/Command/User/AuthTokens.php
@@ -61,7 +61,16 @@ class AuthTokens extends Base {
 $tokens = $this->tokenProvider->getTokenByUser($user->getUID());
- $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens);
+ $data = array_map(function (IToken $token): mixed {
+ $filtered = [
+ 'password',
+ 'password_hash',
+ 'token',
+ 'public_key',
+ 'private_key',
+ ];
+ return array_diff_key($token->jsonSerialize(), array_flip($filtered));
+ }, $tokens);
 $this->writeArrayInOutputFormat($input, $output, $data);
-- 
cgit v1.2.3
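Review bot: The closure still declares `mixed` as its return type although it now always returns the array produced by array_diff_key(); declaring `array` instead lets static analysis flag an IToken implementation whose jsonSerialize() returns something other than an array, which array_diff_key() would otherwise reject with a TypeError at runtime. The denylist is also rebuilt and flipped once per token inside the closure, so hoisting the flipped array out of array_map() (or making the field list a `private const` on the class) avoids the repeated work and gives the list a name. Since the strip is a second line of defence behind an allowlist, a short comment such as `// Second guard: PublicKeyToken::jsonSerialize() already allowlists fields; strip known secret keys anyway.` would tell the next maintainer why a denylist sits here and that it must be kept in sync when new secret-bearing fields are added. The enclosing method continues outside the hunk.
```php
// Second guard: PublicKeyToken::jsonSerialize() already allowlists fields; strip known secret keys anyway.
$sensitiveFields = array_flip(['password', 'password_hash', 'token', 'public_key', 'private_key']);
$data = array_map(
    static fn (IToken $token): array => array_diff_key($token->jsonSerialize(), $sensitiveFields),
    $tokens,
);
// … unchanged: writeArrayInOutputFormat call …
```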