fix: Use mask in audit logs

website/app/GeoKrety/Email/BasePHPMailer.php

@@ -4,6 +4,7 @@
 
 use GeoKrety\Model\User;
 use GeoKrety\Service\LanguageService;
+use GeoKrety\Service\Mask;
 use GeoKrety\Service\Metrics;
 use GeoKrety\Service\Smarty;
 use PHPMailer\PHPMailer\PHPMailer;
@@ -164,7 +165,7 @@ protected function setFromNotif() {
     public function jsonSerialize(): array {
         $to = [];
         foreach ($this->getToAddresses() as $address) {
-            $to[] = [mask_email($address[0]), $address[1]];
+            $to[] = [Mask::mask_email($address[0]), $address[1]];
         }
 
         return [
@@ -173,22 +174,3 @@ public function jsonSerialize(): array {
         ];
     }
 }
-
-// Function from: https://stackoverflow.com/a/45944844/944936
-function mask($str, $first, $last) {
-    $len = strlen($str);
-    $toShow = $first + $last;
-
-    return substr($str, 0, $len <= $toShow ? 0 : $first).str_repeat('*', $len - ($len <= $toShow ? 0 : $toShow)).substr($str, $len - $last, $len <= $toShow ? 0 : $last);
-}
-// Function from: https://stackoverflow.com/a/45944844/944936
-function mask_email($email) {
-    $mail_parts = explode('@', $email);
-    $domain_parts = explode('.', $mail_parts[1]);
-
-    $mail_parts[0] = mask($mail_parts[0], 2, 1); // show first 2 letters and last 1 letter
-    $domain_parts[0] = mask($domain_parts[0], 2, 1); // same here
-    $mail_parts[1] = implode('.', $domain_parts);
-
-    return implode('@', $mail_parts);
-}

website/app/GeoKrety/Service/Config.php

@@ -272,11 +272,6 @@ public function __construct() {
         define('GK_AUDIT_LOGS_EXCLUDE_PATH_BYPASS', !GK_IS_PRODUCTION && filter_var(getenv('GK_AUDIT_LOGS_EXCLUDE_PATH_BYPASS'), FILTER_VALIDATE_BOOLEAN));
         define('GK_AUDIT_LOGS_EXCLUDE_PATH', [
             '/auth',
-            '/login',
-            '/api-login2secid',
-            '/update-password',
-            '/recover-password/',
-            '/registration/',
         ]);
         define('GK_AUDIT_LOGS_EXCLUDE_RETENTION_DAYS', getenv('GK_AUDIT_LOGS_EXCLUDE_RETENTION_DAYS') ?: 90);
         define('GK_AUDIT_POST_EXCLUDE_RETENTION_DAYS', getenv('GK_AUDIT_POST_EXCLUDE_RETENTION_DAYS') ?: 90);

website/app/GeoKrety/Service/Mask.php

@@ -0,0 +1,25 @@
+<?php
+
+namespace GeoKrety\Service;
+
+class Mask {
+    // Function from: https://stackoverflow.com/a/45944844/944936
+    public static function mask($str, $first, $last) {
+        $len = strlen($str);
+        $toShow = $first + $last;
+
+        return substr($str, 0, $len <= $toShow ? 0 : $first).str_repeat('*', $len - ($len <= $toShow ? 0 : $toShow)).substr($str, $len - $last, $len <= $toShow ? 0 : $last);
+    }
+
+    // Function from: https://stackoverflow.com/a/45944844/944936
+    public static function mask_email($email) {
+        $mail_parts = explode('@', $email);
+        $domain_parts = explode('.', $mail_parts[1]);
+
+        $mail_parts[0] = self::mask($mail_parts[0], 2, 1); // show first 2 letters and last 1 letter
+        $domain_parts[0] = self::mask($domain_parts[0], 2, 1); // same here
+        $mail_parts[1] = implode('.', $domain_parts);
+
+        return implode('@', $mail_parts);
+    }
+}

website/app/shutdown.php

@@ -51,7 +51,32 @@ function shutdown_audit_post(Base $f3) {
         if ($has_route_match === 0 || GK_AUDIT_LOGS_EXCLUDE_PATH_BYPASS) {
             $audit = new \GeoKrety\Model\AuditPost();
             $audit->route = $f3->PATH;
-            $audit->payload = json_encode($f3->get('POST')); // As safety guard, replace any *password* but placeholder (what about other patterns?)
+            // As safety guard, replace any *password* but placeholder
+            $data = $f3->get('POST');
+
+            if (array_key_exists('password', $data)) {
+                $data['password'] = \GeoKrety\Service\Mask::mask($data['password'], 0, 0);
+            }
+            if (array_key_exists('password_confirm', $data)) {
+                $data['password_confirm'] = \GeoKrety\Service\Mask::mask($data['password_confirm'], 0, 0);
+            }
+            if (array_key_exists('password_old', $data)) {
+                $data['password_old'] = \GeoKrety\Service\Mask::mask($data['password_old'], 0, 0);
+            }
+            if (array_key_exists('password_new', $data)) {
+                $data['password_new'] = \GeoKrety\Service\Mask::mask($data['password_new'], 0, 0);
+            }
+            if (array_key_exists('password_new_confirm', $data)) {
+                $data['password_new_confirm'] = \GeoKrety\Service\Mask::mask($data['password_new_confirm'], 0, 0);
+            }
+            if (array_key_exists('secid', $data)) {
+                $data['secid'] = \GeoKrety\Service\Mask::mask($data['secid'], 3, 3);
+            }
+            if (array_key_exists('email', $data)) {
+                $data['email'] = \GeoKrety\Service\Mask::mask_email($data['email']);
+            }
+
+            $audit->payload = json_encode($data);
             try {
                 $audit->save();
                 $f3->set('AUDIT_POST_ID', $audit->id);