feat(php): masking (#1075)

| 🚥 Resolves [RM-8742](https://linear.app/readme-io/issue/RM-8742) | | :------------------- | ## 🧰 Changes Adds sensitive data masking to the PHP SDK The logic is the same as we will have in Python SDK (PR #955)
readmeio · Sep 23, 2024 · ec245cd · ec245cd
1 parent 0fe27da
commit ec245cd
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -54,12 +54,12 @@ test-metrics-node-hapi: ## Run Metrics tests against the Node SDK + hapi
 
 test-metrics-php-laravel: ## Run Metrics tests against the PHP SDK + Laravel
  docker compose up --build --detach integration_php_laravel
- SUPPORTS_MULTIPART=true npm run test:integration-metrics || make cleanup-failure
+ SUPPORTS_HASHING=true SUPPORTS_MULTIPART=true npm run test:integration-metrics || make cleanup-failure
  @make cleanup
 
 test-webhooks-php-laravel: ## Run webhooks tests against the PHP SDK + Laravel
  docker compose up --detach integration_php_laravel
- SUPPORTS_MULTIPART=true npm run test:integration-webhooks || make cleanup-failure
+ SUPPORTS_HASHING=true SUPPORTS_MULTIPART=true npm run test:integration-webhooks || make cleanup-failure
  @make cleanup
 
 ##

diff --git a/packages/php/src/HAR/MaskHelper.php b/packages/php/src/HAR/MaskHelper.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace ReadMe\HAR;
+
+class MaskHelper
+{
+ public static function mask(string $data): string
+ {
+ $hashBytes = hash('sha512', $data, true);
+ $base64Hash = base64_encode($hashBytes);
+ $opts = substr($data, -4);
+ return 'sha512-' . $base64Hash . '?' . $opts;
+ }
+}
diff --git a/packages/php/src/HAR/Payload.php b/packages/php/src/HAR/Payload.php
@@ -33,7 +33,7 @@ public function create(string $log_id, Request $request, Response $response): ar
  if ($api_key_exists) {
  // Swap the externally documented `api_key` field into backwards compatible and
  // internally used `id` field.
- $group['id'] = $group['api_key'];
+ $group['id'] = MaskHelper::mask($group['api_key']);
  unset($group['api_key']);
  }
 
@@ -334,10 +334,14 @@ protected static function convertHeaderBagToArray(HeaderBag $headers): array
  /** @psalm-suppress PossiblyNullIterator */
  foreach ($values as $value) {
  // If the header is empty, don't worry about it.
- if ($value === '') {
+ if ($value === '' || $value === null) {
  continue; // @codeCoverageIgnore
  }
 
+ if (strtolower($name) === 'authorization') {
+ $value = MaskHelper::mask($value);
+ }
+
  $output[] = [
  'name' => $name,
  'value' => $value

diff --git a/packages/php/tests/HAR/PayloadTest.php b/packages/php/tests/HAR/PayloadTest.php
@@ -125,7 +125,8 @@ public function testCreate(): void
  $this->assertSame('fake-uuid', $har['_id']);
 
  $this->assertEqualsCanonicalizing([
- 'id' => '123457890',
+ 'id' => 'sha512-UrMmjaetxGbu6QkwzYAH9h4c1dzTNIy3CV1lBuHSb0TNlTmrgUUzTRINiCPah7ObWnOiqVXUlVjQD14gblqlPA=='
+ . '?7890',
  'label' => 'username',
  'email' => '[email protected]'
  ], $har['group']);