Merge remote-tracking branch 'origin/v4-api-oauth' into v4-api-sequences

n7studios · n7studios · commit e3db3670b09c · 2024-03-21T09:39:00.000Z
# Conflicts:
#	src/ConvertKit_API.php
diff --git a/README.md b/README.md
@@ -39,7 +39,7 @@ If you use Composer, these dependencies should be handled automatically.
 
 ### 2.x (v4 API, OAuth, PHP 8.0+)
 
-Get your ConvertKit OAuth Client ID and Secret, and set it somewhere in your application.
+Please reach out to ConvertKit to set up an OAuth application for you. We'll provide you with your Client ID and Secret.
 
 ```php
 // Require the autoloader (if you're using a PHP framework, this may already be done for you).
diff --git a/src/ConvertKit_API.php b/src/ConvertKit_API.php
@@ -28,21 +28,21 @@ class ConvertKit_API
     /**
      * ConvertKit OAuth Application Client ID
      *
-     * @var boolean|string
+     * @var string
      */
-    protected $client_id = false;
+    protected $client_id = '';
 
     /**
      * ConvertKit OAuth Application Client Secret
      *
-     * @var boolean|string
+     * @var string
      */
-    protected $client_secret = false;
+    protected $client_secret = '';
 
     /**
      * Access Token
      *
-     * @var boolean|string
+     * @var string
      */
     protected $access_token = '';
 
@@ -174,8 +174,34 @@ private function create_log(string $message)
             return;
         }
 
+        // Mask the Client ID, Client Secret and Access Token.
+        $message = str_replace(
+            $this->client_id,
+            str_repeat('*', (strlen($this->client_id) - 4)) . substr($this->client_id, - 4),
+            $message
+        );
+        $message = str_replace(
+            $this->client_secret,
+            str_repeat('*', (strlen($this->client_secret) - 4)) . substr($this->client_secret, - 4),
+            $message
+        );
+        $message = str_replace(
+            $this->access_token,
+            str_repeat('*', (strlen($this->access_token) - 4)) . substr($this->access_token, - 4),
+            $message
+        );
+
+        // Mask email addresses that may be contained within the message.
+        $message = preg_replace_callback(
+            '^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})^',
+            function ($matches) {
+                return preg_replace('/\B[^@.]/', '*', $matches[0]);
+            },
+            $message
+        );
+
         // Add to log.
-        $this->debug_logger->info($message);
+        $this->debug_logger->info((string) $message);
     }
 
     /**
@@ -1536,7 +1562,7 @@ private function strip_html_head_body_tags(string $markup)
      * @return array<string, string|integer>
      */
     private function build_pagination_params(
-        array $params = [],
+        array $params,
         string $after_cursor = '',
         string $before_cursor = '',
         int $per_page = 100
diff --git a/tests/ConvertKitAPITest.php b/tests/ConvertKitAPITest.php
@@ -151,6 +151,65 @@ public function testDebugEnabledWithCustomLogFile()
         $this->assertStringContainsString('ck-debug.INFO: Finish request successfully', $this->getLogFileContents());
     }
 
+    /**
+     * Test that debug logging works when enabled and an API call is made, with email addresses and credentials
+     * masked in the log file.
+     *
+     * @since   2.0.0
+     *
+     * @return  void
+     */
+    public function testDebugCredentialsAndEmailsAreMasked()
+    {
+        // Setup API with debugging enabled.
+        $api = new ConvertKit_API(
+            clientID: $_ENV['CONVERTKIT_OAUTH_CLIENT_ID'],
+            clientSecret: $_ENV['CONVERTKIT_OAUTH_CLIENT_SECRET'],
+            accessToken: $_ENV['CONVERTKIT_OAUTH_ACCESS_TOKEN'],
+            debug: true
+        );
+
+        // Create log entries with Client ID, Client Secret, Access Token and Email Address, as if an API method
+        // were to log this sensitive data.
+        $this->callPrivateMethod($api, 'create_log', ['Client ID: ' . $_ENV['CONVERTKIT_OAUTH_CLIENT_ID']]);
+        $this->callPrivateMethod($api, 'create_log', ['Client Secret: ' . $_ENV['CONVERTKIT_OAUTH_CLIENT_SECRET']]);
+        $this->callPrivateMethod($api, 'create_log', ['Access Token: ' . $_ENV['CONVERTKIT_OAUTH_ACCESS_TOKEN']]);
+        $this->callPrivateMethod($api, 'create_log', ['Email: ' . $_ENV['CONVERTKIT_API_SUBSCRIBER_EMAIL']]);
+
+        // Confirm that the log includes the masked Client ID, Secret, Access Token and Email Address.
+        $this->assertStringContainsString(
+            str_repeat(
+                '*',
+                (strlen($_ENV['CONVERTKIT_OAUTH_CLIENT_ID']) - 4)
+            ) . substr($_ENV['CONVERTKIT_OAUTH_CLIENT_ID'], -4),
+            $this->getLogFileContents()
+        );
+        $this->assertStringContainsString(
+            str_repeat(
+                '*',
+                (strlen($_ENV['CONVERTKIT_OAUTH_CLIENT_SECRET']) - 4)
+            ) . substr($_ENV['CONVERTKIT_OAUTH_CLIENT_SECRET'], -4),
+            $this->getLogFileContents()
+        );
+        $this->assertStringContainsString(
+            str_repeat(
+                '*',
+                (strlen($_ENV['CONVERTKIT_OAUTH_ACCESS_TOKEN']) - 4)
+            ) . substr($_ENV['CONVERTKIT_OAUTH_ACCESS_TOKEN'], -4),
+            $this->getLogFileContents()
+        );
+        $this->assertStringContainsString(
+            'o****@n********.c**',
+            $this->getLogFileContents()
+        );
+
+        // Confirm that the log does not include the unmasked Client ID, Secret, Access Token or Email Address.
+        $this->assertStringNotContainsString($_ENV['CONVERTKIT_OAUTH_CLIENT_ID'], $this->getLogFileContents());
+        $this->assertStringNotContainsString($_ENV['CONVERTKIT_OAUTH_CLIENT_SECRET'], $this->getLogFileContents());
+        $this->assertStringNotContainsString($_ENV['CONVERTKIT_OAUTH_ACCESS_TOKEN'], $this->getLogFileContents());
+        $this->assertStringNotContainsString($_ENV['CONVERTKIT_API_SUBSCRIBER_EMAIL'], $this->getLogFileContents());
+    }
+
     /**
      * Test that debug logging is not performed when disabled and an API call is made.
      *
@@ -2598,6 +2657,23 @@ private function getLogFileContents()
         return file_get_contents($this->logFile);
     }
 
+    /**
+     * Helper method to call a class' private method.
+     *
+     * @since   2.0.0
+     *
+     * @param   mixed  $obj  Class Object.
+     * @param   string $name Method Name.
+     * @param   array  $args Method Arguments.
+     */
+    private function callPrivateMethod($obj, $name, array $args)
+    {
+        $class = new \ReflectionClass($obj);
+        $method = $class->getMethod($name);
+        $method->setAccessible(true);
+        return $method->invokeArgs($obj, $args);
+    }
+
     /**
      * Generates a unique email address for use in a test, comprising of a prefix,
      * date + time and PHP version number.
