feat(php): masking (#1075)

AndriiAndreiev · web-flow · commit ec245cd5b8e9 · 2024-09-23T08:30:08.000-07:00
| 🚥 Resolves [RM-8742](https://linear.app/readme-io/issue/RM-8742) | | :------------------- | ## 🧰 Changes Adds sensitive data masking to the PHP SDK The logic is the same as we will have in Python SDK (PR #955)
diff --git a/Makefile b/Makefile
@@ -54,12 +54,12 @@ test-metrics-node-hapi: ## Run Metrics tests against the Node SDK + hapi
 
 test-metrics-php-laravel: ## Run Metrics tests against the PHP SDK + Laravel
 	docker compose up --build --detach integration_php_laravel
-	SUPPORTS_MULTIPART=true npm run test:integration-metrics || make cleanup-failure
+	SUPPORTS_HASHING=true SUPPORTS_MULTIPART=true npm run test:integration-metrics || make cleanup-failure
 	@make cleanup
 
 test-webhooks-php-laravel: ## Run webhooks tests against the PHP SDK + Laravel
 	docker compose up --detach integration_php_laravel
-	SUPPORTS_MULTIPART=true npm run test:integration-webhooks || make cleanup-failure
+	SUPPORTS_HASHING=true SUPPORTS_MULTIPART=true npm run test:integration-webhooks || make cleanup-failure
 	@make cleanup
 
 ##
diff --git a/packages/php/src/HAR/MaskHelper.php b/packages/php/src/HAR/MaskHelper.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace ReadMe\HAR;
+
+class MaskHelper
+{
+    public static function mask(string $data): string
+    {
+        $hashBytes = hash('sha512', $data, true);
+        $base64Hash = base64_encode($hashBytes);
+        $opts = substr($data, -4);
+        return 'sha512-' . $base64Hash . '?' . $opts;
+    }
+}
diff --git a/packages/php/src/HAR/Payload.php b/packages/php/src/HAR/Payload.php
@@ -33,7 +33,7 @@ public function create(string $log_id, Request $request, Response $response): ar
         if ($api_key_exists) {
             // Swap the externally documented `api_key` field into backwards compatible and
             // internally used `id` field.
-            $group['id'] = $group['api_key'];
+            $group['id'] = MaskHelper::mask($group['api_key']);
             unset($group['api_key']);
         }
 
@@ -334,10 +334,14 @@ protected static function convertHeaderBagToArray(HeaderBag $headers): array
             /** @psalm-suppress PossiblyNullIterator */
             foreach ($values as $value) {
                 // If the header is empty, don't worry about it.
-                if ($value === '') {
+                if ($value === '' || $value === null) {
                     continue; // @codeCoverageIgnore
                 }
 
+                if (strtolower($name) === 'authorization') {
+                    $value = MaskHelper::mask($value);
+                }
+
                 $output[] = [
                     'name' => $name,
                     'value' => $value
diff --git a/packages/php/tests/HAR/PayloadTest.php b/packages/php/tests/HAR/PayloadTest.php
@@ -125,7 +125,8 @@ public function testCreate(): void
         $this->assertSame('fake-uuid', $har['_id']);
 
         $this->assertEqualsCanonicalizing([
-            'id' => '123457890',
+            'id' => 'sha512-UrMmjaetxGbu6QkwzYAH9h4c1dzTNIy3CV1lBuHSb0TNlTmrgUUzTRINiCPah7ObWnOiqVXUlVjQD14gblqlPA=='
+                . '?7890',
             'label' => 'username',
             'email' => 'email@example.com'
         ], $har['group']);
