obscure admin password to not exploit full password

Marcel Hauri · Marcel Hauri · commit c55fa4169ae4 · 2017-07-26T10:42:54.000+02:00
diff --git a/Events/Admin/AdminUserAuthenticate.php b/Events/Admin/AdminUserAuthenticate.php
@@ -8,12 +8,32 @@
 
 namespace Staempfli\ChatConnector\Events\Admin;
 
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\Event\ManagerInterface;
 use Magento\Framework\Event\Observer;
 use Magento\Framework\Event\ObserverInterface;
 use Staempfli\ChatConnector\Events\Events;
 
 class AdminUserAuthenticate extends Events implements ObserverInterface
 {
+    /**
+     * @var \Magento\Framework\App\Request\Http
+     */
+    private $request;
+
+    /**
+     * AdminUserAuthenticate constructor.
+     * @param RequestInterface $request
+     * @param ManagerInterface $eventManager
+     */
+    public function __construct(
+        RequestInterface $request,
+        ManagerInterface $eventManager
+    ) {
+        parent::__construct($eventManager);
+        $this->request = $request;
+    }
+
     /**
      * @param Observer $observer
      * @return void
@@ -22,10 +42,25 @@ public function execute(\Magento\Framework\Event\Observer $observer)
     {
         if (!$observer->getResult()) {
             $this->notify(__(
-                "<strong>Admin user login failed!</strong>\n Username: %1 \n Password: %2",
+                "<strong>Admin user login failed!</strong>\n Username: %1 \n Password: %2 \n IP: %3",
                 $observer->getUsername(),
-                $observer->getPassword()
+                $this->getObscuredPassword($observer->getPassword()),
+                $this->request->getServer('REMOTE_ADDR')
             ));
         }
     }
+
+    /**
+     * @param string $password
+     * @return string
+     */
+    private function getObscuredPassword(string $password)
+    {
+        $passwordLength = strlen($password);
+        return sprintf('%s%s%s',
+            substr($password, 0, 1),
+            str_repeat('*', ($passwordLength - 2)),
+            substr($password, -1)
+        );
+    }
 }
diff --git a/i18n/en_US.csv b/i18n/en_US.csv
@@ -1,3 +1,3 @@
-"<strong>Admin user login failed!</strong>\n Username: [%1] \n Password: [%2]","<strong>Admin user login failed!</strong>\n Username: [%1] \n Password: [%2]"
+"<strong>Admin user login failed!</strong>\n Username: %1 \n Password: %2 \n IP: %3","<strong>Admin user login failed!</strong>\n Username: %1 \n Password: %2 \n IP: %3"
 "<strong>New Admin User was created!</strong>\n Username: %1 \n First Name: %2 \n Last Name: %3 \n E-Mail: %4","<strong>New Admin User was created!</strong>\n Username: %1 \n First Name: %2 \n Last Name: %3 \n E-Mail: %4"
 "<strong>A new order has been placed.</strong>\n<strong>Order ID:</strong> %1\n<strong>Name:</strong> %2\n<strong>Subtotal:</strong> %3\n<strong>Shipping & Handling:</strong> %4\n <strong>Grand Total:</strong> %5","<strong>A new order has been placed.</strong>\n<strong>Order ID:</strong> %1\n<strong>Name:</strong> %2\n<strong>Subtotal:</strong> %3\n<strong>Shipping & Handling:</strong> %4\n <strong>Grand Total:</strong> %5"
