Skip to content
docsv0.1.0

Credential

An opaque wrapper around a raw secret (a bearer token, a session cookie value, …) plus its {@see self::$type}. Its whole reason to exist is that the raw value MUST NOT leak: it is the one thing in the system that, printed to a log or an error, hands an attacker the keys. It uses the idiomatic modern-PHP shape for a secret-bearing value object: the value is a `private readonly` property marked `#[\SensitiveParameter]` at construction (so it is redacted from stack-trace argument dumps), {@see self::__debugInfo()} redacts it (so `print_r`/`var_dump` render `['type' => …, 'value' => '[redacted]']`), both {@see self::__serialize()} and {@see self::__clone()} refuse outright (a secret must never survive serialization — a record rebuilt with `'[redacted]'` would be a silent bomb, so we fail loudly instead). There is deliberately NO `__toString()`: casting a Credential to a string is a bug, and must raise an Error rather than quietly hand back — or leak — the secret. The one deliberate exit is {@see self::value()}, for the verifier that actually has to check the secret. Treat any other appearance of the raw value as a security bug.

Credential::__construct()

public function __construct(string $value, Milpa\Auth\CredentialType $type):

Parameters

Parameters of __construct()
NameTypeDescription
$valuestring
$typeMilpa\Auth\CredentialType

Credential::bearer()

public static function bearer(string $value): self

A bearer-token credential — the `Authorization: Bearer …` case.

Parameters

Parameters of bearer()
NameTypeDescription
$valuestring
public static function cookie(string $value): self

A cookie credential — the session-cookie case.

Parameters

Parameters of cookie()
NameTypeDescription
$valuestring

Credential::value()

public function value(): string

Credential::__debugInfo()

public function __debugInfo(): array

Credential::__serialize()

public function __serialize(): array

Throws

\LogicException always

Credential::__clone()

public function __clone(): void