Username/Email is passed as clear GET Parameter to CheckEmailAction on password reset process

[BA-JBI]

Subject

When filling username or email address in Password reset action this value is passed as plain GET parameter to Redirect.

SonataUserBundle/src/Action/RequestAction.php

Lines 69 to 71 in 35fe4f6

	return new RedirectResponse($this->urlGenerator->generate('sonata_user_admin_resetting_check_email', [
	'username' => $username,
	]));

This may cause privacy problems because most server logs are not configured by default to filter or anonymize GET parameters from logfiles.

Expected results

As there is no need to pass this value as plain value, a minimal invasive solution would be hashing it, before generating the redirect url.

This should NOT be a breaking change, because the only use of this value is the following code:

SonataUserBundle/src/Action/CheckEmailAction.php

Lines 37 to 39 in 35fe4f6

	$username = $request->query->get('username');
	if (null === $username) {

If you nevertheless think this may be breaking because anyone could have overridden the CheckEmailAction and uses the username value there, i suppose at least to make it configurable if the value is hashed or not.

Please let me know what you think, so i can suppose a pull requst

[Hanmac]

I mean, is the username really needed? 🤷‍♂️

The CheckEmailAction only says "You! Check your e-mails". it doesn't use the username at all? Only checks if the parameter exists?

[BA-JBI]

I mean, is the username really needed?

I do NOT need it. And if the condition in CheckEmailAction should stay in future, a boolean flag would be enough.

[Hanmac]

@VincentLanglet what is your opinion? Does the CheckEmailAction need to have username param?

[VincentLanglet]

You can drop it and if tests passed, it'll be merged

[Hanmac]

@BA-JBI do you want to make the PR or should i do it?