Description
When using the login throttling feature, username and IP may appear in the debug logs (e.g. when an error occurs in prod with fingers_crossed logger):
Successfully acquired the "username_ip_login-random.username-1.2.3.4" lock.
Expiration defined for "username_ip_login-random.username-1.2.3.4" lock for "300" seconds.
What do you think about (optionally) masking this information? For example, by adding a MaskingLoginRateLimiter in addition to the DefaultLoginRateLimiter. A straightforward approach would be to use a hash of the username and client IP as the key for the limiter(s).
This would not only mask the log messages but would affect all appearances of the keys, e.g. in storage. This might be an advantage or a disadvantage; at least the PdoStore hashes the key anyway, though. The Lock class, where the logs originate, seems to be the wrong place for tweaking, as it is not (and should not be) aware of the content of the key.
Another approach, probably on application level, would be a Monolog processor that replaces the username and client IP, but this seems less efficient and not that robust.
Example
protected function getLimiters(Request $request): array
{
    $username = $request->attributes->get(Security::LAST_USERNAME, '');
    // Hash the raw values so neither the username nor the client IP shows up in lock keys (and therefore in lock logs)
    $globalKey = hash('sha256', $request->getClientIp());
    $localKey = hash('sha256', $username.'-'.$request->getClientIp());

    return [
        $this->globalFactory->create($globalKey),
        $this->localFactory->create($localKey),
    ];
}
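As an added illustration (not code from the issue or from Symfony), here is the masking limiter written as a complete AbstractRequestRateLimiter with a keyed hash: an unkeyed sha256 of `username-ip` can still be matched against guessed username/IP pairs, so the key is derived with hash_hmac and a secret. It assumes the application secret is injected via the constructor and that the `mask()` helper name is hypothetical.

```php
<?php
// Added example, not part of the original issue: a keyed (HMAC) variant of the masking idea.
// Assumes the app secret (e.g. kernel.secret) is passed in as the third constructor argument.

use Symfony\Component\HttpFoundation\RateLimiter\AbstractRequestRateLimiter;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Security\Core\Security;

final class MaskingLoginRateLimiter extends AbstractRequestRateLimiter
{
    public function __construct(
        private RateLimiterFactory $globalFactory,
        private RateLimiterFactory $localFactory,
        private string $secret, // assumption: injected application secret, never logged
    ) {
    }

    protected function getLimiters(Request $request): array
    {
        $username = (string) $request->attributes->get(Security::LAST_USERNAME, '');
        $ip = (string) $request->getClientIp(); // may be null behind a misconfigured proxy; cast to ''

        return [
            // Global limiter keyed on the client IP only
            $this->globalFactory->create($this->mask($ip)),
            // Local limiter keyed on the username/IP pair, as in DefaultLoginRateLimiter
            $this->localFactory->create($this->mask($username.'-'.$ip)),
        ];
    }

    // Keyed hash: without the secret, a logged or stored key cannot be checked
    // against candidate username/IP pairs, which a plain sha256 would allow.
    private function mask(string $value): string
    {
        return hash_hmac('sha256', $value, $this->secret);
    }
}
```

Lock keys then read like `username_ip_login-<64 hex chars>` instead of `username_ip_login-random.username-1.2.3.4`, while the limiter behaviour is unchanged.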