Merge pull request #243 from creative-commoners/pulls/4.0/do-not-store-password

FIX SessionStore no longer persists the member's password during MFA login

Author: NightJar

docs/en/datastores.md

@@ -15,3 +15,19 @@ SilverStripe\Core\Injector\Injector:
 
 Please note that the store should always be treated as a server side implementation. It's not a good idea to implement
 a client store e.g. cookies.
+
+## Adjusting what goes into the store
+
+By default, the entire HTTPRequest object is saved to the store during the multi-factor authentication process. We
+exclude the `Password` field from the request by default, but if you need to exclude other fields, you can add an
+extension, for example:
+
+```php
+// Apply extension to \SilverStripe\MFA\Authenticator\LoginHandler
+class MyLoginHandlerExtension extends Extension
+{
+    public function onBeforeSaveRequestToStore(HTTPRequest $request, StoreInterface $store): void
+    {
+        $request->offsetUnset('MySecretField');
+    }
+```

src/Authenticator/LoginHandler.php

@@ -96,6 +96,11 @@ public function doLogin($data, MemberLoginForm $form, HTTPRequest $request)
 
         // Create a store for handling MFA for this member
         $store = $this->createStore($member);
+        // We don't need to store the user's password
+        $request->offsetUnset('Password');
+        // User code may adjust the request properties further if they have their own sensitive data which
+        // should be excluded from the store.
+        $this->extend('onBeforeSaveRequestToStore', $request, $store);
         $store->save($request);
 
         // Store the BackURL for use after the process is complete