WIP: Allow decrypting logins/credentials via the API

api/v1/credentials/create.php

@@ -27,4 +27,4 @@ if (!empty($api_key_decrypt_password) && !empty($name) && !(empty($password))) {
 }
 
 // Output
-require_once '../create_output.php';
+require_once '../create_output.php';

api/v1/credentials/credential_model.php

@@ -117,4 +117,4 @@ if (isset($_POST['login_software_id'])) {
     $software_id = $credential_row['login_software_id'];
 } else {
     $software_id = '';
-}
+}

api/v1/credentials/update.php

@@ -35,4 +35,4 @@ if (!empty($_POST['api_key_decrypt_password']) && !empty($login_id)) {
 }
 
 // Output
-require_once '../update_output.php';
+require_once '../update_output.php';

functions.php

@@ -380,10 +380,8 @@ function encryptLoginEntry($login_password_cleartext)
     return $iv . $ciphertext;
 }
 
-function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key_decrypt_password)
+function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, #[\SensitiveParameter]$api_key_decrypt_password)
 {
-    // TODO: try marking $api_key_decrypt_password as sensitive - new in PHP 8.2
-
     // Split the login entry (username/password) into IV and Ciphertext
     $login_iv =  substr($login_ciphertext, 0, 16);
     $login_ciphertext = $salt = substr($login_ciphertext, 16);
@@ -395,7 +393,7 @@ function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key
     return openssl_decrypt($login_ciphertext, 'aes-128-cbc', $site_encryption_master_key, 0, $login_iv);
 }
 
-function apiEncryptLoginEntry($credential_cleartext, $api_key_decrypt_hash, $api_key_decrypt_password)
+function apiEncryptLoginEntry(#[\SensitiveParameter]$credential_cleartext, $api_key_decrypt_hash, #[\SensitiveParameter]$api_key_decrypt_password)
 {
     $iv = randomString();