GHSA-j72f-h752-mx4w

### Impact
If successful login attempts are recorded, the raw tokens are stored in the log table.
If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.

When you (1) **use the following authentiactors**,
- [AccessTokens](https://codeigniter4.github.io/shield/references/authentication/tokens/) (`tokens`)
- [JWT](https://codeigniter4.github.io/shield/addons/jwt/) (`jwt`)
- [HmacSha256](https://codeigniter4.github.io/shield/references/authentication/hmac/) (`hmac`)

and you (2) **log successful login attempts**, the raw tokens are stored.

### Patches
Upgrade to Shield v1.0.0-beta.8 or later.

### Workarounds
Disable logging for successful login attempts by the configuration files.

- AccessTokens or HmacSha256
- Set `Config\AuthToken::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`
- JWT
- Set `Config\AuthJWT::$recordLoginAttempt` to `Auth::RECORD_LOGIN_ATTEMPT_FAILURE` or `Auth::RECORD_LOGIN_ATTEMPT_NONE`

### References
- https://codeigniter4.github.io/shield/getting_started/authenticators/

### For more information
If you have any questions or comments about this advisory:
* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)
* Email us at [[email protected]](mailto:[email protected])