feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets * fix command package tests * add hash generator command test * naming convention, fix query tests * rename PasswordHasher and cleanup start commands * add reducer tests * fix intergration tests, cleanup old config * add app secret unit tests * solve setup panics * fix push of updated events * add missing event translations * update documentation * solve linter errors * remove nolint:SA1019 as it doesn't seem to help anyway * add nolint to deprecated filter usage * update users migration version * remove unused ClientSecret from APIConfigChangedEvent --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:27:32 +00:00 · 2024-04-05 12:35:49 +03:00
parent 5931fb8f28
commit 2089992d75
135 changed files with 2407 additions and 1779 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -1050,8 +1050,13 @@ func (s *Server) verifyClientSecret(ctx context.Context, client *query.OIDCClien
 	if secret == "" {
 		return oidc.ErrInvalidClient().WithDescription("empty client secret")
 	}
-	if err = crypto.CompareHash(client.ClientSecret, []byte(secret), s.hashAlg); err != nil {
+	ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
+	updated, err := s.hasher.Verify(client.HashedSecret, secret)
+	spanPasswordComparison.EndWithError(err)
+	if err != nil {
+		s.command.OIDCSecretCheckFailed(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner)
 		return oidc.ErrInvalidClient().WithParent(err).WithDescription("invalid secret")
 	}
+	s.command.OIDCSecretCheckSucceeded(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner, updated)
 	return nil
 }