feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/command/user_machine_model.go

@@ -18,8 +18,7 @@ type MachineWriteModel struct {
 	Description     string
 	UserState       domain.UserState
 	AccessTokenType domain.OIDCTokenType
-
-	ClientSecret *crypto.CryptoValue
+	HashedSecret    string
 }
 
 func NewMachineWriteModel(userID, resourceOwner string) *MachineWriteModel {
@@ -71,9 +70,11 @@ func (wm *MachineWriteModel) Reduce() error {
 		case *user.UserRemovedEvent:
 			wm.UserState = domain.UserStateDeleted
 		case *user.MachineSecretSetEvent:
-			wm.ClientSecret = e.ClientSecret
+			wm.HashedSecret = crypto.SecretOrEncodedHash(e.ClientSecret, e.HashedSecret)
 		case *user.MachineSecretRemovedEvent:
-			wm.ClientSecret = nil
+			wm.HashedSecret = ""
+		case *user.MachineSecretHashUpdatedEvent:
+			wm.HashedSecret = e.HashedSecret
 		}
 	}
 	return wm.WriteModel.Reduce()
@@ -94,8 +95,9 @@ func (wm *MachineWriteModel) Query() *eventstore.SearchQueryBuilder {
 			user.UserReactivatedType,
 			user.UserRemovedType,
 			user.MachineSecretSetType,
-			user.MachineSecretRemovedType).
-		Builder()
+			user.MachineSecretRemovedType,
+			user.MachineSecretHashUpdatedType,
+		).Builder()
 }
 
 func (wm *MachineWriteModel) NewChangedEvent(