feat(crypto): use passwap for machine and app secrets (#7657)

* feat(crypto): use passwap for machine and app secrets

* fix command package tests

* add hash generator command test

* naming convention, fix query tests

* rename PasswordHasher and cleanup start commands

* add reducer tests

* fix intergration tests, cleanup old config

* add app secret unit tests

* solve setup panics

* fix push of updated events

* add missing event translations

* update documentation

* solve linter errors

* remove nolint:SA1019 as it doesn't seem to help anyway

* add nolint to deprecated filter usage

* update users migration version

* remove unused ClientSecret from APIConfigChangedEvent

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/query/oidc_client_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
-	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -66,7 +65,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				AppID:                    "236647088211886082",
 				State:                    domain.AppStateActive,
 				ClientID:                 "236647088211951618@tests",
-				ClientSecret:             nil,
+				HashedSecret:             "",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode, domain.OIDCGrantTypeRefreshToken},
@@ -97,7 +96,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				AppID:                    "236646457053020162",
 				State:                    domain.AppStateActive,
 				ClientID:                 "236646457053085698@tests",
-				ClientSecret:             nil,
+				HashedSecret:             "",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
@@ -124,15 +123,11 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 			name: "secret client",
 			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientSecret}, "instanceID", "clientID", true),
 			want: &OIDCClient{
-				InstanceID: "230690539048009730",
-				AppID:      "236646858984783874",
-				State:      domain.AppStateActive,
-				ClientID:   "236646858984849410@tests",
-				ClientSecret: &crypto.CryptoValue{
-					CryptoType: crypto.TypeHash,
-					Algorithm:  "bcrypt",
-					Crypted:    []byte(`$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq`),
-				},
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646858984783874",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646858984849410@tests",
+				HashedSecret:             "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{0},
 				GrantTypes:               []domain.OIDCGrantType{0},
@@ -163,7 +158,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				AppID:        "239520764276441090",
 				State:        domain.AppStateActive,
 				ClientID:     "239520764779364354@zitadel",
-				ClientSecret: nil,
+				HashedSecret: "",
 				RedirectURIs: []string{
 					"http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
 					"http://test.localhost.com:9000/ui/console/auth/callback"},