forked from mystiq/dex
fix a bug in hash comparison function
the client secret coming in should be hashed and the one in storage is the one in plaintext Signed-off-by: Rui Yang <ruiya@vmware.com>
This commit is contained in:
parent
d658c24e8f
commit
ecea593ddd
2 changed files with 3 additions and 3 deletions
|
@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
if s.hashClientSecret {
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
|
||||
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
|
|
@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
|
|||
// Create the OAuth2 config.
|
||||
oauth2Config = &oauth2.Config{
|
||||
ClientID: clientID,
|
||||
ClientSecret: clientSecret,
|
||||
ClientSecret: string(hash),
|
||||
Endpoint: p.Endpoint(),
|
||||
Scopes: requestedScopes,
|
||||
}
|
||||
|
@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
|
|||
// Regester the client above with dex.
|
||||
client := storage.Client{
|
||||
ID: clientID,
|
||||
Secret: string(hash),
|
||||
Secret: clientSecret,
|
||||
RedirectURIs: []string{oauth2Client.URL + "/callback"},
|
||||
}
|
||||
if err := s.storage.CreateClient(client); err != nil {
|
||||
|
|
Loading…
Reference in a new issue