Arsharth/dex
1
0
Fork 0
forked from mystiq/dex
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix a bug in hash comparison function

Browse source 
the client secret coming in should be hashed and the one in storage
is the one in plaintext

Signed-off-by: Rui Yang <ruiya@vmware.com>
This commit is contained in:
Rui Yang 2021-05-14 13:32:27 -04:00
parent d658c24e8f
commit ecea593ddd
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
server/handlers.go
View file

@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
} }
if s.hashClientSecret { if s.hashClientSecret {
if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil { if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized) s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
return return
} }

4
server/server_test.go
View file

@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
// Create the OAuth2 config. // Create the OAuth2 config.
oauth2Config = &oauth2.Config{ oauth2Config = &oauth2.Config{
ClientID: clientID, ClientID: clientID,
ClientSecret: clientSecret, ClientSecret: string(hash),
Endpoint: p.Endpoint(), Endpoint: p.Endpoint(),
Scopes: requestedScopes, Scopes: requestedScopes,
} }
@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
// Regester the client above with dex. // Regester the client above with dex.
client := storage.Client{ client := storage.Client{
ID: clientID, ID: clientID,
Secret: string(hash), Secret: clientSecret,
RedirectURIs: []string{oauth2Client.URL + "/callback"}, RedirectURIs: []string{oauth2Client.URL + "/callback"},
} }
if err := s.storage.CreateClient(client); err != nil { if err := s.storage.CreateClient(client); err != nil {