fix a bug in hash comparison function

the client secret coming in should be hashed and the one in storage is the one in plaintext Signed-off-by: Rui Yang <ruiya@vmware.com>
2021-05-14 13:32:27 -04:00 · 2021-05-14 13:32:27 -04:00 · ecea593ddd
commit ecea593ddd
parent d658c24e8f
2 changed files with 3 additions and 3 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 	}

 	if s.hashClientSecret {
-		if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
+		if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
 			s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 			return
 		}
--- a/server/server_test.go
+++ b/server/server_test.go
@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
 	// Create the OAuth2 config.
 	oauth2Config = &oauth2.Config{
 		ClientID:     clientID,
-		ClientSecret: clientSecret,
+		ClientSecret: string(hash),
 		Endpoint:     p.Endpoint(),
 		Scopes:       requestedScopes,
 	}
@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
 	// Regester the client above with dex.
 	client := storage.Client{
 		ID:           clientID,
-		Secret:       string(hash),
+		Secret:       clientSecret,
 		RedirectURIs: []string{oauth2Client.URL + "/callback"},
 	}
 	if err := s.storage.CreateClient(client); err != nil {