BrennanPaciorek
commented
2 weeks ago The problem with salting just clicked for me. I think we can use a application-wide salt for OAuth2 tokens if we want to get salts working, or we can use the application SECRET_KEY, or something derived from it (this would probably require some documentation, since we don't want users cycling the key, then getting irritated when their oauth2 sessions get invalidated).
Maybe we can add a table to the database for the purpose of storing a single salt, then set database constraints to make sure one is always present?
Definitely understand why implementing salts may be more trouble than its worth, so I am perfectly fine without the implementation of salts.
relrod
sonarcloud[bot]
~Missing pieces that still need to be done:~
django-admin create_oauth2_tokenis broken now (it gives the hash instead of the plaintext token)~EDIT: The above has been done.
Previously, OAuth2 Access tokens including PATs were not hashed or encrypted in any way, and were stored in plaintext in the database. Seeing them required direct database access, but it is still better to hash them, since they are long-lived.
This commit implements hashing (using sha256) of access tokens. Hashing is unsalted, as we need to be able to key on a stable input - but also because the tokens are already random strings and a salt adds nothing more of security.
The input bearer token (used to auth a user) is hashed in LoggedOAuth2Authentication and stuffed back into the request. This might seem like a weird place to inject the hash, but it avoids having to override any DOT internals.
The serializer has been updated to account for the new functionality and still works the same way as in the past: On POST (new token creation), the token will be displayed -- after that it will not.
Test fixtures and tests have been updated as well.