knadh / listmonk

High performance, self-hosted, newsletter and mailing list manager with a modern dashboard. Single binary app.
https://listmonk.app
GNU Affero General Public License v3.0

OIDC client_secret overwritten with placeholders on settings save #2126

Closed ErikMichelson closed 5 hours ago

ErikMichelson commented 6 hours ago

Version:

Description of the bug and steps to reproduce:

I have configured OIDC. It worked as expected. Some days later I changed another setting, which resulted in me not being able to log in via OIDC anymore with an error stating that the client_secret would be wrong.

Some investigation in the database showed me that the OIDC client_secret seems to be overwritten with placeholder characters on further settings changes.

To reproduce:

  1. Configure OIDC with a client_secret
  2. Verify that the database contains the right secret: SELECT value->>'client_secret' AS value FROM settings WHERE key = 'security.oidc';
  3. Change another setting and save the settings again
  4. Run the SQL query to extract the client_secret again: See that it changed to placeholder characters
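The failure pattern in the steps above (a settings form that receives a masked secret, and a save path that writes the mask back verbatim) can be shown in a few lines of Go. This is an added illustration, not listmonk's own code: the `OIDCSettings` struct, the `•` mask character, the helper names and the sample values are all constructed for the example; the real mask listmonk uses is not stated on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// maskChar is a constructed placeholder; the actual character the real UI
// uses is not given on the page.
const maskChar = "•"

// OIDCSettings is a hypothetical stand-in for the "security.oidc" settings
// blob the issue queries from the settings table.
type OIDCSettings struct {
	Enabled      bool
	ProviderURL  string
	ClientID     string
	ClientSecret string
}

// Mask returns a same-length run of maskChar so the browser never sees the
// real secret but the form still shows that one is set.
func Mask(secret string) string {
	return strings.Repeat(maskChar, len([]rune(secret)))
}

// IsMasked reports whether a value consists only of mask characters.
// Run against the stored column value, it also detects an already-clobbered
// secret (step 4 of the reproduction).
func IsMasked(v string) bool {
	return v != "" && strings.Trim(v, maskChar) == ""
}

// ForUI is what the settings endpoint hands to the dashboard: a copy of the
// stored settings with the secret replaced by its mask.
func ForUI(stored OIDCSettings) OIDCSettings {
	stored.ClientSecret = Mask(stored.ClientSecret)
	return stored
}

// SaveNaive models the buggy path: whatever the form submits is persisted,
// so a masked secret overwrites the real one.
func SaveNaive(_ OIDCSettings, incoming OIDCSettings) OIDCSettings {
	return incoming
}

// SaveMerging models the corrected path: a masked secret in the submitted
// form is replaced by the value already stored, and only a genuinely new
// secret is written.
func SaveMerging(stored OIDCSettings, incoming OIDCSettings) OIDCSettings {
	if IsMasked(incoming.ClientSecret) {
		incoming.ClientSecret = stored.ClientSecret
	}
	return incoming
}

func main() {
	// Constructed sample: OIDC configured once (step 1 of the report).
	stored := OIDCSettings{
		Enabled:      true,
		ProviderURL:  "https://idp.example.test",
		ClientID:     "listmonk-demo",
		ClientSecret: "constructed-secret-value",
	}

	// The dashboard loads the masked form, the admin changes another field
	// (step 3) and submits the whole form back.
	form := ForUI(stored)
	form.ProviderURL = "https://idp2.example.test"

	naive := SaveNaive(stored, form)
	merged := SaveMerging(stored, form)

	fmt.Println("naive save keeps secret:  ", !IsMasked(naive.ClientSecret))
	fmt.Println("merging save keeps secret:", !IsMasked(merged.ClientSecret))
}
```

`IsMasked` doubles as a health check: running it over the value returned by the `SELECT value->>'client_secret' ...` query from step 2 tells you whether a stored secret has already been replaced by placeholders, which is the symptom the login error surfaces.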
ErikMichelson commented 5 hours ago

Oh, I just looked through the recent development and found this promising commit: https://github.com/knadh/listmonk/commit/5abf004655ad457e0fe319ce18487c73957b36b3

I guess this problem should be resolved with it, and I am waiting happily for the next release. :)