Skip to content

Hash application client secrets using Django password hashing#1093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
n2ygk merged 3 commits into from
Jan 25, 2022
Merged

Hash application client secrets using Django password hashing #1093

n2ygk merged 3 commits into from
Jan 25, 2022

Conversation

@n2ygk
Copy link
Contributor

@n2ygkn2ygk commented Jan 20, 2022

Fixes#729

Description of the Change

Pick up where #1020 left off and simplify to always hash the client_secret using the Django default hasher.
The migration is not reversible as it hashes cleartext application client secrets.

Checklist

  • PR only contains one change (considered splitting up PR)
  • unit-test added
  • documentation updated
  • CHANGELOG.md updated (only for user relevant changes)
  • author name in AUTHORS

@n2ygk
Copy link
ContributorAuthor

n2ygk commented Jan 20, 2022

@pkarman - Thanks for the idea regarding client secret hashing. I've simplified by turning this into a breaking change (migration not reversible) that will always hash the client secret.

@n2ygkn2ygk added this to the 2.0.0 milestone Jan 20, 2022
@n2ygkn2ygk requested a review from a teamJanuary 20, 2022 22:55
@codecov
Copy link

codecovbot commented Jan 21, 2022
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.61%. Comparing base (a6bd0d0) to head (05de2af).
Report is 195 commits behind head on master.

Additional details and impacted files
@@ Coverage Diff @@## master #1093 +/- ## ========================================== + Coverage 96.58% 96.61% +0.02%  ========================================== Files 32 32 Lines 1787 1801 +14 ========================================== + Hits 1726 1740 +14  Misses 61 61

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Andrew-Chen-Wang
Andrew-Chen-Wang suggested changes Jan 23, 2022
View reviewed changes
Copy link
Contributor

@Andrew-Chen-WangAndrew-Chen-Wang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, it LGTM!

pkarmanand others added 2 commits January 24, 2022 11:03
@n2ygkn2ygkforce-pushed the issue_729/hash_secrets branch from 1cf4259 to b5f6674CompareJanuary 24, 2022 16:06
@n2ygkn2ygk marked this pull request as ready for review January 24, 2022 16:57
@n2ygkn2ygk merged commit 691870c into django-oauth:masterJan 25, 2022
@n2ygkn2ygk deleted the issue_729/hash_secrets branch January 25, 2022 15:00
flow3d pushed a commit to singular-labs/django-oauth-toolkit that referenced this pull request Mar 22, 2022
@n2ygk@Andrew-Chen-Wang@pkarman
Hash application client secrets using Django password hashing (django…
5ef4225
…-oauth#1093) * Add ClientSecretField field to use Django password hashing algorithms (django-oauth#1020) Co-authored-by: Andrew Chen Wang <[email protected]> Co-authored-by: Peter Karman <[email protected]> Co-authored-by: Andrew Chen Wang <[email protected]>
@SCH227SCH227 mentioned this pull request Apr 2, 2022
Closed
@josephabrahamsjosephabrahams mentioned this pull request Apr 27, 2022
Closed
2 tasks
@martin-thoma
Copy link
Contributor

martin-thoma commented Jul 5, 2022

If feels wrong to see "WIP" in the title of a merged PR / to see WIP in a breaking change in the changelog.

@n2ygkn2ygk changed the title WIP: Hash application client secrets using Django password hashingHash application client secrets using Django password hashingJul 5, 2022
@n2ygkn2ygk mentioned this pull request Jul 7, 2023
Closed
2 tasks
@lrq315lrq315 mentioned this pull request Dec 13, 2025
Open
2 tasks
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Andrew-Chen-WangAndrew-Chen-WangAndrew-Chen-Wang approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.0.0

Development

Successfully merging this pull request may close these issues.

Why are secrets in plain text?

4 participants

@n2ygk@martin-thoma@Andrew-Chen-Wang@pkarman