fix a bug in hash comparison function

the client secret coming in should be hashed and the one in storage is the one in plaintext Signed-off-by: Rui Yang <[email protected]>
sarvex · May 14, 2021 · ecea593 · ecea593
1 parent d658c24
commit ecea593
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/server/handlers.go b/server/handlers.go
@@ -683,7 +683,7 @@ func (s *Server) handleToken(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if s.hashClientSecret {
-		if err := bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(clientSecret)); err != nil {
+		if err := bcrypt.CompareHashAndPassword([]byte(clientSecret), []byte(client.Secret)); err != nil {
 			s.tokenErrHelper(w, errInvalidClient, "Invalid client credentials.", http.StatusUnauthorized)
 			return
 		}

diff --git a/server/server_test.go b/server/server_test.go
@@ -1681,7 +1681,7 @@ func TestClientSecretEncryption(t *testing.T) {
 	// Create the OAuth2 config.
 	oauth2Config = &oauth2.Config{
 		ClientID:     clientID,
-		ClientSecret: clientSecret,
+		ClientSecret: string(hash),
 		Endpoint:     p.Endpoint(),
 		Scopes:       requestedScopes,
 	}
@@ -1728,7 +1728,7 @@ func TestClientSecretEncryption(t *testing.T) {
 	// Regester the client above with dex.
 	client := storage.Client{
 		ID:           clientID,
-		Secret:       string(hash),
+		Secret:       clientSecret,
 		RedirectURIs: []string{oauth2Client.URL + "/callback"},
 	}
 	if err := s.storage.CreateClient(client); err != nil {