Skip to content

chore!: ensure consistent secret token generation and hashing#20388

Merged
Emyrk merged 23 commits into
mainfrom
stevenmasley/refresh_hashing
Oct 23, 2025
Merged

chore!: ensure consistent secret token generation and hashing#20388
Emyrk merged 23 commits into
mainfrom
stevenmasley/refresh_hashing

Conversation

@Emyrk
Copy link
Copy Markdown
Member

@Emyrk Emyrk commented Oct 20, 2025
edited
Loading

I noticed our oauth2 tokens used userpassword.Hash which salts the hash. Since our tokens are 40 random characters, salting is redundant and provides no increased security.

This PR uses the same sha256 hashing technique as we use for APIKeys. So now all randomly generated secrets will be hashed with sha256 for consistency.

This is a breaking change for the oauth tokens. Since oauth is only allowed for dev builds and experimental, this is ok.

@Emyrk Emyrk changed the title chore: oauth2 refresh tokens to use sha256 hashed secrets chore: oauth2 tokens to use sha256 hashed secrets Oct 20, 2025
@Emyrk Emyrk marked this pull request as ready for review October 21, 2025 15:37
@Emyrk Emyrk requested review from ThomasK33 and code-asher October 21, 2025 15:37
Emyrk added 5 commits October 21, 2025 10:38
@Emyrk
chore: oauth2 refresh tokens to use sha256 hashed secrets
d1cf114 
Salts are not required for random secrets. Salts are only useful to
protect against rainbow table style attacks. Since the input it 40
random characters, salts are overkill.
@Emyrk
chore: refactor RegistrationAccessToken from string to []byte
55ef6ed
@Emyrk
make gen
41e1c4a
@Emyrk
reuse apikey generate for more places
feb3df7
@Emyrk
bump migration
2cfc267
@Emyrk Emyrk force-pushed the stevenmasley/refresh_hashing branch from c3eb94d to 2cfc267 Compare October 21, 2025 15:46
@Emyrk Emyrk marked this pull request as draft October 21, 2025 16:30
@Emyrk Emyrk changed the title chore: oauth2 tokens to use sha256 hashed secrets chore: consistent secret token generation and hashing Oct 21, 2025
@Emyrk Emyrk changed the title chore: consistent secret token generation and hashing chore: ensure consistent secret token generation and hashing Oct 21, 2025
@Emyrk Emyrk marked this pull request as ready for review October 21, 2025 20:58
@Emyrk Emyrk requested review from ThomasK33 and code-asher October 21, 2025 20:58
code-asher
code-asher approved these changes Oct 21, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@code-asher code-asher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

This is a breaking change for the oauth tokens. Since oauth is only allowed for dev builds and experimental, this is ok.

To add to this, I think we use it for MCP and there might be some people using it with Backstage (@Parkreiner just a heads up).

@buenos-nachos
Copy link
Copy Markdown
Contributor

buenos-nachos commented Oct 22, 2025
edited
Loading

Yeah, we just rolled out oauth for Backstage, since we have a pretty high-profile lead who really wanted it

I want to say changing the tokens should be okay, but could I get an explanation for the ways that it becomes a breaking change? That'd be really helpful for me, and I don't know if it goes beyond requiring the user to reauthorize

ThomasK33
ThomasK33 approved these changes Oct 22, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@ThomasK33 ThomasK33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, some style nits nothing to get blocked on.

Comment thread coderd/database/migrations/000387_oauth_app_byte_reg_access_token.up.sql Outdated
Comment thread coderd/database/migrations/000387_oauth_app_byte_reg_access_token.up.sql Outdated
Comment thread coderd/oauth2provider/registration.go Outdated
@ThomasK33
Copy link
Copy Markdown
Member

ThomasK33 commented Oct 22, 2025

there might be some people using it with Backstage

It's unlikely. The OAuth components were implemented before I added the experiment and were gated exclusively by the 'dev' version check. So, anyone using Backstage with the OAuth provider must have been running a custom development build.

but could I get an explanation for the ways that it becomes a breaking change

As far as I know, it's a breaking change because the codersdk now exposes a different data type for those fields. As a result, any code that explicitly types or relies on it being a nullable string in SQL will no longer work. However, I could be wrong.

@Emyrk
Copy link
Copy Markdown
Member Author

Emyrk commented Oct 22, 2025
edited
Loading

Yeah, we just rolled out oauth for Backstage, since we have a pretty high-profile lead who really wanted it

I want to say changing the tokens should be okay, but could I get an explanation for the ways that it becomes a breaking change? That'd be really helpful for me, and I don't know if it goes beyond requiring the user to reauthorize

TIL a customer is using it 🤦

I will comment later today specifically what breaks. Iirc all apps need to be remade and all oauth refresh tokens become invalid.

As far as I know, it's a breaking change because the codersdk now exposes a different data type for those fields. As a result, any code that explicitly types or relies on it being a nullable string in SQL will no longer work. However, I could be wrong.

Yes there are some type changes there too. @Parkreiner I'll dm you on slack

@Emyrk
Copy link
Copy Markdown
Member Author

Emyrk commented Oct 23, 2025

@Parkreiner

  • dynamic client registration apps will be invalid.
  • Refresh tokens will be invalid
  • oauth app secrets will be invalid
  • Authorization codes will be invalid (these are short lived anyway)

So basically all of oauth will be broken and have to be redone 😢

@Emyrk Emyrk changed the title chore: ensure consistent secret token generation and hashing chore!: ensure consistent secret token generation and hashing Oct 23, 2025
@Emyrk Emyrk added the release/breaking This label is applied to PRs to detect breaking changes as part of the release process label Oct 23, 2025
@Emyrk Emyrk merged commit 13ca9ea into main Oct 23, 2025
27 checks passed
@Emyrk Emyrk deleted the stevenmasley/refresh_hashing branch October 23, 2025 20:38
@github-actions github-actions Bot locked and limited conversation to collaborators Oct 23, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@ThomasK33 ThomasK33 ThomasK33 approved these changes

@code-asher code-asher code-asher approved these changes

Assignees

@Emyrk Emyrk

Labels

release/breaking This label is applied to PRs to detect breaking changes as part of the release process

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Emyrk @buenos-nachos @ThomasK33 @code-asher