1 files changed, 30 insertions, 0 deletions

diff --git a/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb b/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb
new file mode 100644
index 00000000000..f9e6d4076f3
--- /dev/null
+++ b/lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module DoorkeeperSecretStoring
+    module Token
+      class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
+        STRETCHES = 20_000
+        # An empty salt is used because we need to look tokens up solely by
+        # their hashed value. Additionally, tokens are always cryptographically
+        # pseudo-random and unique, therefore salting provides no
+        # additional security.
+        SALT = ''
+
+        def self.transform_secret(plain_secret)
+          return plain_secret unless Feature.enabled?(:hash_oauth_tokens)
+
+          Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
+        end
+
+        ##
+        # Determines whether this strategy supports restoring
+        # secrets from the database. This allows detecting users
+        # trying to use a non-restorable strategy with +reuse_access_tokens+.
+        def self.allows_restoring_secrets?
+          false
+        end
+      end
+    end
+  end
+end