lib/gitlab/doorkeeper_secret_storing/pbkdf2_sha512.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

# frozen_string_literal: true

module Gitlab
  module DoorkeeperSecretStoring
    class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
      STRETCHES = 20_000
      # An empty salt is used because we need to look tokens up solely by
      # their hashed value. Additionally, tokens are always cryptographically
      # pseudo-random and unique, therefore salting provides no
      # additional security.
      SALT = ''

      def self.transform_secret(plain_secret)
        return plain_secret unless Feature.enabled?(:hash_oauth_tokens)

        Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
      end

      ##
      # Determines whether this strategy supports restoring
      # secrets from the database. This allows detecting users
      # trying to use a non-restorable strategy with +reuse_access_tokens+.
      def self.allows_restoring_secrets?
        false
      end
    end
  end
end