lib/gitlab/doorkeeper_secret_storing/token/pbkdf2_sha512.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

# frozen_string_literal: true

module Gitlab
  module DoorkeeperSecretStoring
    module Token
      class Pbkdf2Sha512 < ::Doorkeeper::SecretStoring::Base
        STRETCHES = 20_000
        # An empty salt is used because we need to look tokens up solely by
        # their hashed value. Additionally, tokens are always cryptographically
        # pseudo-random and unique, therefore salting provides no
        # additional security.
        SALT = ''

        def self.transform_secret(plain_secret)
          return plain_secret unless Feature.enabled?(:hash_oauth_tokens)

          Devise::Pbkdf2Encryptable::Encryptors::Pbkdf2Sha512.digest(plain_secret, STRETCHES, SALT)
        end

        ##
        # Determines whether this strategy supports restoring
        # secrets from the database. This allows detecting users
        # trying to use a non-restorable strategy with +reuse_access_tokens+.
        def self.allows_restoring_secrets?
          false
        end
      end
    end
  end
end