From 0b0da1783bc701e74a1972869bdb221a3c9a6b2a Mon Sep 17 00:00:00 2001 From: Frederick Muriuki Muriithi Date: Tue, 30 May 2023 11:27:17 +0300 Subject: auth: Change check for client secret We are saving the client secret in an encrypted form, meaning we have to verify that the CLIENT_SECRET that is provided is the same one as was generated at registration in a different way. Initially, I was doing a direct comparison, having saved the CLIENT_SECRET value as unencrypted plain-text. --- gn3/auth/authentication/oauth2/models/oauth2client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'gn3/auth/authentication/oauth2/models') diff --git a/gn3/auth/authentication/oauth2/models/oauth2client.py b/gn3/auth/authentication/oauth2/models/oauth2client.py index da20200..14c4c94 100644 --- a/gn3/auth/authentication/oauth2/models/oauth2client.py +++ b/gn3/auth/authentication/oauth2/models/oauth2client.py @@ -27,7 +27,7 @@ class OAuth2Client(NamedTuple): def check_client_secret(self, client_secret: str) -> bool: """Check whether the `client_secret` matches this client.""" - return self.client_secret == client_secret + return same_password(client_secret, self.client_secret) @property def token_endpoint_auth_method(self) -> str: -- cgit v1.2.3