-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store encrypted OAuth2 client secrets #38398
Conversation
Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject |
Yeah that's the one I found by searching for |
For the software architecture I would suggest to leave the db layer like before and do the encryption/description in the service layer (controller in the oauth app case). That avoids adding logic and a non-testable service locator to the entity class. |
OCA is a private app namespace. We can change it at any time. Other apps are not supposed to access other apps this way but go through OCP |
71bfa9b
to
7b6dd11
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
performance nitpicks
fb37e9c
to
cba874f
Compare
293dcf9
to
a5456d1
Compare
d2f21b5
to
8b842fa
Compare
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
8b842fa
to
18c742a
Compare
Rebased and fixed the failing SettingsControllerTest. |
/backport to stable27 |
/backport to stable26 |
/backport to stable25 |
The backport to stable27 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable27
git pull origin/stable27
# Create the new backport branch
git checkout -b fix/foo-stable27
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27 More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
The backport to stable26 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable26
git pull origin/stable26
# Create the new backport branch
git checkout -b fix/foo-stable26
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26 More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
The backport to stable25 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable25
git pull origin/stable25
# Create the new backport branch
git checkout -b fix/foo-stable25
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable25 More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
@julien-nc |
@szaimen Thanks, I'm on it. |
Apparently it is not 🥲
With mysql on my dev env. The secret string is 324 bytes long. |
$table = $schema->getTable('oauth2_clients'); | ||
if ($table->hasColumn('secret')) { | ||
$column = $table->getColumn('secret'); | ||
$column->setLength(256); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let's widen to 512?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 Thanks a lot.
I'll create another PR for master and adjust the backport PRs.
No idea about the max potential length of a 64 B string encrypted with OC\Security\Crypto
. Let's discuss that in #38770
This PR includes:
secret
column inoc_oauth2_clients
OCA\OAuth2\Db\Client::getRawSecret
andOCA\OAuth2\Db\Client::setRawSecret
) in the Client DB entity which are used in theoauth2
app instead ofOCA\OAuth2\Db\Client::getSecret
andOCA\OAuth2\Db\Client::setSecret
Maybe there's a more straightforward way to implement this.
I gave up on trying to redefine
OCA\OAuth2\Db\Client::getSecret
andOCA\OAuth2\Db\Client::setSecret
becausesetSecret
is used to build the Client entity so the value we get from the DB is encrypted again bysetSecret
and then stored in the entity attribute 😁.Remaining doubts/questions:
OCA\OAuth2\Db\Client::getSecret
andOCA\OAuth2\Db\Client::setSecret
methods?