barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-12-31 04:22:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ca74534048935c73d50e612b17bd72c58674cd6b
tinyauth/internal/service/oidc_service.go
Olivier Dumont ca74534048 Add bcrypt hashing for client secrets and RSA key encryption 
Security improvements:

1. Client secret hashing:
   - Replace plaintext comparison with bcrypt.CompareHashAndPassword
   - Provides constant-time comparison to prevent timing attacks
   - Hash secrets with bcrypt before storing in database
   - Update SyncClientsFromConfig to hash incoming plaintext secrets

2. Deterministic RSA key loading:
   - Load most recently created key using ORDER BY created_at DESC
   - Add warning if multiple keys detected in database
   - Ensures consistent key selection on startup

3. Optional RSA key encryption:
   - Encrypt private keys with AES-256-GCM when OIDC_RSA_MASTER_KEY is set
   - Master key derived via SHA256 from environment variable
   - Backward compatible: stores plaintext if no master key set
   - Automatic detection of encrypted vs plaintext on load

All changes maintain backward compatibility with existing deployments.
2025-12-30 13:26:06 +01:00

23 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink