Hash/Encrypt OAuth tokens
Currently, GitLab Doorkeeper OAuth Application secrets and tokens are stored in plaintext in the database. This is in the oauth_applications table in the secret column, and in the oauth_access_tokens table in the token and refresh_token columns.
Doorkeeper has support for hashing/encrypting these values. See https://github.com/doorkeeper-gem/doorkeeper/blob/master/lib/generators/doorkeeper/templates/migration.rb.erb#L60-72 for more information. They support SHA256 and BCrypt out of the box, but it is also possible to create your own. You can see how 'simple' the SHA256 implementation is - https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/secret_storing/sha256_hash.rb
Given our efforts to change from BCrypt to SHA512 or PBKDF2 for password hashing I think we should do the same with our own implementation here.
Doorkeeper also supports falling back to plaintext secrets and tokens to support proactive migration.
NOTE: This is not compatible with the reuse_access_token configuration, which we use, and which we propose to change as part of #363525 (closed).
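The following is an added example, not GitLab or Doorkeeper code, showing the two mechanics discussed above: a secret-storing strategy with the same three-method shape as Doorkeeper's SecretStoring classes (transform_secret, secret_matches?, allows_restoring_secrets?) using SHA512 rather than SHA256, and a lookup that falls back to plaintext rows and re-stores them hashed on first use, the proactive migration Doorkeeper's fallback strategy performs. The TokenTable class, its method names and the sample token strings are stand-ins constructed for the example; a real implementation would be an ActiveRecord model. Two points it makes concrete: the transform has to be deterministic, because the token presented by the client is hashed and then looked up by equality in the token column (a per-row salt would defeat that lookup; tokens are high-entropy random values, so a plain digest is defensible here in a way it is not for user passwords), and a hashed token cannot be handed back to a client again, which is exactly why reuse_access_token needs plaintext.

```ruby
require "digest"
require "openssl"

# Added example (not GitLab or Doorkeeper code). Strategy classes follow the
# shape of Doorkeeper's SecretStoring::Base subclasses.
module TokenStoring
  # SHA512 counterpart of Doorkeeper's Sha256Hash strategy.
  class Sha512Hash
    # Deterministic: the same plaintext must always map to the same stored
    # value, because lookups search the token column for transform(plain).
    def self.transform_secret(plain_secret)
      Digest::SHA512.hexdigest(plain_secret)
    end

    # Constant-time comparison of the hashed input against the stored value.
    def self.secret_matches?(input, stored)
      OpenSSL.secure_compare(transform_secret(input), stored)
    end

    # A digest cannot be reversed, so the original token can never be
    # returned to a client again (reuse_access_token requires plaintext).
    def self.allows_restoring_secrets?
      false
    end
  end

  # Plaintext strategy: how rows are stored today; used only as the fallback.
  class Plain
    def self.transform_secret(plain_secret)
      plain_secret
    end

    def self.secret_matches?(input, stored)
      OpenSSL.secure_compare(input, stored)
    end

    def self.allows_restoring_secrets?
      true
    end
  end

  # Stand-in for the oauth_access_tokens table (constructed for the example).
  class TokenTable
    Row = Struct.new(:id, :token)

    def initialize(strategy:, fallback_strategy: nil)
      @strategy = strategy
      @fallback = fallback_strategy
      @rows = []
    end

    # Rows written before hashing was enabled are inserted with Plain.
    def insert(plain_token, strategy: @strategy)
      row = Row.new(@rows.size + 1, strategy.transform_secret(plain_token))
      @rows << row
      row
    end

    # Mirrors the fallback flow: look up by the current strategy's transform,
    # then by the fallback strategy, and upgrade the row when the fallback hits.
    def find_by_plaintext_token(plain_token)
      row = lookup(@strategy, plain_token)
      return row if row
      return nil unless @fallback

      row = lookup(@fallback, plain_token)
      return nil unless row

      row.token = @strategy.transform_secret(plain_token) # proactive migration
      row
    end

    def stored_value(id)
      @rows.find { |r| r.id == id }&.token
    end

    private

    # Equality lookup (what a DB index does), then a constant-time re-check.
    def lookup(strategy, plain_token)
      needle = strategy.transform_secret(plain_token)
      row = @rows.find { |r| r.token == needle }
      row if row && strategy.secret_matches?(plain_token, row.token)
    end
  end

  # One legacy plaintext row and one hashed row: both resolve, and the legacy
  # row is re-stored as a SHA512 digest after its first successful lookup.
  def self.demo
    table = TokenTable.new(strategy: Sha512Hash, fallback_strategy: Plain)
    legacy = table.insert("legacy-plaintext-token", strategy: Plain) # constructed sample
    fresh  = table.insert("new-hashed-token")                        # constructed sample
    {
      fresh_found:     table.find_by_plaintext_token("new-hashed-token")&.id == fresh.id,
      legacy_found:    table.find_by_plaintext_token("legacy-plaintext-token")&.id == legacy.id,
      legacy_upgraded: table.stored_value(legacy.id) == Sha512Hash.transform_secret("legacy-plaintext-token"),
      unknown_nil:     table.find_by_plaintext_token("no-such-token").nil?,
      restorable:      Sha512Hash.allows_restoring_secrets?
    }
  end
end

puts TokenStoring.demo if $PROGRAM_NAME == __FILE__
```

The upgrade step is what makes the fallback safe to leave enabled only temporarily: once every live token has been presented once, or expired, the plaintext strategy can be removed from the configuration and the remaining unhashed rows treated as dead. Note that the upgrade is only possible because the client has just presented the plaintext; nothing in the table can be converted in bulk without it.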