Support for specifying client secret hasher (#1498)

Co-authored-by: Matej Spiller Muys <[email protected]>
jazzband · Sep 22, 2024 · 937ae21 · 937ae21
1 parent e34819a
commit 937ae21
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 1 deletion.
diff --git a/AUTHORS b/AUTHORS
@@ -86,6 +86,7 @@ Ludwig Hähne
 Łukasz Skarżyński
 Madison Swain-Bowden
 Marcus Sonestedt
+Matej Spiller Muys
 Matias Seniquiel
 Michael Howitz
 Owen Gong

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!--
 ## [unreleased]
 ### Added
+* Support for specifying client secret hasher via CLIENT_SECRET_HASHER setting.
 ### Changed
 ### Deprecated
 ### Removed

diff --git a/docs/settings.rst b/docs/settings.rst
@@ -104,6 +104,10 @@ CLIENT_SECRET_GENERATOR_LENGTH
 The length of the generated secrets, in characters. If this value is too low,
 secrets may become subject to bruteforce guessing.
 
+CLIENT_SECRET_HASHER
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+The hasher for storing generated secrets. By default library will use the first hasher in PASSWORD_HASHERS.
+
 EXTRA_SERVER_KWARGS
 ~~~~~~~~~~~~~~~~~~~
 A dictionary to be passed to oauthlib's Server class. Three options

diff --git a/oauth2_provider/models.py b/oauth2_provider/models.py
@@ -40,7 +40,7 @@ def pre_save(self, model_instance, add):
             logger.debug(f"{model_instance}: {self.attname} is already hashed with {hasher}.")
         except ValueError:
             logger.debug(f"{model_instance}: {self.attname} is not hashed; hashing it now.")
-            hashed_secret = make_password(secret)
+            hashed_secret = make_password(secret, hasher=oauth2_settings.CLIENT_SECRET_HASHER)
             setattr(model_instance, self.attname, hashed_secret)
             return hashed_secret
         return super().pre_save(model_instance, add)

diff --git a/oauth2_provider/settings.py b/oauth2_provider/settings.py
@@ -37,6 +37,7 @@
     "CLIENT_ID_GENERATOR_CLASS": "oauth2_provider.generators.ClientIdGenerator",
     "CLIENT_SECRET_GENERATOR_CLASS": "oauth2_provider.generators.ClientSecretGenerator",
     "CLIENT_SECRET_GENERATOR_LENGTH": 128,
+    "CLIENT_SECRET_HASHER": "default",
     "ACCESS_TOKEN_GENERATOR": None,
     "REFRESH_TOKEN_GENERATOR": None,
     "EXTRA_SERVER_KWARGS": {},

diff --git a/tests/custom_hasher.py b/tests/custom_hasher.py
@@ -0,0 +1,10 @@
+from django.contrib.auth.hashers import PBKDF2PasswordHasher
+
+
+class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
+    """
+    A subclass of PBKDF2PasswordHasher that uses less iterations.
+    """
+
+    algorithm = "fast_pbkdf2"
+    iterations = 10000
diff --git a/tests/settings.py b/tests/settings.py
@@ -89,6 +89,8 @@
     "tests",
 )
 
+PASSWORD_HASHERS = django.conf.settings.PASSWORD_HASHERS + ["tests.custom_hasher.MyPBKDF2PasswordHasher"]
+
 LOGGING = {
     "version": 1,
     "disable_existing_loggers": False,

diff --git a/tests/test_models.py b/tests/test_models.py
@@ -72,6 +72,22 @@ def test_hashed_secret(self):
         self.assertNotEqual(app.client_secret, CLEARTEXT_SECRET)
         self.assertTrue(check_password(CLEARTEXT_SECRET, app.client_secret))
 
+    @override_settings(OAUTH2_PROVIDER={"CLIENT_SECRET_HASHER": "fast_pbkdf2"})
+    def test_hashed_from_settings(self):
+        app = Application.objects.create(
+            name="test_app",
+            redirect_uris="http://localhost http://example.com http://example.org",
+            user=self.user,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            authorization_grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_secret=CLEARTEXT_SECRET,
+            hash_client_secret=True,
+        )
+
+        self.assertNotEqual(app.client_secret, CLEARTEXT_SECRET)
+        self.assertIn("fast_pbkdf2", app.client_secret)
+        self.assertTrue(check_password(CLEARTEXT_SECRET, app.client_secret))
+
     def test_unhashed_secret(self):
         app = Application.objects.create(
             name="test_app",