[PR #379] [MERGED] fix: hash the refresh token in the DB (security) #847

Closed
opened 2025-10-08 00:18:19 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/pocket-id/pocket-id/pull/379
Author: @ItalyPaleAle
Created: 3/23/2025
Status: Merged
Merged: 3/25/2025
Merged by: @stonith404

Base: main ← Head: refresh-token-hash


📝 Commits (3)

  • 83c3785 fix: hash the refresh token in the DB
  • 3756c98 Fix test
  • 0c3df58 Use hex everywhere for consistency

📊 Changes

2 files changed (+107 additions, -91 deletions)


📝 backend/internal/service/oidc_service.go (+106 -90)
📝 backend/internal/service/test_service.go (+1 -1)

📄 Description

Fixup from #325

Makes sure that refresh tokens are stored as hashes in the database for security, as they are comparable to passwords.

Since refresh tokens are random strings of 40 characters (alphanumeric), they have enough entropy and a short-enough lifespan that a simple SHA-256 hash should suffice.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
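The storage scheme the description argues for, as an added Go example that is not pocket-id's own code: issue a 40-character alphanumeric token, keep only hex(SHA-256(token)) server-side, and resolve a presented token by hashing it and looking the hash up. The names (GenerateRefreshToken, TokenStore, Redeem) and the map standing in for the DB table are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"math"
	"math/big"
)

// Token shape as the PR describes it: 40 alphanumeric characters.
const (
	tokenAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	tokenLength   = 40
)

// GenerateRefreshToken draws each character uniformly from crypto/rand (hypothetical helper).
func GenerateRefreshToken() (string, error) {
	buf := make([]byte, tokenLength)
	n := big.NewInt(int64(len(tokenAlphabet)))
	for i := range buf {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		buf[i] = tokenAlphabet[idx.Int64()]
	}
	return string(buf), nil
}

// TokenEntropyBits is log2(62^40), about 238 bits: why an unsalted, unstretched SHA-256
// is acceptable here, where it would not be for a low-entropy user password.
func TokenEntropyBits() float64 {
	return tokenLength * math.Log2(float64(len(tokenAlphabet)))
}
// HashRefreshToken is the only form that reaches the database: hex(SHA-256(token)).
func HashRefreshToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}
// TokenStore stands in for the DB table, keyed by the hex hash, never by the raw token.
type TokenStore map[string]string
// Save records only the hash; the raw token goes to the client and is not retained.
func (s TokenStore) Save(token, clientID string) { s[HashRefreshToken(token)] = clientID }
// Redeem hashes the presented value and looks it up; a leaked row (the hash itself)
// presented as a token hashes to something else and is rejected.
func (s TokenStore) Redeem(presented string) (clientID string, ok bool) {
	clientID, ok = s[HashRefreshToken(presented)]
	return clientID, ok
}
```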
