Merge pull request #12878 from overleaf/em-hash-oauth-secrets-2

Script for hashing OAuth secrets GitOrigin-RevId: 7e2198ff9b41a24b1ca84768c24f3f653243c030
2024-11-21 20:47:08 -05:00 · 2023-05-02 11:53:02 -04:00 · 2023-05-02 11:53:02 -04:00 · 05f963d17d
commit 05f963d17d
parent 66d29940c3
1 changed files with 48 additions and 0 deletions
--- a/services/web/scripts/oauth/backfill_hashed_secrets.js
+++ b/services/web/scripts/oauth/backfill_hashed_secrets.js
@ -0,0 +1,48 @@
+const {
+  db,
+  waitForDb,
+  READ_PREFERENCE_SECONDARY,
+} = require('../../app/src/infrastructure/mongodb')
+const {
+  hashSecret,
+} = require('../../modules/oauth2-server/app/src/SecretsHelper')
+
+async function main() {
+  await waitForDb()
+  console.log('Hashing client secrets...')
+  await hashSecrets(db.oauthApplications, 'clientSecret')
+  console.log('Hashing access tokens...')
+  await hashSecrets(db.oauthAccessTokens, 'accessToken')
+  console.log('Hashing refresh tokens...')
+  await hashSecrets(db.oauthAccessTokens, 'refreshToken')
+  console.log('Hashing authorization codes...')
+  await hashSecrets(db.oauthAuthorizationCodes, 'authorizationCode')
+}
+
+async function hashSecrets(collection, field) {
+  const cursor = collection.find(
+    {
+      [field]: /^(?!v1\.)/,
+    },
+    {
+      projection: { _id: 1, [field]: 1 },
+      readPreference: READ_PREFERENCE_SECONDARY,
+    }
+  )
+  let hashedCount = 0
+  for await (const doc of cursor) {
+    const hash = hashSecret(doc[field])
+    await collection.updateOne({ _id: doc._id }, { $set: { [field]: hash } })
+    hashedCount++
+  }
+  console.log(`${hashedCount} secrets hashed`)
+}
+
+main()
+  .then(() => {
+    process.exit(0)
+  })
+  .catch(err => {
+    console.error(err)
+    process.exit(1)
+  })