Class: Gitlab::DoorkeeperSecretStoring::Secret::Pbkdf2Sha512
- Inherits: Doorkeeper::SecretStoring::Base
  - Object
  - Doorkeeper::SecretStoring::Base
  - Gitlab::DoorkeeperSecretStoring::Secret::Pbkdf2Sha512
- Defined in: lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb
Constant Summary
- STRETCHES = 20_000
- SALT = ''
  An empty salt is used because we need to look tokens up solely by their hashed value. Additionally, tokens are always cryptographically pseudo-random and unique, therefore salting provides no additional security.
Class Method Summary
- .allows_restoring_secrets? ⇒ Boolean
  Determines whether this strategy supports restoring secrets from the database.
- .secret_matches?(input, stored) ⇒ Boolean
  Securely compare the given input value with a stored value processed by transform_secret.
- .transform_secret(plain_secret) ⇒ Object
Class Method Details
.allows_restoring_secrets? ⇒ Boolean
Determines whether this strategy supports restoring secrets from the database. This allows detecting users trying to use a non-restorable strategy with reuse_access_tokens.

    # File 'lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb', line 21
    def self.allows_restoring_secrets?
      false
    end
.secret_matches?(input, stored) ⇒ Boolean
Securely compare the given input value with a stored value processed by transform_secret.

    # File 'lib/gitlab/doorkeeper_secret_storing/secret/pbkdf2_sha512.rb', line 28
    def self.secret_matches?(input, stored)
      transformed_input = transform_secret(input)
      ActiveSupport::SecurityUtils.secure_compare transformed_input, stored
    end
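The following is an added example, not GitLab's or Doorkeeper's code, showing why the empty SALT permits lookup by digest alone and where the constant-time comparison in secret_matches? fits. The names demo_transform, demo_secure_compare, demo_secret_matches? and DemoTokenStore are hypothetical, and the 64-byte hex output is an assumption because the body of transform_secret is not shown on this page.

```ruby
require 'openssl'
require 'digest'
require 'securerandom'

STRETCHES = 20_000 # iteration count listed on the page
SALT = ''          # empty salt, as listed on the page

# Hypothetical stand-in for transform_secret. The 64-byte output length and
# hex encoding are assumptions; the real method body is not on this page.
def demo_transform(plain_secret, salt: SALT)
  raw = OpenSSL::PKCS5.pbkdf2_hmac(plain_secret, salt, STRETCHES, 64,
                                   OpenSSL::Digest.new('SHA512'))
  raw.unpack1('H*')
end

# Constant-time comparison: hash both sides to a fixed length, then OR the
# XOR of every byte pair so timing does not reveal the first mismatch.
def demo_secure_compare(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def demo_secret_matches?(input, stored)
  demo_secure_compare(demo_transform(input), stored)
end

# Constructed in-memory table keyed by digest only, standing in for a
# uniquely indexed database column. The plaintext token is never stored.
class DemoTokenStore
  def initialize
    @owner_by_digest = {}
  end

  def issue(owner)
    token = SecureRandom.hex(32) # 256 bits of CSPRNG output
    @owner_by_digest[demo_transform(token)] = owner
    token
  end

  # One keyed lookup suffices because the digest is deterministic.
  def find_owner(presented_token)
    @owner_by_digest[demo_transform(presented_token)]
  end

  def stored_digests
    @owner_by_digest.keys
  end
end
```

With a random per-token salt, `demo_transform(token, salt: ...)` produces a different digest for the same token, so `find_owner` could not locate the row from the presented token alone.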