From 3b4d0d9769aa36f9d3fbb5514cc60ff479b41c5b Mon Sep 17 00:00:00 2001 From: Lakhan Samani Date: Mon, 17 Jan 2022 13:20:32 +0530 Subject: [PATCH] fix(server): add old secret check for admin secret update --- server/graph/generated/generated.go | 8 ++++---- server/graph/model/models_gen.go | 2 +- server/graph/schema.graphqls | 2 +- server/graph/schema.resolvers.go | 6 ++---- server/resolvers/update_env.go | 11 +++++++++++ 5 files changed, 19 insertions(+), 10 deletions(-) diff --git a/server/graph/generated/generated.go b/server/graph/generated/generated.go index 981f382..9aa694a 100644 --- a/server/graph/generated/generated.go +++ b/server/graph/generated/generated.go @@ -1093,7 +1093,7 @@ type Env { input UpdateEnvInput { ADMIN_SECRET: String - CONFIRM_ADMIN_SECRET: String + OLD_ADMIN_SECRET: String DATABASE_TYPE: String DATABASE_URL: String DATABASE_NAME: String @@ -6258,11 +6258,11 @@ func (ec *executionContext) unmarshalInputUpdateEnvInput(ctx context.Context, ob if err != nil { return it, err } - case "CONFIRM_ADMIN_SECRET": + case "OLD_ADMIN_SECRET": var err error - ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("CONFIRM_ADMIN_SECRET")) - it.ConfirmAdminSecret, err = ec.unmarshalOString2áš–string(ctx, v) + ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("OLD_ADMIN_SECRET")) + it.OldAdminSecret, err = ec.unmarshalOString2áš–string(ctx, v) if err != nil { return it, err } diff --git a/server/graph/model/models_gen.go b/server/graph/model/models_gen.go index 2c86ba1..63cad41 100644 --- a/server/graph/model/models_gen.go +++ b/server/graph/model/models_gen.go @@ -119,7 +119,7 @@ type SignUpInput struct { type UpdateEnvInput struct { AdminSecret *string `json:"ADMIN_SECRET"` - ConfirmAdminSecret *string `json:"CONFIRM_ADMIN_SECRET"` + OldAdminSecret *string `json:"OLD_ADMIN_SECRET"` DatabaseType *string `json:"DATABASE_TYPE"` DatabaseURL *string `json:"DATABASE_URL"` DatabaseName *string `json:"DATABASE_NAME"` 
diff --git a/server/graph/schema.graphqls b/server/graph/schema.graphqls
index 39b5c17..98e8d3b 100644
--- a/server/graph/schema.graphqls
+++ b/server/graph/schema.graphqls
@@ -100,7 +100,7 @@ type Env {
 input UpdateEnvInput {
   ADMIN_SECRET: String
-  CONFIRM_ADMIN_SECRET: String
+  OLD_ADMIN_SECRET: String
   DATABASE_TYPE: String
   DATABASE_URL: String
   DATABASE_NAME: String
diff --git a/server/graph/schema.resolvers.go b/server/graph/schema.resolvers.go
index fd8db59..eafdc57 100644
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@@ -105,7 +105,5 @@ func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResol
 // Query returns generated.QueryResolver implementation.
 func (r *Resolver) Query() generated.QueryResolver { return &queryResolver{r} }
-type (
-	mutationResolver struct{ *Resolver }
-	queryResolver struct{ *Resolver }
-)
+type mutationResolver struct{ *Resolver }
+type queryResolver struct{ *Resolver }
diff --git a/server/resolvers/update_env.go b/server/resolvers/update_env.go
index b9881ae..5113fd3 100644
--- a/server/resolvers/update_env.go
+++ b/server/resolvers/update_env.go
@@ -3,6 +3,7 @@ package resolvers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"reflect"
@@ -12,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
+	"golang.org/x/crypto/bcrypt"
 )
 // UpdateEnvResolver is a resolver for update config mutation
@@ -89,6 +91,15 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	// in case of admin secret change update the cookie with new hash
 	if params.AdminSecret != nil {
+		if params.OldAdminSecret == nil {
+			return res, errors.New("admin secret and old admin secret are required for secret change")
+		}
+		err := bcrypt.CompareHashAndPassword([]byte(*params.OldAdminSecret), []byte(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string)))
+		if err != nil {
+			return res, errors.New("old admin secret is not correct")
+		}
+
 		hashedKey, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string))
 		if err != nil {
 			return res, err
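Review bot: The bcrypt.CompareHashAndPassword call in the added check has its arguments reversed: the signature is (hashedPassword, password), but the request's OldAdminSecret is passed as the hash and the stored env value as the password. The unchanged line that follows feeds that same stored value to utils.EncryptPassword to derive the cookie hash, which suggests the env store holds the plaintext secret rather than a bcrypt hash — if so, a plaintext old secret can never satisfy the compare (bcrypt rejects it as a malformed hash) and rotation is blocked for everyone, while the check only passes if the caller submits a bcrypt hash of the secret. If the stored value is plaintext, replace the compare with a constant-time equality, `if subtle.ConstantTimeCompare([]byte(*params.OldAdminSecret), []byte(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string))) != 1 { return res, errors.New("old admin secret is not correct") }` (importing crypto/subtle, and dropping the bcrypt import if nothing else uses it); if it really is a bcrypt hash, swap the two arguments instead. Either way a comment should record which form the store holds, e.g. `// admin secret is kept in plaintext in the env store; compare in constant time`. The enclosing UpdateEnvResolver body starts and continues outside this hunk.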