fix(server): add old secret check for admin secret update

2022-01-17 13:20:32 +05:30 · 2022-01-17 13:20:32 +05:30 · 3b4d0d9769
commit 3b4d0d9769
parent c15b65b473
5 changed files with 19 additions and 10 deletions
--- a/server/graph/generated/generated.go
+++ b/server/graph/generated/generated.go
@ -1093,7 +1093,7 @@ type Env {

 input UpdateEnvInput {
 	ADMIN_SECRET: String
-	CONFIRM_ADMIN_SECRET: String
+	OLD_ADMIN_SECRET: String
 	DATABASE_TYPE: String
 	DATABASE_URL: String
 	DATABASE_NAME: String
@ -6258,11 +6258,11 @@ func (ec *executionContext) unmarshalInputUpdateEnvInput(ctx context.Context, ob
 			if err != nil {
 				return it, err
 			}
-		case "CONFIRM_ADMIN_SECRET":
+		case "OLD_ADMIN_SECRET":
 			var err error

-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("CONFIRM_ADMIN_SECRET"))
-			it.ConfirmAdminSecret, err = ec.unmarshalOString2ᚖstring(ctx, v)
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("OLD_ADMIN_SECRET"))
+			it.OldAdminSecret, err = ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
--- a/server/graph/model/models_gen.go
+++ b/server/graph/model/models_gen.go
@ -119,7 +119,7 @@ type SignUpInput struct {

 type UpdateEnvInput struct {
 	AdminSecret                *string  `json:"ADMIN_SECRET"`
-	ConfirmAdminSecret         *string  `json:"CONFIRM_ADMIN_SECRET"`
+	OldAdminSecret             *string  `json:"OLD_ADMIN_SECRET"`
 	DatabaseType               *string  `json:"DATABASE_TYPE"`
 	DatabaseURL                *string  `json:"DATABASE_URL"`
 	DatabaseName               *string  `json:"DATABASE_NAME"`
--- a/server/graph/schema.graphqls
+++ b/server/graph/schema.graphqls
@ -100,7 +100,7 @@ type Env {

 input UpdateEnvInput {
 	ADMIN_SECRET: String
-	CONFIRM_ADMIN_SECRET: String
+	OLD_ADMIN_SECRET: String
 	DATABASE_TYPE: String
 	DATABASE_URL: String
 	DATABASE_NAME: String
--- a/server/graph/schema.resolvers.go
+++ b/server/graph/schema.resolvers.go
@ -105,7 +105,5 @@ func (r *Resolver) Mutation() generated.MutationResolver { return &mutationResol
 // Query returns generated.QueryResolver implementation.
 func (r *Resolver) Query() generated.QueryResolver { return &queryResolver{r} }

-type (
-	mutationResolver struct{ *Resolver }
-	queryResolver    struct{ *Resolver }
-)
+type mutationResolver struct{ *Resolver }
+type queryResolver struct{ *Resolver }
--- a/server/resolvers/update_env.go
+++ b/server/resolvers/update_env.go
@ -3,6 +3,7 @@ package resolvers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"reflect"
@ -12,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
+	"golang.org/x/crypto/bcrypt"
 )

 // UpdateEnvResolver is a resolver for update config mutation
@ -89,6 +91,15 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model

 	// in case of admin secret change update the cookie with new hash
 	if params.AdminSecret != nil {
+		if params.OldAdminSecret == nil {
+			return res, errors.New("admin secret and old admin secret are required for secret change")
+		}
+
+		err := bcrypt.CompareHashAndPassword([]byte(*params.OldAdminSecret), []byte(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string)))
+		if err != nil {
+			return res, errors.New("old admin secret is not correct")
+		}
+
 		hashedKey, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string))
 		if err != nil {
 			return res, err