refactor: hash refresh token secret

supalarry · supalarry · commit 08ccf0d88d00 · 2026-02-19T14:32:40.000+01:00
diff --git a/packages/features/oauth/services/OAuthService.ts b/packages/features/oauth/services/OAuthService.ts
@@ -4,7 +4,7 @@ import type { TeamRepository } from "@calcom/features/ee/teams/repositories/Team
 import type { AccessCodeRepository } from "@calcom/features/oauth/repositories/AccessCodeRepository";
 import type { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import type { OAuthRefreshTokenRepository } from "@calcom/features/oauth/repositories/OAuthRefreshTokenRepository";
-import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
+import { generateSecret, hashSecretKey } from "@calcom/features/oauth/utils/generateSecret";
 import { ErrorCode } from "@calcom/lib/errorCodes";
 import { ErrorWithCode } from "@calcom/lib/errors";
 import { verifyCodeChallenge } from "@calcom/lib/pkce";
@@ -327,7 +327,7 @@ export class OAuthService {
     });
 
     await this.oAuthRefreshTokenRepository.create({
-      secret: tokens.refreshTokenSecret,
+      secret: hashSecretKey(tokens.refreshTokenSecret),
       clientId,
       userId: accessCode.userId,
       teamId: accessCode.teamId,
@@ -369,7 +369,8 @@ export class OAuthService {
     // note(Lauris): legacy tokens (issued before invalidating old refresh tokens was implemented) won't have a secret,
     // so we accept them once and issue new tokens with a secret.
     if (decodedToken.secret) {
-      const storedToken = await this.oAuthRefreshTokenRepository.findBySecret(decodedToken.secret);
+      const hashedSecret = hashSecretKey(decodedToken.secret);
+      const storedToken = await this.oAuthRefreshTokenRepository.findBySecret(hashedSecret);
       if (!storedToken) {
         throw new ErrorWithCode(ErrorCode.BadRequest, "invalid_grant", { reason: "refresh_token_revoked" });
       }
@@ -386,14 +387,14 @@ export class OAuthService {
       await this.oAuthRefreshTokenRepository.rotateTokenForUser({
         clientId,
         userId: decodedToken.userId,
-        newSecret: tokens.refreshTokenSecret,
+        newSecret: hashSecretKey(tokens.refreshTokenSecret),
         expiresInSeconds: tokens.refreshTokenExpiresIn,
       });
     } else if (decodedToken.teamId) {
       await this.oAuthRefreshTokenRepository.rotateTokenForTeam({
         clientId,
         teamId: decodedToken.teamId,
-        newSecret: tokens.refreshTokenSecret,
+        newSecret: hashSecretKey(tokens.refreshTokenSecret),
         expiresInSeconds: tokens.refreshTokenExpiresIn,
       });
     } else {
