fix: skip hashing unloaded env reference (#3029)

sweatybridge · web-flow · commit 55fc7042155f · 2025-01-11T03:22:01.000+08:00
* fix: skip hashing unloaded env reference

* fix: zero maps and arrays before unmarshaling
diff --git a/pkg/config/auth.go b/pkg/config/auth.go
@@ -265,23 +265,23 @@ func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if hook := h.CustomAccessToken; hook != nil {
 		if body.HookCustomAccessTokenEnabled = &hook.Enabled; hook.Enabled {
 			body.HookCustomAccessTokenUri = &hook.URI
-			if len(hook.Secrets.Value) > 0 {
+			if len(hook.Secrets.SHA256) > 0 {
 				body.HookCustomAccessTokenSecrets = &hook.Secrets.Value
 			}
 		}
 	}
 	if hook := h.SendEmail; hook != nil {
 		if body.HookSendEmailEnabled = &hook.Enabled; hook.Enabled {
 			body.HookSendEmailUri = &hook.URI
-			if len(hook.Secrets.Value) > 0 {
+			if len(hook.Secrets.SHA256) > 0 {
 				body.HookSendEmailSecrets = &hook.Secrets.Value
 			}
 		}
 	}
 	if hook := h.SendSMS; hook != nil {
 		if body.HookSendSmsEnabled = &hook.Enabled; hook.Enabled {
 			body.HookSendSmsUri = &hook.URI
-			if len(hook.Secrets.Value) > 0 {
+			if len(hook.Secrets.SHA256) > 0 {
 				body.HookSendSmsSecrets = &hook.Secrets.Value
 			}
 		}
@@ -290,15 +290,15 @@ func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if hook := h.MFAVerificationAttempt; hook != nil {
 		if body.HookMfaVerificationAttemptEnabled = &hook.Enabled; hook.Enabled {
 			body.HookMfaVerificationAttemptUri = &hook.URI
-			if len(hook.Secrets.Value) > 0 {
+			if len(hook.Secrets.SHA256) > 0 {
 				body.HookMfaVerificationAttemptSecrets = &hook.Secrets.Value
 			}
 		}
 	}
 	if hook := h.PasswordVerificationAttempt; hook != nil {
 		if body.HookPasswordVerificationAttemptEnabled = &hook.Enabled; hook.Enabled {
 			body.HookPasswordVerificationAttemptUri = &hook.URI
-			if len(hook.Secrets.Value) > 0 {
+			if len(hook.Secrets.SHA256) > 0 {
 				body.HookPasswordVerificationAttemptSecrets = &hook.Secrets.Value
 			}
 		}
@@ -512,7 +512,7 @@ func (s smtp) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	body.SmtpHost = &s.Host
 	body.SmtpPort = cast.Ptr(strconv.Itoa(int(s.Port)))
 	body.SmtpUser = &s.User
-	if len(s.Pass.Value) > 0 {
+	if len(s.Pass.SHA256) > 0 {
 		body.SmtpPass = &s.Pass.Value
 	}
 	body.SmtpAdminEmail = &s.AdminEmail
@@ -556,33 +556,33 @@ func (s sms) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	switch {
 	case s.Twilio.Enabled:
 		body.SmsProvider = cast.Ptr("twilio")
-		if len(s.Twilio.AuthToken.Value) > 0 {
+		if len(s.Twilio.AuthToken.SHA256) > 0 {
 			body.SmsTwilioAuthToken = &s.Twilio.AuthToken.Value
 		}
 		body.SmsTwilioAccountSid = &s.Twilio.AccountSid
 		body.SmsTwilioMessageServiceSid = &s.Twilio.MessageServiceSid
 	case s.TwilioVerify.Enabled:
 		body.SmsProvider = cast.Ptr("twilio_verify")
-		if len(s.TwilioVerify.AuthToken.Value) > 0 {
+		if len(s.TwilioVerify.AuthToken.SHA256) > 0 {
 			body.SmsTwilioVerifyAuthToken = &s.TwilioVerify.AuthToken.Value
 		}
 		body.SmsTwilioVerifyAccountSid = &s.TwilioVerify.AccountSid
 		body.SmsTwilioVerifyMessageServiceSid = &s.TwilioVerify.MessageServiceSid
 	case s.Messagebird.Enabled:
 		body.SmsProvider = cast.Ptr("messagebird")
-		if len(s.Messagebird.AccessKey.Value) > 0 {
+		if len(s.Messagebird.AccessKey.SHA256) > 0 {
 			body.SmsMessagebirdAccessKey = &s.Messagebird.AccessKey.Value
 		}
 		body.SmsMessagebirdOriginator = &s.Messagebird.Originator
 	case s.Textlocal.Enabled:
 		body.SmsProvider = cast.Ptr("textlocal")
-		if len(s.Textlocal.ApiKey.Value) > 0 {
+		if len(s.Textlocal.ApiKey.SHA256) > 0 {
 			body.SmsTextlocalApiKey = &s.Textlocal.ApiKey.Value
 		}
 		body.SmsTextlocalSender = &s.Textlocal.Sender
 	case s.Vonage.Enabled:
 		body.SmsProvider = cast.Ptr("vonage")
-		if len(s.Vonage.ApiSecret.Value) > 0 {
+		if len(s.Vonage.ApiSecret.SHA256) > 0 {
 			body.SmsVonageApiSecret = &s.Vonage.ApiSecret.Value
 		}
 		body.SmsVonageApiKey = &s.Vonage.ApiKey
@@ -647,15 +647,15 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["apple"]; ok {
 		if body.ExternalAppleEnabled = &p.Enabled; *body.ExternalAppleEnabled {
 			body.ExternalAppleClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalAppleSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["azure"]; ok {
 		if body.ExternalAzureEnabled = &p.Enabled; *body.ExternalAzureEnabled {
 			body.ExternalAzureClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalAzureSecret = &p.Secret.Value
 			}
 			body.ExternalAzureUrl = &p.Url
@@ -664,47 +664,47 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["bitbucket"]; ok {
 		if body.ExternalBitbucketEnabled = &p.Enabled; *body.ExternalBitbucketEnabled {
 			body.ExternalBitbucketClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalBitbucketSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["discord"]; ok {
 		if body.ExternalDiscordEnabled = &p.Enabled; *body.ExternalDiscordEnabled {
 			body.ExternalDiscordClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalDiscordSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["facebook"]; ok {
 		if body.ExternalFacebookEnabled = &p.Enabled; *body.ExternalFacebookEnabled {
 			body.ExternalFacebookClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalFacebookSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["figma"]; ok {
 		if body.ExternalFigmaEnabled = &p.Enabled; *body.ExternalFigmaEnabled {
 			body.ExternalFigmaClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalFigmaSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["github"]; ok {
 		if body.ExternalGithubEnabled = &p.Enabled; *body.ExternalGithubEnabled {
 			body.ExternalGithubClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalGithubSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["gitlab"]; ok {
 		if body.ExternalGitlabEnabled = &p.Enabled; *body.ExternalGitlabEnabled {
 			body.ExternalGitlabClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalGitlabSecret = &p.Secret.Value
 			}
 			body.ExternalGitlabUrl = &p.Url
@@ -713,7 +713,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["google"]; ok {
 		if body.ExternalGoogleEnabled = &p.Enabled; *body.ExternalGoogleEnabled {
 			body.ExternalGoogleClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalGoogleSecret = &p.Secret.Value
 			}
 			body.ExternalGoogleSkipNonceCheck = &p.SkipNonceCheck
@@ -722,15 +722,15 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["kakao"]; ok {
 		if body.ExternalKakaoEnabled = &p.Enabled; *body.ExternalKakaoEnabled {
 			body.ExternalKakaoClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalKakaoSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["keycloak"]; ok {
 		if body.ExternalKeycloakEnabled = &p.Enabled; *body.ExternalKeycloakEnabled {
 			body.ExternalKeycloakClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalKeycloakSecret = &p.Secret.Value
 			}
 			body.ExternalKeycloakUrl = &p.Url
@@ -739,55 +739,55 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["linkedin_oidc"]; ok {
 		if body.ExternalLinkedinOidcEnabled = &p.Enabled; *body.ExternalLinkedinOidcEnabled {
 			body.ExternalLinkedinOidcClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalLinkedinOidcSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["notion"]; ok {
 		if body.ExternalNotionEnabled = &p.Enabled; *body.ExternalNotionEnabled {
 			body.ExternalNotionClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalNotionSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["slack_oidc"]; ok {
 		if body.ExternalSlackOidcEnabled = &p.Enabled; *body.ExternalSlackOidcEnabled {
 			body.ExternalSlackOidcClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalSlackOidcSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["spotify"]; ok {
 		if body.ExternalSpotifyEnabled = &p.Enabled; *body.ExternalSpotifyEnabled {
 			body.ExternalSpotifyClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalSpotifySecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["twitch"]; ok {
 		if body.ExternalTwitchEnabled = &p.Enabled; *body.ExternalTwitchEnabled {
 			body.ExternalTwitchClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalTwitchSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["twitter"]; ok {
 		if body.ExternalTwitterEnabled = &p.Enabled; *body.ExternalTwitterEnabled {
 			body.ExternalTwitterClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalTwitterSecret = &p.Secret.Value
 			}
 		}
 	}
 	if p, ok := e["workos"]; ok {
 		if body.ExternalWorkosEnabled = &p.Enabled; *body.ExternalWorkosEnabled {
 			body.ExternalWorkosClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalWorkosSecret = &p.Secret.Value
 			}
 			body.ExternalWorkosUrl = &p.Url
@@ -796,7 +796,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
 	if p, ok := e["zoom"]; ok {
 		if body.ExternalZoomEnabled = &p.Enabled; *body.ExternalZoomEnabled {
 			body.ExternalZoomClientId = &p.ClientId
-			if len(p.Secret.Value) > 0 {
+			if len(p.Secret.SHA256) > 0 {
 				body.ExternalZoomSecret = &p.Secret.Value
 			}
 		}
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -433,6 +433,7 @@ func (c *config) loadFromReader(v *viper.Viper, r io.Reader) error {
 	if err := v.UnmarshalExact(c, func(dc *mapstructure.DecoderConfig) {
 		dc.TagName = "toml"
 		dc.Squash = true
+		dc.ZeroFields = true
 		dc.DecodeHook = c.newDecodeHook(LoadEnvHook)
 	}); err != nil {
 		return errors.Errorf("failed to parse config: %w", err)
diff --git a/pkg/config/secret.go b/pkg/config/secret.go
@@ -64,17 +64,16 @@ func DecryptSecretHookFunc(hashKey string) mapstructure.DecodeHookFunc {
 		if t != reflect.TypeOf(result) {
 			return data, nil
 		}
-		ciphertext := data.(string)
-		// Skip hashing unloaded env
-		if matches := envPattern.FindStringSubmatch(ciphertext); len(matches) > 1 {
-			return result, nil
-		}
 		var err error
 		privKey := os.Getenv("DOTENV_PRIVATE_KEY")
 		for _, k := range strings.Split(privKey, ",") {
-			result.Value, err = decrypt(k, ciphertext)
-			if err == nil && len(result.Value) > 0 {
-				result.SHA256 = sha256Hmac(hashKey, result.Value)
+			// Use the first private key that successfully decrypts the secret
+			if result.Value, err = decrypt(k, data.(string)); err == nil {
+				// Unloaded env() references may be returned verbatim.
+				// Don't hash those values as they are meaningless.
+				if !envPattern.MatchString(result.Value) {
+					result.SHA256 = sha256Hmac(hashKey, result.Value)
+				}
 				break
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -265,23 +265,23 @@ func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`265`	`265`	`if hook := h.CustomAccessToken; hook != nil {`
`266`	`266`	`if body.HookCustomAccessTokenEnabled = &hook.Enabled; hook.Enabled {`
`267`	`267`	`body.HookCustomAccessTokenUri = &hook.URI`
`268`		`- if len(hook.Secrets.Value) > 0 {`
	`268`	`+ if len(hook.Secrets.SHA256) > 0 {`
`269`	`269`	`body.HookCustomAccessTokenSecrets = &hook.Secrets.Value`
`270`	`270`	`}`
`271`	`271`	`}`
`272`	`272`	`}`
`273`	`273`	`if hook := h.SendEmail; hook != nil {`
`274`	`274`	`if body.HookSendEmailEnabled = &hook.Enabled; hook.Enabled {`
`275`	`275`	`body.HookSendEmailUri = &hook.URI`
`276`		`- if len(hook.Secrets.Value) > 0 {`
	`276`	`+ if len(hook.Secrets.SHA256) > 0 {`
`277`	`277`	`body.HookSendEmailSecrets = &hook.Secrets.Value`
`278`	`278`	`}`
`279`	`279`	`}`
`280`	`280`	`}`
`281`	`281`	`if hook := h.SendSMS; hook != nil {`
`282`	`282`	`if body.HookSendSmsEnabled = &hook.Enabled; hook.Enabled {`
`283`	`283`	`body.HookSendSmsUri = &hook.URI`
`284`		`- if len(hook.Secrets.Value) > 0 {`
	`284`	`+ if len(hook.Secrets.SHA256) > 0 {`
`285`	`285`	`body.HookSendSmsSecrets = &hook.Secrets.Value`
`286`	`286`	`}`
`287`	`287`	`}`
`@@ -290,15 +290,15 @@ func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`290`	`290`	`if hook := h.MFAVerificationAttempt; hook != nil {`
`291`	`291`	`if body.HookMfaVerificationAttemptEnabled = &hook.Enabled; hook.Enabled {`
`292`	`292`	`body.HookMfaVerificationAttemptUri = &hook.URI`
`293`		`- if len(hook.Secrets.Value) > 0 {`
	`293`	`+ if len(hook.Secrets.SHA256) > 0 {`
`294`	`294`	`body.HookMfaVerificationAttemptSecrets = &hook.Secrets.Value`
`295`	`295`	`}`
`296`	`296`	`}`
`297`	`297`	`}`
`298`	`298`	`if hook := h.PasswordVerificationAttempt; hook != nil {`
`299`	`299`	`if body.HookPasswordVerificationAttemptEnabled = &hook.Enabled; hook.Enabled {`
`300`	`300`	`body.HookPasswordVerificationAttemptUri = &hook.URI`
`301`		`- if len(hook.Secrets.Value) > 0 {`
	`301`	`+ if len(hook.Secrets.SHA256) > 0 {`
`302`	`302`	`body.HookPasswordVerificationAttemptSecrets = &hook.Secrets.Value`
`303`	`303`	`}`
`304`	`304`	`}`
`@@ -512,7 +512,7 @@ func (s smtp) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`512`	`512`	`body.SmtpHost = &s.Host`
`513`	`513`	`body.SmtpPort = cast.Ptr(strconv.Itoa(int(s.Port)))`
`514`	`514`	`body.SmtpUser = &s.User`
`515`		`- if len(s.Pass.Value) > 0 {`
	`515`	`+ if len(s.Pass.SHA256) > 0 {`
`516`	`516`	`body.SmtpPass = &s.Pass.Value`
`517`	`517`	`}`
`518`	`518`	`body.SmtpAdminEmail = &s.AdminEmail`
`@@ -556,33 +556,33 @@ func (s sms) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`556`	`556`	`switch {`
`557`	`557`	`case s.Twilio.Enabled:`
`558`	`558`	`body.SmsProvider = cast.Ptr("twilio")`
`559`		`- if len(s.Twilio.AuthToken.Value) > 0 {`
	`559`	`+ if len(s.Twilio.AuthToken.SHA256) > 0 {`
`560`	`560`	`body.SmsTwilioAuthToken = &s.Twilio.AuthToken.Value`
`561`	`561`	`}`
`562`	`562`	`body.SmsTwilioAccountSid = &s.Twilio.AccountSid`
`563`	`563`	`body.SmsTwilioMessageServiceSid = &s.Twilio.MessageServiceSid`
`564`	`564`	`case s.TwilioVerify.Enabled:`
`565`	`565`	`body.SmsProvider = cast.Ptr("twilio_verify")`
`566`		`- if len(s.TwilioVerify.AuthToken.Value) > 0 {`
	`566`	`+ if len(s.TwilioVerify.AuthToken.SHA256) > 0 {`
`567`	`567`	`body.SmsTwilioVerifyAuthToken = &s.TwilioVerify.AuthToken.Value`
`568`	`568`	`}`
`569`	`569`	`body.SmsTwilioVerifyAccountSid = &s.TwilioVerify.AccountSid`
`570`	`570`	`body.SmsTwilioVerifyMessageServiceSid = &s.TwilioVerify.MessageServiceSid`
`571`	`571`	`case s.Messagebird.Enabled:`
`572`	`572`	`body.SmsProvider = cast.Ptr("messagebird")`
`573`		`- if len(s.Messagebird.AccessKey.Value) > 0 {`
	`573`	`+ if len(s.Messagebird.AccessKey.SHA256) > 0 {`
`574`	`574`	`body.SmsMessagebirdAccessKey = &s.Messagebird.AccessKey.Value`
`575`	`575`	`}`
`576`	`576`	`body.SmsMessagebirdOriginator = &s.Messagebird.Originator`
`577`	`577`	`case s.Textlocal.Enabled:`
`578`	`578`	`body.SmsProvider = cast.Ptr("textlocal")`
`579`		`- if len(s.Textlocal.ApiKey.Value) > 0 {`
	`579`	`+ if len(s.Textlocal.ApiKey.SHA256) > 0 {`
`580`	`580`	`body.SmsTextlocalApiKey = &s.Textlocal.ApiKey.Value`
`581`	`581`	`}`
`582`	`582`	`body.SmsTextlocalSender = &s.Textlocal.Sender`
`583`	`583`	`case s.Vonage.Enabled:`
`584`	`584`	`body.SmsProvider = cast.Ptr("vonage")`
`585`		`- if len(s.Vonage.ApiSecret.Value) > 0 {`
	`585`	`+ if len(s.Vonage.ApiSecret.SHA256) > 0 {`
`586`	`586`	`body.SmsVonageApiSecret = &s.Vonage.ApiSecret.Value`
`587`	`587`	`}`
`588`	`588`	`body.SmsVonageApiKey = &s.Vonage.ApiKey`
`@@ -647,15 +647,15 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`647`	`647`	`if p, ok := e["apple"]; ok {`
`648`	`648`	`if body.ExternalAppleEnabled = &p.Enabled; *body.ExternalAppleEnabled {`
`649`	`649`	`body.ExternalAppleClientId = &p.ClientId`
`650`		`- if len(p.Secret.Value) > 0 {`
	`650`	`+ if len(p.Secret.SHA256) > 0 {`
`651`	`651`	`body.ExternalAppleSecret = &p.Secret.Value`
`652`	`652`	`}`
`653`	`653`	`}`
`654`	`654`	`}`
`655`	`655`	`if p, ok := e["azure"]; ok {`
`656`	`656`	`if body.ExternalAzureEnabled = &p.Enabled; *body.ExternalAzureEnabled {`
`657`	`657`	`body.ExternalAzureClientId = &p.ClientId`
`658`		`- if len(p.Secret.Value) > 0 {`
	`658`	`+ if len(p.Secret.SHA256) > 0 {`
`659`	`659`	`body.ExternalAzureSecret = &p.Secret.Value`
`660`	`660`	`}`
`661`	`661`	`body.ExternalAzureUrl = &p.Url`
`@@ -664,47 +664,47 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`664`	`664`	`if p, ok := e["bitbucket"]; ok {`
`665`	`665`	`if body.ExternalBitbucketEnabled = &p.Enabled; *body.ExternalBitbucketEnabled {`
`666`	`666`	`body.ExternalBitbucketClientId = &p.ClientId`
`667`		`- if len(p.Secret.Value) > 0 {`
	`667`	`+ if len(p.Secret.SHA256) > 0 {`
`668`	`668`	`body.ExternalBitbucketSecret = &p.Secret.Value`
`669`	`669`	`}`
`670`	`670`	`}`
`671`	`671`	`}`
`672`	`672`	`if p, ok := e["discord"]; ok {`
`673`	`673`	`if body.ExternalDiscordEnabled = &p.Enabled; *body.ExternalDiscordEnabled {`
`674`	`674`	`body.ExternalDiscordClientId = &p.ClientId`
`675`		`- if len(p.Secret.Value) > 0 {`
	`675`	`+ if len(p.Secret.SHA256) > 0 {`
`676`	`676`	`body.ExternalDiscordSecret = &p.Secret.Value`
`677`	`677`	`}`
`678`	`678`	`}`
`679`	`679`	`}`
`680`	`680`	`if p, ok := e["facebook"]; ok {`
`681`	`681`	`if body.ExternalFacebookEnabled = &p.Enabled; *body.ExternalFacebookEnabled {`
`682`	`682`	`body.ExternalFacebookClientId = &p.ClientId`
`683`		`- if len(p.Secret.Value) > 0 {`
	`683`	`+ if len(p.Secret.SHA256) > 0 {`
`684`	`684`	`body.ExternalFacebookSecret = &p.Secret.Value`
`685`	`685`	`}`
`686`	`686`	`}`
`687`	`687`	`}`
`688`	`688`	`if p, ok := e["figma"]; ok {`
`689`	`689`	`if body.ExternalFigmaEnabled = &p.Enabled; *body.ExternalFigmaEnabled {`
`690`	`690`	`body.ExternalFigmaClientId = &p.ClientId`
`691`		`- if len(p.Secret.Value) > 0 {`
	`691`	`+ if len(p.Secret.SHA256) > 0 {`
`692`	`692`	`body.ExternalFigmaSecret = &p.Secret.Value`
`693`	`693`	`}`
`694`	`694`	`}`
`695`	`695`	`}`
`696`	`696`	`if p, ok := e["github"]; ok {`
`697`	`697`	`if body.ExternalGithubEnabled = &p.Enabled; *body.ExternalGithubEnabled {`
`698`	`698`	`body.ExternalGithubClientId = &p.ClientId`
`699`		`- if len(p.Secret.Value) > 0 {`
	`699`	`+ if len(p.Secret.SHA256) > 0 {`
`700`	`700`	`body.ExternalGithubSecret = &p.Secret.Value`
`701`	`701`	`}`
`702`	`702`	`}`
`703`	`703`	`}`
`704`	`704`	`if p, ok := e["gitlab"]; ok {`
`705`	`705`	`if body.ExternalGitlabEnabled = &p.Enabled; *body.ExternalGitlabEnabled {`
`706`	`706`	`body.ExternalGitlabClientId = &p.ClientId`
`707`		`- if len(p.Secret.Value) > 0 {`
	`707`	`+ if len(p.Secret.SHA256) > 0 {`
`708`	`708`	`body.ExternalGitlabSecret = &p.Secret.Value`
`709`	`709`	`}`
`710`	`710`	`body.ExternalGitlabUrl = &p.Url`
`@@ -713,7 +713,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`713`	`713`	`if p, ok := e["google"]; ok {`
`714`	`714`	`if body.ExternalGoogleEnabled = &p.Enabled; *body.ExternalGoogleEnabled {`
`715`	`715`	`body.ExternalGoogleClientId = &p.ClientId`
`716`		`- if len(p.Secret.Value) > 0 {`
	`716`	`+ if len(p.Secret.SHA256) > 0 {`
`717`	`717`	`body.ExternalGoogleSecret = &p.Secret.Value`
`718`	`718`	`}`
`719`	`719`	`body.ExternalGoogleSkipNonceCheck = &p.SkipNonceCheck`
`@@ -722,15 +722,15 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`722`	`722`	`if p, ok := e["kakao"]; ok {`
`723`	`723`	`if body.ExternalKakaoEnabled = &p.Enabled; *body.ExternalKakaoEnabled {`
`724`	`724`	`body.ExternalKakaoClientId = &p.ClientId`
`725`		`- if len(p.Secret.Value) > 0 {`
	`725`	`+ if len(p.Secret.SHA256) > 0 {`
`726`	`726`	`body.ExternalKakaoSecret = &p.Secret.Value`
`727`	`727`	`}`
`728`	`728`	`}`
`729`	`729`	`}`
`730`	`730`	`if p, ok := e["keycloak"]; ok {`
`731`	`731`	`if body.ExternalKeycloakEnabled = &p.Enabled; *body.ExternalKeycloakEnabled {`
`732`	`732`	`body.ExternalKeycloakClientId = &p.ClientId`
`733`		`- if len(p.Secret.Value) > 0 {`
	`733`	`+ if len(p.Secret.SHA256) > 0 {`
`734`	`734`	`body.ExternalKeycloakSecret = &p.Secret.Value`
`735`	`735`	`}`
`736`	`736`	`body.ExternalKeycloakUrl = &p.Url`
`@@ -739,55 +739,55 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`739`	`739`	`if p, ok := e["linkedin_oidc"]; ok {`
`740`	`740`	`if body.ExternalLinkedinOidcEnabled = &p.Enabled; *body.ExternalLinkedinOidcEnabled {`
`741`	`741`	`body.ExternalLinkedinOidcClientId = &p.ClientId`
`742`		`- if len(p.Secret.Value) > 0 {`
	`742`	`+ if len(p.Secret.SHA256) > 0 {`
`743`	`743`	`body.ExternalLinkedinOidcSecret = &p.Secret.Value`
`744`	`744`	`}`
`745`	`745`	`}`
`746`	`746`	`}`
`747`	`747`	`if p, ok := e["notion"]; ok {`
`748`	`748`	`if body.ExternalNotionEnabled = &p.Enabled; *body.ExternalNotionEnabled {`
`749`	`749`	`body.ExternalNotionClientId = &p.ClientId`
`750`		`- if len(p.Secret.Value) > 0 {`
	`750`	`+ if len(p.Secret.SHA256) > 0 {`
`751`	`751`	`body.ExternalNotionSecret = &p.Secret.Value`
`752`	`752`	`}`
`753`	`753`	`}`
`754`	`754`	`}`
`755`	`755`	`if p, ok := e["slack_oidc"]; ok {`
`756`	`756`	`if body.ExternalSlackOidcEnabled = &p.Enabled; *body.ExternalSlackOidcEnabled {`
`757`	`757`	`body.ExternalSlackOidcClientId = &p.ClientId`
`758`		`- if len(p.Secret.Value) > 0 {`
	`758`	`+ if len(p.Secret.SHA256) > 0 {`
`759`	`759`	`body.ExternalSlackOidcSecret = &p.Secret.Value`
`760`	`760`	`}`
`761`	`761`	`}`
`762`	`762`	`}`
`763`	`763`	`if p, ok := e["spotify"]; ok {`
`764`	`764`	`if body.ExternalSpotifyEnabled = &p.Enabled; *body.ExternalSpotifyEnabled {`
`765`	`765`	`body.ExternalSpotifyClientId = &p.ClientId`
`766`		`- if len(p.Secret.Value) > 0 {`
	`766`	`+ if len(p.Secret.SHA256) > 0 {`
`767`	`767`	`body.ExternalSpotifySecret = &p.Secret.Value`
`768`	`768`	`}`
`769`	`769`	`}`
`770`	`770`	`}`
`771`	`771`	`if p, ok := e["twitch"]; ok {`
`772`	`772`	`if body.ExternalTwitchEnabled = &p.Enabled; *body.ExternalTwitchEnabled {`
`773`	`773`	`body.ExternalTwitchClientId = &p.ClientId`
`774`		`- if len(p.Secret.Value) > 0 {`
	`774`	`+ if len(p.Secret.SHA256) > 0 {`
`775`	`775`	`body.ExternalTwitchSecret = &p.Secret.Value`
`776`	`776`	`}`
`777`	`777`	`}`
`778`	`778`	`}`
`779`	`779`	`if p, ok := e["twitter"]; ok {`
`780`	`780`	`if body.ExternalTwitterEnabled = &p.Enabled; *body.ExternalTwitterEnabled {`
`781`	`781`	`body.ExternalTwitterClientId = &p.ClientId`
`782`		`- if len(p.Secret.Value) > 0 {`
	`782`	`+ if len(p.Secret.SHA256) > 0 {`
`783`	`783`	`body.ExternalTwitterSecret = &p.Secret.Value`
`784`	`784`	`}`
`785`	`785`	`}`
`786`	`786`	`}`
`787`	`787`	`if p, ok := e["workos"]; ok {`
`788`	`788`	`if body.ExternalWorkosEnabled = &p.Enabled; *body.ExternalWorkosEnabled {`
`789`	`789`	`body.ExternalWorkosClientId = &p.ClientId`
`790`		`- if len(p.Secret.Value) > 0 {`
	`790`	`+ if len(p.Secret.SHA256) > 0 {`
`791`	`791`	`body.ExternalWorkosSecret = &p.Secret.Value`
`792`	`792`	`}`
`793`	`793`	`body.ExternalWorkosUrl = &p.Url`
`@@ -796,7 +796,7 @@ func (e external) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {`
`796`	`796`	`if p, ok := e["zoom"]; ok {`
`797`	`797`	`if body.ExternalZoomEnabled = &p.Enabled; *body.ExternalZoomEnabled {`
`798`	`798`	`body.ExternalZoomClientId = &p.ClientId`
`799`		`- if len(p.Secret.Value) > 0 {`
	`799`	`+ if len(p.Secret.SHA256) > 0 {`
`800`	`800`	`body.ExternalZoomSecret = &p.Secret.Value`
`801`	`801`	`}`
`802`	`802`	`}`