
[CRE-1848] Don't output hashed passwords. #21601

Merged
pavel-raykov merged 2 commits into develop from hide-hash
Mar 19, 2026

Conversation

@pavel-raykov
Collaborator

No description provided.

@github-actions
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions
Contributor

github-actions bot commented Mar 19, 2026

✅ No conflicts with other open PRs targeting develop

@trunk-io

trunk-io bot commented Mar 19, 2026

Contributor

Copilot AI left a comment


Pull request overview

Risk Rating: MEDIUM (touches authentication/user credential handling paths)

This PR updates the sessions.User model so hashed passwords are stored as a redacted secret type, reducing the risk of leaking password hashes via serialization/logging, and updates call sites/tests accordingly.

Changes:

  • Change sessions.User.HashedPassword from string to config.SecretString.
  • Update password verification to unwrap SecretString when calling utils.CheckPasswordHash.
  • Update tests/SQL inserts to account for the new SecretString type.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

| File | Description |
|------|-------------|
| core/web/user_controller.go | Unwrap SecretString when checking old password on password update. |
| core/web/resolver/mutation.go | Unwrap SecretString when checking old password in GraphQL mutation. |
| core/web/resolver/user_test.go | Update tests to set HashedPassword as SecretString (one case still needs updating). |
| core/web/resolver/api_token_test.go | Update tests to set HashedPassword as SecretString. |
| core/sessions/user.go | Change HashedPassword to config.SecretString and wrap on user creation. |
| core/sessions/oidcauth/oidc.go | Unwrap SecretString for local fallback password verification. |
| core/sessions/oidcauth/oidc_test.go | Ensure DB inserts use the underlying string value of SecretString. |
| core/sessions/localauth/orm.go | Unwrap SecretString when inserting a user row; unwrap for login password verification. |
| core/sessions/ldapauth/ldap.go | Unwrap SecretString for local fallback password verification. |

Areas requiring scrupulous human review:

  • All string(user.HashedPassword) usages in authentication flows (UpdatePassword, local login fallbacks) to ensure they only occur where the raw hash is strictly needed and cannot be logged/serialized accidentally.
  • DB write paths that now pass string(user.HashedPassword) to SQL to ensure the stored value is the real hash (and not a redacted placeholder).

Suggested reviewers (per CODEOWNERS):

  • @smartcontractkit/foundations, @smartcontractkit/core (root + /core/web/resolver ownership)

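An added illustration of the pattern the review above describes, not code from this PR or from the project: `SecretString` here is a hypothetical stand-in whose methods and `xxxxx` placeholder are assumptions, since the page does not show `config.SecretString` itself. It shows that formatting and JSON output of a user carry only the placeholder, and why verification and DB writes need the explicit `string(...)` unwrap.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SecretString is a hypothetical stand-in for a redacting secret type; it is
// not the project's config.SecretString, whose methods this page does not show.
type SecretString string

const placeholder = "xxxxx" // constructed redaction marker

func (SecretString) String() string               { return placeholder }
func (SecretString) GoString() string             { return placeholder }
func (SecretString) MarshalText() ([]byte, error) { return []byte(placeholder), nil }

// User mirrors only the field the review discusses.
type User struct {
	Email          string
	HashedPassword SecretString
}

// Renderings returns the user as it would appear in logs and API output.
func Renderings(u User) []string {
	j, err := json.Marshal(u)
	if err != nil {
		return []string{"marshal error: " + err.Error()}
	}
	return []string{
		fmt.Sprintf("%v", u), fmt.Sprintf("%+v", u), fmt.Sprintf("%#v", u),
		fmt.Sprint(u.HashedPassword), string(j),
	}
}

// RawHash is the explicit unwrap that verification and DB writes need.
func RawHash(u User) string { return string(u.HashedPassword) }

// TextEncoded is what a text-based encoder would persist without the unwrap.
func TextEncoded(u User) string {
	b, _ := u.HashedPassword.MarshalText()
	return string(b)
}

func main() {
	u := User{Email: "admin@example.test", HashedPassword: "$2a$10$constructedHashValue"}
	for _, r := range Renderings(u) {
		fmt.Println(r)
	}
	fmt.Println(RawHash(u) != TextEncoded(u)) // only the unwrap yields the hash
}
```
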


4 participants