From 47b653fd649eea2abcbd7ee4b4f2dcc7135abc8d Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Mon, 10 Nov 2025 11:38:47 +0000
Subject: [PATCH] Use correct hashing algorithm for oauth2 token

---
 app/controllers/api/account.php | 7 ++++---
 src/Appwrite/Utopia/Database/Documents/User.php | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index f6c0039571..c4657a5e4d 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -1764,16 +1764,17 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
 $duration = $project->getAttribute('auths', [])['duration'] ?? TOKEN_EXPIRATION_LOGIN_LONG;
 $expire = DateTime::formatTz(DateTime::addSeconds(new \DateTime(), $duration));
- $proofsForTokenOAuth2 = new ProofsToken(TOKEN_LENGTH_OAUTH2);
+ $proofForTokenOAuth2 = new ProofsToken(TOKEN_LENGTH_OAUTH2);
+ $proofForTokenOAuth2->setHash(new Sha());
 
 // If the `token` param is set, we will return the token in the query string
 if ($state['token']) {
- $secret = $proofsForTokenOAuth2->generate();
+ $secret = $proofForTokenOAuth2->generate();
 $token = new Document([
 '$id' => ID::unique(),
 'userId' => $user->getId(),
 'userInternalId' => $user->getSequence(),
 'type' => TOKEN_TYPE_OAUTH2,
- 'secret' => $proofsForTokenOAuth2->hash($secret), // One way hash encryption to protect DB leak
+ 'secret' => $proofForTokenOAuth2->hash($secret), // One way hash encryption to protect DB leak
 'expire' => $expire,
 'userAgent' => $request->getUserAgent('UNKNOWN'),
 'ip' => $request->getIP(),
diff --git a/src/Appwrite/Utopia/Database/Documents/User.php b/src/Appwrite/Utopia/Database/Documents/User.php
index 994c099a40..44ff27c44c 100644
--- a/src/Appwrite/Utopia/Database/Documents/User.php
+++ b/src/Appwrite/Utopia/Database/Documents/User.php
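Review bot: The algorithm picked on the new `$proofForTokenOAuth2->setHash(new Sha());` line is chosen here but enforced nowhere: the verifying ProofsToken in User.php is configured outside this hunk, and if it does not select the same hash, tokens issued by this handler will fail to match (or be checked under whatever its default is), so the two sides should share one constant or factory rather than each calling setHash independently. A plain SHA digest is only defensible because the stored value is a random secret of TOKEN_LENGTH_OAUTH2 length rather than a user-chosen password (presumably `generate()` draws from a CSPRNG — worth confirming), and that reasoning should be recorded; I would replace the trailing comment on the `'secret' =>` line with `// Hashed (not encrypted) so a DB leak yields no usable tokens; a fast SHA is acceptable only because the secret is random/high-entropy, and the algorithm must match the verifier in User.php`. The hunk shows no `use` import for `Sha`; confirm it resolves in this file. The enclosing route closure starts and ends outside the hunk.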
@@ -141,7 +141,7 @@ class User extends Document
 $token->isSet('expire') &&
 $token->isSet('type') &&
 ($type === null || $token->getAttribute('type') === $type) &&
- $proofForToken->verify($proofForToken->hash($secret), $token->getAttribute('secret')) &&
+ $proofForToken->verify($secret, $token->getAttribute('secret')) &&
 DateTime::formatTz($token->getAttribute('expire')) >= DateTime::formatTz(DateTime::now())
 ) {
 return $token;
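Review bot: The new `$proofForToken->verify($secret, $token->getAttribute('secret'))` line passes the raw secret, so the match now depends entirely on `$proofForToken` having been configured with the same hash (`Sha`) that the OAuth2 redirect handler applies at issuance; that configuration is outside this hunk, and nothing here asserts it, so a drift between the two sides would silently reject every OAuth2 token or compare under a different default. I would add above the verify line `// $proofForToken must use the same hash the token was stored with (see the OAuth2 redirect handler); verify() is expected to hash $secret itself and compare in constant time — confirm hash_equals()`. If any OAuth2 tokens were persisted under the previous default hash, they will stop verifying after this change; that may be acceptable given their expiry, but it belongs in the commit message. The enclosing method starts and ends outside the hunk.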