fix(server): add old secret check for admin secret update

server/resolvers/update_env.go

@@ -3,6 +3,7 @@ package resolvers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"reflect"
@@ -12,6 +13,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/envstore"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/utils"
+	"golang.org/x/crypto/bcrypt"
 )
 
 // UpdateEnvResolver is a resolver for update config mutation
@@ -89,6 +91,15 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 
 	// in case of admin secret change update the cookie with new hash
 	if params.AdminSecret != nil {
+		if params.OldAdminSecret == nil {
+			return res, errors.New("admin secret and old admin secret are required for secret change")
+		}
+
+		err := bcrypt.CompareHashAndPassword([]byte(*params.OldAdminSecret), []byte(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string)))
+		if err != nil {
+			return res, errors.New("old admin secret is not correct")
+		}
+
 		hashedKey, err := utils.EncryptPassword(envstore.EnvInMemoryStoreObj.GetEnvVariable(constants.EnvKeyAdminSecret).(string))
 		if err != nil {
 			return res, err