Verifies the integrity of the projects, as builds are executed immediately after a code change is detected. This plan provides no artifacts (use a nightly build instead).

Build: #2972 was successful Changes by Guus der Kinderen

Stages & jobs

  1. Default Stage

  2. Continuous Integration

Build result summary

Details

Completed
Queue duration: < 1 second
Duration: 10 minutes
Labels: None
Agent: mesonet-ah.agron.iastate.edu (3)
Revision: 37847f59ecf08bbe7e3b0961025aedc84d473d46
Total tests: 2002
Successful since: #2937

Tests

Code commits

Author Commit Message Commit date
Guus der Kinderen f2b03b999e6974e52fa583e8f2400a3690e82417 OF-3258 (code review): Guard against misbehaving AuthProviders
When an AuthProvider cannot return a password, it should throw one of the exceptions defined in the contract, rather than return a null password.

This change guards against misbehaving providers that return null, by interpreting null in the same way as a non-existent user and/or missing support for password retrieval.
Guus der Kinderen f1f5245f21d6c0676b5f4496f68506a6c0ba0e9e OF-3258 (code review): Fake salts should be similar in size to real ones
The usage of fake salts is to prevent attackers from determining if a username exists. For this to work, the salts need to be indistinguishable from real ones. Using the same size for both helps.
Guus der Kinderen 8f5b3e77298bf7bdc7f69e5f5be66e35bb8ef762 OF-3257/OF-3258 (code review): Fix description of SERVER_SECRET_NONEXISTING_USERS
The documentation for SERVER_SECRET_NONEXISTING_USERS incorrectly stated that the value is used for salt derivation only. In practice, this secret is used more broadly to derive deterministic, fake SCRAM credentials for non-existing users, including stored keys and server keys (and where applicable salt values).

Update the Javadoc and i18n labels to accurately reflect this behavior. Additionally, document the effect of changing (rotating) this value.
Guus der Kinderen 8ef647a8c44b1e74cc805662df3463b72b73f97b OF-3257/OF-3258 (code review): Guard against empty values for server secret constant
Having an empty value for the server secret value is unlikely to happen, but should be replaced. This is an easy hardening with no downside.
Guus der Kinderen 939df3c87aaf05aac0f716ea70b86d0a494c0254 OF-3257/OF-3258: Improve one-time initialization of SERVER_SECRET_NONEXISTENT_USERS
The previous method for one-time initialization of the SERVER_SECRET_NONEXISTENT_USERS property (which depended on a static initializer block) proved to be fragile.

In this commit, initialization happens in a getter that should be used instead of directly accessing the property.

Jira issues

Issue Description Status
Unknown Issue Type OF-3257 Could not obtain issue details from Jira
Unknown Issue Type OF-3258 Could not obtain issue details from Jira

Shared artifacts

Artifact File size
Unpacked project files 268 MB