Hash shared secret before checking validity of IRS Attempts API token

[mitchellhenke]

🛠 Summary of changes

This is generally not how one uses scrypt hashing, but we do not store the hashed version currently (though we may in the future and this puts the pieces in place).

[zachmargolis]

this line is giving me bad vibes, I am really worried about the portability of secrets referencing each other during initialization like this. How would you feel about just hardcoding our production config cost here, since it's not likely to change anytime soon?

[mitchellhenke]

The pain point is testing and local development where it'd hash the production value on startup every time. Maybe there's a different place to hold it.

[mitchellhenke]

Agreed on the bad vibes though

[zachmargolis]

re: testing where it hashes the prod value on startup each time, I think that was why in my commit I redid re-stubbed the config value with a known new plaintext in the controller spec

[zachmargolis]

this keep the original unhashed value in memory, right? I see that we're using it in specs, but I feel like the point of this PR was to remove that?

[zachmargolis]

they all have the same cost/salt right? so we could scrypt the incoming value once?

Maybe inside the processing block, we reorganize the secret value so it's more like a dictionary? or even a struct?

{
  cost: cost,
  salt: salt,
  hashed_tokens: ['a', 'b', 'c']
}

[mitchellhenke]

yep, that makes sense.

[zachmargolis]

LGTM

[zachmargolis]

I think we can back out this change now that we're no longer using it