chore!: ensure consistent secret token generation and hashing (#20388)

This PR uses the same sha256 hashing technique as we use for APIKeys. So
now all randomly generated secrets will be hashed with sha256 for
consistency.

This is a breaking change for the oauth tokens. Since oauth is only
allowed for dev builds and experimental, this is ok.

coderd/provisionerkey/provisionerkey.go

@@ -1,15 +1,14 @@
 package provisionerkey
 
 import (
-	"crypto/sha256"
 	"crypto/subtle"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
-	"github.com/coder/coder/v2/cryptorand"
 )
 
 const (
@@ -17,7 +16,7 @@ const (
 )
 
 func New(organizationID uuid.UUID, name string, tags map[string]string) (database.InsertProvisionerKeyParams, string, error) {
-	secret, err := cryptorand.String(secretLength)
+	secret, hashed, err := apikey.GenerateSecret(secretLength)
 	if err != nil {
 		return database.InsertProvisionerKeyParams{}, "", xerrors.Errorf("generate secret: %w", err)
 	}
@@ -31,7 +30,7 @@ func New(organizationID uuid.UUID, name string, tags map[string]string) (databas
 		CreatedAt:      dbtime.Now(),
 		OrganizationID: organizationID,
 		Name:           name,
-		HashedSecret:   HashSecret(secret),
+		HashedSecret:   hashed,
 		Tags:           tags,
 	}, secret, nil
 }
@@ -45,8 +44,7 @@ func Validate(token string) error {
 }
 
 func HashSecret(secret string) []byte {
-	h := sha256.Sum256([]byte(secret))
-	return h[:]
+	return apikey.HashSecret(secret)
 }
 
 func Compare(a []byte, b []byte) bool {