fix: issue where client receives already hashed client_secret

oauth_dcr/views.py

@@ -87,12 +87,15 @@ def post(self, request):
 
             # Create the application
             try:
-                application = self._create_application(processed_metadata)
+                application, client_secret = self._create_application(processed_metadata)
             except Exception as e:
                 logger.exception(f"Failed to create application: {e}")
                 return self._error_response("server_error",
                                             "Failed to register client", 500)
 
+            # Restore the unhashed client secret for response
+            application.client_secret = client_secret
+
             # Return client information response
             return self._success_response(application, processed_metadata["token_endpoint_auth_method"])
 
@@ -228,15 +231,21 @@ def _validate_client_metadata(self, metadata):
 
     def _create_application(self, metadata):
         """Create Application instance from validated metadata"""
-        application = Application.objects.create(
+        application = Application(
             name=metadata.get("name", ""),
             client_type=metadata["client_type"],
             authorization_grant_type=metadata["authorization_grant_type"],
             redirect_uris=metadata.get("redirect_uris", ""),
             # client_id and client_secret are auto-generated
         )
 
-        return application
+        # Store unhashed client_secret for response
+        client_secret = application.client_secret
+
+        # client_secret is hashed automatically on save
+        application.save()
+
+        return application, client_secret
 
     def _success_response(self, application, token_endpoint_auth_method):
         """Generate successful registration response"""