Use random bytes to generate access token (#21959)

This commit is contained in:
Jason Song 2022-11-28 23:37:42 +08:00 committed by GitHub
parent 9607750b5e
commit f047ee0a40
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -6,16 +6,15 @@ package auth
import ( import (
"crypto/subtle" "crypto/subtle"
"encoding/hex"
"fmt" "fmt"
"time" "time"
"code.gitea.io/gitea/models/db" "code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
gouuid "github.com/google/uuid"
lru "github.com/hashicorp/golang-lru" lru "github.com/hashicorp/golang-lru"
) )
@ -100,8 +99,12 @@ func NewAccessToken(t *AccessToken) error {
if err != nil { if err != nil {
return err return err
} }
token, err := util.CryptoRandomBytes(20)
if err != nil {
return err
}
t.TokenSalt = salt t.TokenSalt = salt
t.Token = base.EncodeSha1(gouuid.New().String()) t.Token = hex.EncodeToString(token)
t.TokenHash = HashToken(t.Token, t.TokenSalt) t.TokenHash = HashToken(t.Token, t.TokenSalt)
t.TokenLastEight = t.Token[len(t.Token)-8:] t.TokenLastEight = t.Token[len(t.Token)-8:]
_, err = db.GetEngine(db.DefaultContext).Insert(t) _, err = db.GetEngine(db.DefaultContext).Insert(t)
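Review bot: The token length `20` passed to util.CryptoRandomBytes is a bare magic number, and the resulting hex string's width (40 characters) is what the `TokenLastEight` slice on the next line, and presumably the stored-token column and any token-format checks elsewhere, depend on; hoist it into a named constant with a comment, e.g. `// accessTokenLen is the number of random bytes in a new token; hex-encoded it is 2*accessTokenLen characters, the same width as the SHA-1 hex it replaced.` followed by `const accessTokenLen = 20` and `token, err := util.CryptoRandomBytes(accessTokenLen)`. Both `return err` statements in this hunk also drop context about which step failed; `return fmt.Errorf("generating access token: %w", err)` keeps the chain and fmt is already imported. NewAccessToken begins and ends outside the hunk.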