authorwxiaoguang <wxiaoguang@gmail.com>2022-01-26 12:10:10 +0800
committerGitHub <noreply@github.com>2022-01-26 12:10:10 +0800
commit49dd9067535538771ef13623ed1dd9698a4a2151 (patch)
tree7a06ff053683e50d93ad50ce25585a13d54c41e5 /models/auth
parent4889ab52de0b390bb6e96ad6a64ee082585b3d79 (diff)
Use base32 for 2FA scratch token (#18384)
* Use base32 for 2FA scratch token * rename Secure* to Crypto*, add comments
Diffstat (limited to 'models/auth')
-rw-r--r--models/auth/twofactor.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/models/auth/twofactor.go b/models/auth/twofactor.go
index 883e6ce01c..c5bd972f91 100644
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@@ -8,6 +8,7 @@ import (
"crypto/md5"
"crypto/sha256"
"crypto/subtle"
+ "encoding/base32"
"encoding/base64"
"fmt"
@@ -58,11 +59,14 @@ func init() {
// GenerateScratchToken recreates the scratch token the user is using.
func (t *TwoFactor) GenerateScratchToken() (string, error) {
- token, err := util.RandomString(8)
+ tokenBytes, err := util.CryptoRandomBytes(6)
if err != nil {
return "", err
}
- t.ScratchSalt, _ = util.RandomString(10)
+ // these chars are specially chosen, avoid ambiguous chars like `0`, `O`, `1`, `I`.
+ const base32Chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
+ token := base32.NewEncoding(base32Chars).WithPadding(base32.NoPadding).EncodeToString(tokenBytes)
+ t.ScratchSalt, _ = util.CryptoRandomString(10)
t.ScratchHash = HashToken(token, t.ScratchSalt)
return token, nil
}
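Review bot: The error from `util.CryptoRandomString(10)` is still discarded with `_` on the new `t.ScratchSalt` line, so if the underlying random source fails (presumably crypto/rand, going by the rename) the salt is left empty, `HashToken` runs over an empty salt, and the function still reports success; the token bytes two lines above already get the error check the salt lacks. Since `err` is already in scope from the `tokenBytes` assignment, the fix is one line: `if t.ScratchSalt, err = util.CryptoRandomString(10); err != nil { return "", err }`. The doc comment "recreates the scratch token the user is using" no longer matches the body, which draws fresh bytes and overwrites `t.ScratchHash`; I would change it to `// GenerateScratchToken generates a new scratch token, stores its salted hash on t, and returns the plaintext token (10 characters from a base32 alphabet with no ambiguous characters); the previous hash is replaced.` As a style point, `base32.NewEncoding(base32Chars).WithPadding(base32.NoPadding)` builds the encoding on every call and could be a package-level `var` next to the alphabet constant, which also keeps the character-set comment in one place.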