Use random bytes to generate access token (#21959)

author: Jason Song <i@wolfogre.com> 2022-11-28 23:37:42 +0800
committer: GitHub <noreply@github.com> 2022-11-28 23:37:42 +0800
commit: f047ee0a40b50ab51e10ddcc57040ffa127d9e21 (patch)
tree: 5cccc1a9f3bff7f2887aaa85096fdea7b5f9a264 /models
parent: 9607750b5e9001ab379fa8deab0dadbb6219c66e (diff)
download: gitea-f047ee0a40b50ab51e10ddcc57040ffa127d9e21.tar.gz
gitea-f047ee0a40b50ab51e10ddcc57040ffa127d9e21.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/models/auth/token.go b/models/auth/token.go
index 763174f08f..0dfcb7629b 100644
--- a/models/auth/token.go
+++ b/models/auth/token.go
@@ -6,16 +6,15 @@ package auth
 
 import (
 	"crypto/subtle"
+	"encoding/hex"
 	"fmt"
 	"time"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
-	gouuid "github.com/google/uuid"
 	lru "github.com/hashicorp/golang-lru"
 )
 
@@ -100,8 +99,12 @@ func NewAccessToken(t *AccessToken) error {
 	if err != nil {
 		return err
 	}
+	token, err := util.CryptoRandomBytes(20)
+	if err != nil {
+		return err
+	}
 	t.TokenSalt = salt
-	t.Token = base.EncodeSha1(gouuid.New().String())
+	t.Token = hex.EncodeToString(token)
 	t.TokenHash = HashToken(t.Token, t.TokenSalt)
 	t.TokenLastEight = t.Token[len(t.Token)-8:]
 	_, err = db.GetEngine(db.DefaultContext).Insert(t)
author	Jason Song <i@wolfogre.com>	2022-11-28 23:37:42 +0800
committer	GitHub <noreply@github.com>	2022-11-28 23:37:42 +0800
commit	f047ee0a40b50ab51e10ddcc57040ffa127d9e21 (patch)
tree	5cccc1a9f3bff7f2887aaa85096fdea7b5f9a264 /models
parent	9607750b5e9001ab379fa8deab0dadbb6219c66e (diff)
download	gitea-f047ee0a40b50ab51e10ddcc57040ffa127d9e21.tar.gz gitea-f047ee0a40b50ab51e10ddcc57040ffa127d9e21.zip