diff options
| author | KN4CK3R <admin@oldschoolhack.me> | 2023-10-14 02:56:41 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-14 00:56:41 +0000 |
| commit | c6c829fe3fde5d55b2115eb006b427288e381158 (patch) | |
| tree | d2429a0bfd72836375262137e0709995889c6924 /models | |
| parent | ee6a390675638b9c0f587d861e7063b9e633540a (diff) | |
| download | gitea-c6c829fe3fde5d55b2115eb006b427288e381158.tar.gz gitea-c6c829fe3fde5d55b2115eb006b427288e381158.zip | |
Enhanced auth token / remember me (#27606)
Closes #27455
> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
>
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.
The PR removes the now obsolete setting `COOKIE_USERNAME`.
Diffstat (limited to 'models')
| -rw-r--r-- | models/auth/access_token.go (renamed from models/auth/token.go) | 0 | ||||
| -rw-r--r-- | models/auth/access_token_scope.go (renamed from models/auth/token_scope.go) | 0 | ||||
| -rw-r--r-- | models/auth/access_token_scope_test.go (renamed from models/auth/token_scope_test.go) | 0 | ||||
| -rw-r--r-- | models/auth/access_token_test.go (renamed from models/auth/token_test.go) | 0 | ||||
| -rw-r--r-- | models/auth/auth_token.go | 60 | ||||
| -rw-r--r-- | models/migrations/migrations.go | 2 | ||||
| -rw-r--r-- | models/migrations/v1_22/v281.go | 21 |
7 files changed, 83 insertions, 0 deletions
diff --git a/models/auth/token.go b/models/auth/access_token.go index 8abcc622bc..8abcc622bc 100644 --- a/models/auth/token.go +++ b/models/auth/access_token.go diff --git a/models/auth/token_scope.go b/models/auth/access_token_scope.go index fe57276700..fe57276700 100644 --- a/models/auth/token_scope.go +++ b/models/auth/access_token_scope.go diff --git a/models/auth/token_scope_test.go b/models/auth/access_token_scope_test.go index a6097e45d7..a6097e45d7 100644 --- a/models/auth/token_scope_test.go +++ b/models/auth/access_token_scope_test.go diff --git a/models/auth/token_test.go b/models/auth/access_token_test.go index 72c937ffd6..72c937ffd6 100644 --- a/models/auth/token_test.go +++ b/models/auth/access_token_test.go diff --git a/models/auth/auth_token.go b/models/auth/auth_token.go new file mode 100644 index 0000000000..65f1b169eb --- /dev/null +++ b/models/auth/auth_token.go @@ -0,0 +1,60 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package auth + +import ( + "context" + + "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/modules/timeutil" + "code.gitea.io/gitea/modules/util" + + "xorm.io/builder" +) + +var ErrAuthTokenNotExist = util.NewNotExistErrorf("auth token does not exist") + +type AuthToken struct { //nolint:revive + ID string `xorm:"pk"` + TokenHash string + UserID int64 `xorm:"INDEX"` + ExpiresUnix timeutil.TimeStamp `xorm:"INDEX"` +} + +func init() { + db.RegisterModel(new(AuthToken)) +} + +func InsertAuthToken(ctx context.Context, t *AuthToken) error { + _, err := db.GetEngine(ctx).Insert(t) + return err +} + +func GetAuthTokenByID(ctx context.Context, id string) (*AuthToken, error) { + at := &AuthToken{} + + has, err := db.GetEngine(ctx).ID(id).Get(at) + if err != nil { + return nil, err + } + if !has { + return nil, ErrAuthTokenNotExist + } + return at, nil +} + +func UpdateAuthTokenByID(ctx context.Context, t *AuthToken) error { + _, err := db.GetEngine(ctx).ID(t.ID).Cols("token_hash", "expires_unix").Update(t) + return err +} + +func DeleteAuthTokenByID(ctx context.Context, id string) error { + _, err := db.GetEngine(ctx).ID(id).Delete(&AuthToken{}) + return err +} + +func DeleteExpiredAuthTokens(ctx context.Context) error { + _, err := db.GetEngine(ctx).Where(builder.Lt{"expires_unix": timeutil.TimeStampNow()}).Delete(&AuthToken{}) + return err +} diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index a8037fa67e..4a06cdc73a 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -546,6 +546,8 @@ var migrations = []Migration{ // v280 -> v281 NewMigration("Rename user themes", v1_22.RenameUserThemes), + // v281 -> v282 + NewMigration("Add auth_token table", v1_22.CreateAuthTokenTable), } // GetCurrentDBVersion returns the current db version diff --git a/models/migrations/v1_22/v281.go b/models/migrations/v1_22/v281.go new file mode 100644 index 0000000000..fc1866aa83 --- /dev/null +++ b/models/migrations/v1_22/v281.go @@ -0,0 +1,21 @@ +// Copyright 2023 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package v1_22 //nolint + +import ( + "code.gitea.io/gitea/modules/timeutil" + + "xorm.io/xorm" +) + +func CreateAuthTokenTable(x *xorm.Engine) error { + type AuthToken struct { + ID string `xorm:"pk"` + TokenHash string + UserID int64 `xorm:"INDEX"` + ExpiresUnix timeutil.TimeStamp `xorm:"INDEX"` + } + + return x.Sync(new(AuthToken)) +} |