From f047ee0a40b50ab51e10ddcc57040ffa127d9e21 Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Mon, 28 Nov 2022 23:37:42 +0800
Subject: [PATCH] Use random bytes to generate access token (#21959)

---
 models/auth/token.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/models/auth/token.go b/models/auth/token.go
index 763174f08f..0dfcb7629b 100644
--- a/models/auth/token.go
+++ b/models/auth/token.go
@@ -6,16 +6,15 @@ package auth
 
 import (
 	"crypto/subtle"
+	"encoding/hex"
 	"fmt"
 	"time"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
-	gouuid "github.com/google/uuid"
 	lru "github.com/hashicorp/golang-lru"
 )
 
@@ -100,8 +99,12 @@ func NewAccessToken(t *AccessToken) error {
 	if err != nil {
 		return err
 	}
+	token, err := util.CryptoRandomBytes(20)
+	if err != nil {
+		return err
+	}
 	t.TokenSalt = salt
-	t.Token = base.EncodeSha1(gouuid.New().String())
+	t.Token = hex.EncodeToString(token)
 	t.TokenHash = HashToken(t.Token, t.TokenSalt)
 	t.TokenLastEight = t.Token[len(t.Token)-8:]
 	_, err = db.GetEngine(db.DefaultContext).Insert(t)
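Review bot: The literal `20` in `util.CryptoRandomBytes(20)` carries a format invariant that is not written down: 20 bytes hex-encode to 40 characters, the same width as the SHA-1 hex string the removed line produced, which is what keeps `t.TokenLastEight = t.Token[len(t.Token)-8:]` and any fixed-width token column working unchanged. I would add above the call `// 20 random bytes -> 40 hex chars: same width as the old SHA-1 hex token, so TokenLastEight and the stored column are unaffected.` or lift it into a named constant such as `accessTokenRandomBytes`. The new token now has 160 bits of randomness versus the 122 bits of the hashed UUID v4 it replaces, and the last eight hex characters (32 bits) are still stored in the clear as a lookup hint, so the secret part remains 128 bits; that is worth a sentence in the function's doc comment so nobody later "tidies" the length. This assumes `util.CryptoRandomBytes` draws from `crypto/rand` and always returns the requested length, which the hunk does not show. `NewAccessToken` starts and ends outside the hunk.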