diff --git a/integrations/api_oauth2_apps_test.go b/integrations/api_oauth2_apps_test.go index e51549568a6..2c08338b25b 100644 --- a/integrations/api_oauth2_apps_test.go +++ b/integrations/api_oauth2_apps_test.go @@ -43,7 +43,7 @@ func testAPICreateOAuth2Application(t *testing.T) { DecodeJSON(t, resp, &createdApp) assert.EqualValues(t, appBody.Name, createdApp.Name) - assert.Len(t, createdApp.ClientSecret, 44) + assert.Len(t, createdApp.ClientSecret, 56) assert.Len(t, createdApp.ClientID, 36) assert.NotEmpty(t, createdApp.Created) assert.EqualValues(t, appBody.RedirectURIs[0], createdApp.RedirectURIs[0]) diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go index e7030fce289..2341e086202 100644 --- a/models/auth/oauth2.go +++ b/models/auth/oauth2.go @@ -6,13 +6,13 @@ package auth import ( "crypto/sha256" + "encoding/base32" "encoding/base64" "fmt" "net/url" "strings" "code.gitea.io/gitea/models/db" - "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/util" @@ -57,12 +57,22 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool { return util.IsStringInSlice(redirectURI, app.RedirectURIs, true) } +// Base32 characters, but lowercased. +const lowerBase32Chars = "abcdefghijklmnopqrstuvwxyz234567" + +// base32 encoder that uses lowered characters without padding. +var base32Lower = base32.NewEncoding(lowerBase32Chars).WithPadding(base32.NoPadding) + // GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database func (app *OAuth2Application) GenerateClientSecret() (string, error) { - clientSecret, err := secret.New() + rBytes, err := util.CryptoRandomBytes(32) if err != nil { return "", err } + // Add a prefix to the base32, this is in order to make it easier + // for code scanners to grab sensitive tokens. + clientSecret := "gto_" + base32Lower.EncodeToString(rBytes) + hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost) if err != nil { return "", err @@ -394,10 +404,14 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChalleng } func (grant *OAuth2Grant) generateNewAuthorizationCode(e db.Engine, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error) { - var codeSecret string - if codeSecret, err = secret.New(); err != nil { + rBytes, err := util.CryptoRandomBytes(32) + if err != nil { return &OAuth2AuthorizationCode{}, err } + // Add a prefix to the base32, this is in order to make it easier + // for code scanners to grab sensitive tokens. + codeSecret := "gta_" + base32Lower.EncodeToString(rBytes) + code = &OAuth2AuthorizationCode{ Grant: grant, GrantID: grant.ID, diff --git a/modules/secret/secret.go b/modules/secret/secret.go index 6b410f23819..e7edc7a95e5 100644 --- a/modules/secret/secret.go +++ b/modules/secret/secret.go @@ -13,20 +13,8 @@ import ( "encoding/hex" "errors" "io" - - "code.gitea.io/gitea/modules/util" ) -// New creates a new secret -func New() (string, error) { - return NewWithLength(44) -} - -// NewWithLength creates a new secret for a given length -func NewWithLength(length int64) (string, error) { - return util.CryptoRandomString(length) -} - // AesEncrypt encrypts text and given key with AES. func AesEncrypt(key, text []byte) ([]byte, error) { block, err := aes.NewCipher(key) diff --git a/modules/secret/secret_test.go b/modules/secret/secret_test.go index f3a88eecc82..b1c99d85136 100644 --- a/modules/secret/secret_test.go +++ b/modules/secret/secret_test.go @@ -10,17 +10,6 @@ import ( "github.com/stretchr/testify/assert" ) -func TestNew(t *testing.T) { - result, err := New() - assert.NoError(t, err) - assert.True(t, len(result) == 44) - - result2, err := New() - assert.NoError(t, err) - // check if secrets - assert.NotEqual(t, result, result2) -} - func TestEncryptDecrypt(t *testing.T) { var hex string var str string