* Use single shared random string generation function - Replace 3 functions that do the same with 1 shared one - Use crypto/rand over math/rand for a stronger RNG - Output only alphanumerical for URL compatibilty Fixes: #15536 * use const string method * Update modules/avatar/avatar.go Co-authored-by: a1012112796 <1012112796@qq.com> Co-authored-by: a1012112796 <1012112796@qq.com>
		
			
				
	
	
		
			88 lines
		
	
	
		
			2.1 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			88 lines
		
	
	
		
			2.1 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2018 The Gitea Authors. All rights reserved.
 | |
| // Use of this source code is governed by a MIT-style
 | |
| // license that can be found in the LICENSE file.
 | |
| 
 | |
| package migrations
 | |
| 
 | |
| import (
 | |
| 	"crypto/sha256"
 | |
| 	"fmt"
 | |
| 
 | |
| 	"code.gitea.io/gitea/modules/timeutil"
 | |
| 	"code.gitea.io/gitea/modules/util"
 | |
| 
 | |
| 	"golang.org/x/crypto/pbkdf2"
 | |
| 	"xorm.io/xorm"
 | |
| )
 | |
| 
 | |
| func addScratchHash(x *xorm.Engine) error {
 | |
| 	// TwoFactor see models/twofactor.go
 | |
| 	type TwoFactor struct {
 | |
| 		ID               int64 `xorm:"pk autoincr"`
 | |
| 		UID              int64 `xorm:"UNIQUE"`
 | |
| 		Secret           string
 | |
| 		ScratchToken     string
 | |
| 		ScratchSalt      string
 | |
| 		ScratchHash      string
 | |
| 		LastUsedPasscode string             `xorm:"VARCHAR(10)"`
 | |
| 		CreatedUnix      timeutil.TimeStamp `xorm:"INDEX created"`
 | |
| 		UpdatedUnix      timeutil.TimeStamp `xorm:"INDEX updated"`
 | |
| 	}
 | |
| 
 | |
| 	if err := x.Sync2(new(TwoFactor)); err != nil {
 | |
| 		return fmt.Errorf("Sync2: %v", err)
 | |
| 	}
 | |
| 
 | |
| 	sess := x.NewSession()
 | |
| 	defer sess.Close()
 | |
| 
 | |
| 	if err := sess.Begin(); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	// transform all tokens to hashes
 | |
| 	const batchSize = 100
 | |
| 	for start := 0; ; start += batchSize {
 | |
| 		tfas := make([]*TwoFactor, 0, batchSize)
 | |
| 		if err := sess.Limit(batchSize, start).Find(&tfas); err != nil {
 | |
| 			return err
 | |
| 		}
 | |
| 		if len(tfas) == 0 {
 | |
| 			break
 | |
| 		}
 | |
| 
 | |
| 		for _, tfa := range tfas {
 | |
| 			// generate salt
 | |
| 			salt, err := util.RandomString(10)
 | |
| 			if err != nil {
 | |
| 				return err
 | |
| 			}
 | |
| 			tfa.ScratchSalt = salt
 | |
| 			tfa.ScratchHash = hashToken(tfa.ScratchToken, salt)
 | |
| 
 | |
| 			if _, err := sess.ID(tfa.ID).Cols("scratch_salt, scratch_hash").Update(tfa); err != nil {
 | |
| 				return fmt.Errorf("couldn't add in scratch_hash and scratch_salt: %v", err)
 | |
| 			}
 | |
| 
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Commit and begin new transaction for dropping columns
 | |
| 	if err := sess.Commit(); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	if err := sess.Begin(); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 
 | |
| 	if err := dropTableColumns(sess, "two_factor", "scratch_token"); err != nil {
 | |
| 		return err
 | |
| 	}
 | |
| 	return sess.Commit()
 | |
| }
 | |
| 
 | |
| func hashToken(token, salt string) string {
 | |
| 	tempHash := pbkdf2.Key([]byte(token), []byte(salt), 10000, 50, sha256.New)
 | |
| 	return fmt.Sprintf("%x", tempHash)
 | |
| }
 |