🔒️ more secure token generation

2026-02-04 04:30:05 +00:00 · 2022-12-16 23:34:14 +08:00
parent c027ae1396
commit 8ae885874b
10 changed files with 65 additions and 58 deletions
--- a/cmd/dashboard/controller/member_api.go
+++ b/cmd/dashboard/controller/member_api.go
@@ -100,9 +100,17 @@ func (ma *memberAPI) issueNewToken(c *gin.Context) {
 		})
 		return
 	}
+	secureToken, err := utils.GenerateRandomString(32)
+	if err != nil {
+		c.JSON(http.StatusOK, model.Response{
+			Code:    http.StatusBadRequest,
+			Message: fmt.Sprintf("请求错误：%s", err),
+		})
+		return
+	}
 	token := &model.ApiToken{
 		UserID: u.ID,
-		Token:  utils.MD5(fmt.Sprintf("%d%d%s", time.Now().UnixNano(), u.ID, u.Login)),
+		Token:  secureToken,
 		Note:   tf.Note,
 	}
 	singleton.DB.Create(token)
@@ -310,7 +318,6 @@ type serverForm struct {
 }

 func (ma *memberAPI) addOrEditServer(c *gin.Context) {
-	admin := c.MustGet(model.CtxKeyAuthorizedUser).(*model.User)
 	var sf serverForm
 	var s model.Server
 	var isEdit bool
@@ -324,9 +331,10 @@ func (ma *memberAPI) addOrEditServer(c *gin.Context) {
 		s.Note = sf.Note
 		s.HideForGuest = sf.HideForGuest == "on"
 		if s.ID == 0 {
-			s.Secret = utils.MD5(fmt.Sprintf("%s%s%d", time.Now(), sf.Name, admin.ID))
-			s.Secret = s.Secret[:18]
-			err = singleton.DB.Create(&s).Error
+			s.Secret, err = utils.GenerateRandomString(18)
+			if err == nil {
+				err = singleton.DB.Create(&s).Error
+			}
 		} else {
 			isEdit = true
 			err = singleton.DB.Save(&s).Error
--- a/cmd/dashboard/controller/oauth2.go
+++ b/cmd/dashboard/controller/oauth2.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"

 	"code.gitea.io/sdk/gitea"
 	"github.com/gin-gonic/gin"
@@ -92,7 +93,15 @@ func (oa *oauth2controller) getRedirectURL(c *gin.Context) string {
 }

 func (oa *oauth2controller) login(c *gin.Context) {
-	randomString := utils.RandStringBytesMaskImprSrcUnsafe(32)
+	randomString, err := utils.GenerateRandomString(32)
+	if err != nil {
+		mygin.ShowErrorPage(c, mygin.ErrInfo{
+			Code:  http.StatusBadRequest,
+			Title: "Something Wrong",
+			Msg:   err.Error(),
+		}, true)
+		return
+	}
 	state, stateKey := randomString[:16], randomString[16:]
 	singleton.Cache.Set(fmt.Sprintf("%s%s", model.CacheKeyOauth2State, stateKey), state, cache.DefaultExpiration)
 	url := oa.getCommonOauth2Config(c).AuthCodeURL(state, oauth2.AccessTypeOnline)
@@ -195,7 +204,16 @@ func (oa *oauth2controller) callback(c *gin.Context) {
 		}, true)
 		return
 	}
-	user.IssueNewToken()
+	user.Token, err = utils.GenerateRandomString(32)
+	if err != nil {
+		mygin.ShowErrorPage(c, mygin.ErrInfo{
+			Code:  http.StatusBadRequest,
+			Title: "Something wrong",
+			Msg:   err.Error(),
+		}, true)
+		return
+	}
+	user.TokenExpired = time.Now().AddDate(0, 2, 0)
 	singleton.DB.Save(&user)
 	c.SetCookie(singleton.Conf.Site.CookieName, user.Token, 60*60*24, "", "", false, false)
 	c.HTML(http.StatusOK, "dashboard-"+singleton.Conf.Site.DashboardTheme+"/redirect", mygin.CommonEnvironment(c, gin.H{