Use base32 for 2FA scratch token (#18384)

* Use base32 for 2FA scratch token * rename Secure* to Crypto*, add comments
2022-01-26 12:10:10 +08:00 · 2022-01-26 12:10:10 +08:00 · 49dd906753
commit 49dd906753
parent 4889ab52de
11 changed files with 41 additions and 37 deletions
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@ -8,6 +8,7 @@ import (
 	"crypto/md5"
 	"crypto/sha256"
 	"crypto/subtle"
+	"encoding/base32"
 	"encoding/base64"
 	"fmt"

@ -58,11 +59,14 @@ func init() {

 // GenerateScratchToken recreates the scratch token the user is using.
 func (t *TwoFactor) GenerateScratchToken() (string, error) {
-	token, err := util.RandomString(8)
+	tokenBytes, err := util.CryptoRandomBytes(6)
 	if err != nil {
 		return "", err
 	}
-	t.ScratchSalt, _ = util.RandomString(10)
+	// these chars are specially chosen, avoid ambiguous chars like `0`, `O`, `1`, `I`.
+	const base32Chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
+	token := base32.NewEncoding(base32Chars).WithPadding(base32.NoPadding).EncodeToString(tokenBytes)
+	t.ScratchSalt, _ = util.CryptoRandomString(10)
 	t.ScratchHash = HashToken(token, t.ScratchSalt)
 	return token, nil
 }
--- a/models/migrations/v71.go
+++ b/models/migrations/v71.go
@ -53,7 +53,7 @@ func addScratchHash(x *xorm.Engine) error {

 		for _, tfa := range tfas {
 			// generate salt
-			salt, err := util.RandomString(10)
+			salt, err := util.CryptoRandomString(10)
 			if err != nil {
 				return err
 			}
--- a/models/migrations/v85.go
+++ b/models/migrations/v85.go
@ -65,7 +65,7 @@ func hashAppToken(x *xorm.Engine) error {

 		for _, token := range tokens {
 			// generate salt
-			salt, err := util.RandomString(10)
+			salt, err := util.CryptoRandomString(10)
 			if err != nil {
 				return err
 			}
--- a/models/token.go
+++ b/models/token.go
@ -62,7 +62,7 @@ func init() {

 // NewAccessToken creates new access token.
 func NewAccessToken(t *AccessToken) error {
-	salt, err := util.RandomString(10)
+	salt, err := util.CryptoRandomString(10)
 	if err != nil {
 		return err
 	}
--- a/models/user/user.go
+++ b/models/user/user.go
@ -533,7 +533,7 @@ const SaltByteLength = 16

 // GetUserSalt returns a random user salt token.
 func GetUserSalt() (string, error) {
-	rBytes, err := util.RandomBytes(SaltByteLength)
+	rBytes, err := util.CryptoRandomBytes(SaltByteLength)
 	if err != nil {
 		return "", err
 	}