Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hash App token #6724

Merged
merged 34 commits into from
May 4, 2019
Merged

Hash App token #6724

merged 34 commits into from
May 4, 2019

Conversation

techknowlogick
Copy link
Member

@techknowlogick techknowlogick commented Apr 23, 2019
edited
Loading

Fix #3789

@techknowlogick techknowlogick added type/enhancement An improvement of existing functionality pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! labels Apr 23, 2019
@techknowlogick techknowlogick added this to the 1.9.0 milestone Apr 23, 2019
@jonasfranz
Copy link
Member

jonasfranz commented Apr 23, 2019
edited
Loading

What do you think about using bcyrpt with salt?

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 23, 2019
@techknowlogick
Copy link
Member Author

@jonasfranz

I thought about that, but Gitea needs to search for token in DB, and if it is hashed with a salt, then Gitea would have to loop through all keys that exist in system and compute which one is the match. It could be simplified if the token_last_eight was used as a part of the SQL select, but I went with less resource intensive operation, and less impactful code change.

Typing this out now, has made me consider this even more, and good news is that it wouldn't require another PR to go-sdk. So I think I will make the change. Thanks for prompting me to re-consider.

@tamalsaha
Copy link
Contributor

@techknowlogick , I left a comment #3789 (comment)

@techknowlogick techknowlogick changed the title WIP: Hash App token Hash App token Apr 23, 2019
@techknowlogick
Copy link
Member Author

Ready for review

@codecov-io
Copy link

codecov-io commented Apr 23, 2019
edited
Loading

Codecov Report

Merging #6724 into master will decrease coverage by 0.05%.
The diff coverage is 21.48%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #6724      +/-   ##
==========================================
- Coverage   41.24%   41.19%   -0.06%     
==========================================
  Files         422      423       +1     
  Lines       58277    58394     +117     
==========================================
+ Hits        24037    24055      +18     
- Misses      31061    31161     +100     
+ Partials     3179     3178       -1
Impacted Files Coverage Δ
models/migrations/migrations.go 1.52% <ø> (ø) ⬆️
models/migrations/v85.go 0% <0%> (ø)
models/error.go 32.08% <0%> (ø) ⬆️
modules/base/tool.go 72.54% <100%> (+0.27%) ⬆️
routers/user/setting/applications.go 45.61% <100%> (ø) ⬆️
routers/api/v1/user/app.go 63.26% <50%> (ø) ⬆️
models/token.go 81.48% <80.76%> (-2.73%) ⬇️
models/unit.go 62.16% <0%> (-5.41%) ⬇️
models/repo_list.go 66.84% <0%> (-1.06%) ⬇️
... and 2 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1fa9662...ed40913. Read the comment docs.

zeripath
zeripath approved these changes May 2, 2019
View reviewed changes
Copy link
Contributor

@zeripath zeripath left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think v85.go might need changes equivalent to #6823 (once we're sure that that is correct.)

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 2, 2019
@techknowlogick techknowlogick added the status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR label May 2, 2019
@techknowlogick
Copy link
Member Author

@zeripath ahah yeah. I’ve been keeping an eye on those changes and I’ve just set this to blocked so it will only get merged once the other PR does

@techknowlogick techknowlogick removed the status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR label May 3, 2019
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 4, 2019
@techknowlogick techknowlogick merged commit 46373e7 into go-gitea:master May 4, 2019
@techknowlogick techknowlogick deleted the fix-3789 branch May 4, 2019 15:45
@tboerger
Copy link
Member

Great that you introduce such a breaking change into a minor release, you just killed the current Drone authentication.

@lafriks
Copy link
Member

lafriks commented May 11, 2019

@tboerger it has been fixed already in #6903

@zeripath
Copy link
Contributor

@tboerger I think we've had a few of these problems lately - would it be possible to write an integration test for Gitea that would ensure that we don't kill drone authentication by mistake.

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@adelowo adelowo adelowo approved these changes

@zeripath zeripath zeripath approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
1.9.0
Development

Successfully merging this pull request may close these issues.

Application Personal Access Tokens are stored as plaintext in the database. Easy fix maybe.
10 participants
@techknowlogick @jonasfranz @tamalsaha @codecov-io @tboerger @lafriks @zeripath @adelowo @GiteaBot @lunny