Port "Use general token signing secret"

Port of https://github.com/go-gitea/gitea/pull/29205 Use a clearly defined "signing secret" for token signing. (cherry picked from commit 8be198cdef0a486f417663b1fd6878458d7e5d92)
2025-05-25 11:22:16 +00:00 · 2024-02-19 01:39:04 +08:00 · 2024-02-19 01:39:04 +08:00 · 62d3e5255f
commit 62d3e5255f
parent cfd6420a0e
13 changed files with 131 additions and 61 deletions
--- a/modules/generate/generate.go
+++ b/modules/generate/generate.go
@ -7,6 +7,7 @@ package generate
 import (
 	"crypto/rand"
 	"encoding/base64"
+	"fmt"
 	"io"
 	"time"

@ -38,6 +39,20 @@ func NewInternalToken() (string, error) {
 	return internalToken, nil
 }

+const defaultJwtSecretLen = 32
+
+// DecodeJwtSecret decodes a base64 encoded jwt secret into bytes, and check its length
+func DecodeJwtSecret(src string) ([]byte, error) {
+	encoding := base64.RawURLEncoding
+	decoded := make([]byte, encoding.DecodedLen(len(src))+3)
+	if n, err := encoding.Decode(decoded, []byte(src)); err != nil {
+		return nil, err
+	} else if n != defaultJwtSecretLen {
+		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
+	}
+	return decoded[:defaultJwtSecretLen], nil
+}
+
 // NewJwtSecret generates a new base64 encoded value intended to be used for JWT secrets.
 func NewJwtSecret() ([]byte, string, error) {
 	bytes := make([]byte, 32)
--- a/modules/generate/generate_test.go
+++ b/modules/generate/generate_test.go
@ -0,0 +1,34 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package generate
+
+import (
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDecodeJwtSecret(t *testing.T) {
+	_, err := DecodeJwtSecret("abcd")
+	assert.ErrorContains(t, err, "invalid base64 decoded length")
+	_, err = DecodeJwtSecret(strings.Repeat("a", 64))
+	assert.ErrorContains(t, err, "invalid base64 decoded length")
+
+	str32 := strings.Repeat("x", 32)
+	encoded32 := base64.RawURLEncoding.EncodeToString([]byte(str32))
+	decoded32, err := DecodeJwtSecret(encoded32)
+	assert.NoError(t, err)
+	assert.Equal(t, str32, string(decoded32))
+}
+
+func TestNewJwtSecret(t *testing.T) {
+	secret, encoded, err := NewJwtSecret()
+	assert.NoError(t, err)
+	assert.Len(t, secret, 32)
+	decoded, err := DecodeJwtSecret(encoded)
+	assert.NoError(t, err)
+	assert.Equal(t, secret, decoded)
+}