
Conversation

Member

@6543 6543 commented Jan 7, 2021

  • Rename HashPassword() to SetPassword
  • Generate new Salt on password set
  • Drop passwords which are valid with the "" string and use an empty passwd field for the IsPasswordSet() func

@6543 6543 added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/refactoring Existing code has been cleaned up. There should be no new functionality. labels Jan 7, 2021
@6543 6543 added this to the 1.14.0 milestone Jan 7, 2021
@6543 6543 changed the title WIP: Refactor HashPasswort [Refactor] Passwort Check func Jan 7, 2021
@6543 6543 marked this pull request as ready for review January 7, 2021 23:51
Contributor

@zeripath zeripath left a comment

This doesn't appear to

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 9, 2021
@zeripath
Contributor

zeripath commented Jan 9, 2021

You'll need to check every call to CreateUser and ensure that an empty password cannot be set - for example, this code at present will set "" as the password for external users and makes it impossible to detect if a user is an external user through IsPasswordSet

@6543
Member Author

6543 commented Jan 9, 2021

@zeripath why not use the SetPassword function to check this ☝️ :)
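The behaviour the PR description and zeripath's comment argue about, as an added example that is not Gitea's code and not the author's: a User with Passwd and Salt fields (names assumed), a SetPassword that refuses "" and draws a fresh salt on every call, IsPasswordSet defined as Passwd != "", and a legacySetPassword that keeps the pre-refactor behaviour of hashing "" so the hazard with external users is visible side by side. PBKDF2-HMAC-SHA256 is written inline from RFC 8018 so the example needs only the standard library; the salt length, iteration count and key length are illustrative assumptions, not the project's settings.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const saltLen, pbkdf2Iter, keyLen = 16, 50000, 50 // illustrative, not the project's settings

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018 section 5.2), inlined to avoid any dependency.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, dkLen+prf.Size())
	var idx [4]byte
	for block := 1; len(out) < dkLen; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// User carries the two columns under discussion; field names are assumptions.
type User struct {
	Name   string
	Passwd string // hex PBKDF2 output; "" means the user has no local password
	Salt   string // hex; regenerated on every SetPassword call
}

var ErrEmptyPassword = errors.New("refusing to set an empty password")

// SetPassword rejects "" so IsPasswordSet stays meaningful, and draws a fresh salt each call.
func (u *User) SetPassword(passwd string) error {
	if passwd == "" {
		return ErrEmptyPassword
	}
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	u.Salt = hex.EncodeToString(salt)
	u.Passwd = hex.EncodeToString(pbkdf2SHA256([]byte(passwd), salt, pbkdf2Iter, keyLen))
	return nil
}

// IsPasswordSet is the signal the PR proposes: local users have a hash, external users keep "".
func (u *User) IsPasswordSet() bool { return u.Passwd != "" }

// ValidatePassword never matches an unset password and compares in constant time.
func (u *User) ValidatePassword(passwd string) bool {
	if !u.IsPasswordSet() {
		return false
	}
	salt, err1 := hex.DecodeString(u.Salt)
	want, err2 := hex.DecodeString(u.Passwd)
	if err1 != nil || err2 != nil {
		return false
	}
	got := pbkdf2SHA256([]byte(passwd), salt, pbkdf2Iter, keyLen)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// legacySetPassword reproduces the hazard zeripath describes: it hashes "" like any other
// string, so an external user created this way looks local and "" becomes a valid login.
func legacySetPassword(u *User, passwd string) {
	salt := make([]byte, saltLen)
	_, _ = rand.Read(salt)
	u.Salt = hex.EncodeToString(salt)
	u.Passwd = hex.EncodeToString(pbkdf2SHA256([]byte(passwd), salt, pbkdf2Iter, keyLen))
}

func main() {
	local, ext, old := &User{Name: "alice"}, &User{Name: "ldap-bob"}, &User{Name: "legacy-external"}
	fmt.Println(local.SetPassword(""), local.SetPassword("correct horse battery staple"))
	fmt.Println(local.IsPasswordSet(), local.ValidatePassword("correct horse battery staple"))
	fmt.Println(ext.IsPasswordSet(), ext.ValidatePassword("")) // external: nothing set, "" rejected
	legacySetPassword(old, "")
	fmt.Println(old.IsPasswordSet(), old.ValidatePassword("")) // pre-refactor: "" logs in
}
```

The point of the two guards is that they are what make the empty Passwd column a trustworthy marker: because SetPassword can never write a hash for "", and ValidatePassword short-circuits on an unset password, a CreateUser path that forgets to call SetPassword for an external user leaves that user unable to log in with any local password, instead of silently accepting "". The legacy path shows the opposite outcome with the same storage layout.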

@6543 6543 changed the title [Refactor] Passwort Check func [Refactor] Passwort Hash/Set Jan 9, 2021
@codecov-io

codecov-io commented Jan 9, 2021

Codecov Report

Merging #14282 (1b611ab) into master (6b3b6f1) will decrease coverage by 0.02%.
The diff coverage is 9.19%.


@@            Coverage Diff             @@
##           master   #14282      +/-   ##
==========================================
- Coverage   41.81%   41.79%   -0.03%     
==========================================
  Files         743      744       +1     
  Lines       79468    79538      +70     
==========================================
+ Hits        33233    33245      +12     
- Misses      40759    40819      +60     
+ Partials     5476     5474       -2     
Impacted Files Coverage Δ
cmd/admin.go 0.00% <0.00%> (ø)
models/login_source.go 27.44% <0.00%> (-0.08%) ⬇️
models/migrations/migrations.go 2.28% <ø> (ø)
models/migrations/v166.go 0.00% <0.00%> (ø)
routers/admin/users.go 38.84% <0.00%> (-0.33%) ⬇️
routers/api/v1/admin/user.go 35.54% <0.00%> (-0.44%) ⬇️
routers/user/auth.go 12.00% <0.00%> (+0.02%) ⬆️
routers/user/setting/account.go 25.12% <0.00%> (-0.39%) ⬇️
models/user.go 54.52% <72.72%> (+0.12%) ⬆️
modules/queue/unique_queue_disk_channel.go 53.84% <0.00%> (-1.54%) ⬇️
... and 6 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 9, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 10, 2021
@lafriks lafriks merged commit 74a0481 into go-gitea:master Jan 10, 2021
@lafriks lafriks deleted the passwd-things branch January 10, 2021 18:05
@lafriks lafriks added the skip-changelog This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features. label Jan 10, 2021
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Jan 14, 2021
* master: (252 commits)
  Issues overview should not show issues from archived repos (go-gitea#13220)
  Display SVG files as images instead of text (go-gitea#14101)
  [skip ci] Updated translations via Crowdin
  Update docs to clarify issues raised in go-gitea#14272 (go-gitea#14318)
  [skip ci] Updated translations via Crowdin
  [Refactor] Passwort Hash/Set (go-gitea#14282)
  Add option to change username to the admin panel (go-gitea#14229)
  fix mailIssueCommentBatch for pull request (go-gitea#14252)
  Remove self from MAINTAINERS (go-gitea#14286)
  Do not reload page after adding comments in Pull Request reviews (go-gitea#13877)
  Fix session bug when introduce chi (go-gitea#14287)
  [skip ci] Updated translations via Crowdin
  Add secure/httpOnly attributes to the lang cookie (go-gitea#9690) (go-gitea#14279)
  Some code improvements (go-gitea#14266)
  [skip ci] Updated translations via Crowdin
  Fix wrong type on hooktask to convert typ from char(16) to varchar(16) (go-gitea#14148)
  Upgrade XORM links in documentation. (go-gitea#14265)
  Check permission for the appropriate unit type (go-gitea#14261)
  Add compliance check for windows to ensure cross platform build (go-gitea#14260)
  [skip ci] Updated translations via Crowdin
  ...
@go-gitea go-gitea locked and limited conversation to collaborators Feb 11, 2021
7 participants