From 47f10c03ae22e6d7bea2d32fc3d98005acd96745 Mon Sep 17 00:00:00 2001 From: eikendev Date: Fri, 11 Feb 2022 23:48:08 +0100 Subject: [PATCH 1/3] Fix token lengths --- internal/authentication/token.go | 2 ++ internal/authentication/token_test.go | 11 ++--------- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/internal/authentication/token.go b/internal/authentication/token.go index 6edda01..7e91d6f 100644 --- a/internal/authentication/token.go +++ b/internal/authentication/token.go @@ -53,5 +53,7 @@ func GenerateApplicationToken(compat bool) string { tokenLength = compatTokenLength } + tokenLength -= len(applicationTokenPrefix) + return applicationTokenPrefix + generateRandomString(tokenLength) } diff --git a/internal/authentication/token_test.go b/internal/authentication/token_test.go index 83dc891..7e7138e 100644 --- a/internal/authentication/token_test.go +++ b/internal/authentication/token_test.go @@ -1,7 +1,6 @@ package authentication import ( - "log" "testing" "github.com/stretchr/testify/assert" @@ -9,20 +8,14 @@ import ( ) func isGoodToken(assert *assert.Assertions, require *require.Assertions, token string, compat bool) { - prefix := token[0:len(applicationTokenPrefix)] - token = token[len(applicationTokenPrefix):] - - // Although constant at the time of writing, this check should prevent future changes from generating insecure tokens. - if len(token) < 14 { - log.Fatalf("Tokens should have more random characters") - } - if compat { assert.Equal(len(token), compatTokenLength, "Unexpected compatibility token length") } else { assert.Equal(len(token), regularTokenLength, "Unexpected regular token length") } + prefix := token[0:len(applicationTokenPrefix)] + assert.Equal(prefix, applicationTokenPrefix, "Invalid token prefix") for _, c := range []byte(token) { From 500a8cd4b0e4171e386a7ce9c91e0491b5fa7bf7 Mon Sep 17 00:00:00 2001 
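Review bot: The added `tokenLength -= len(applicationTokenPrefix)` keeps the total length fixed by shrinking the random suffix, and nothing in GenerateApplicationToken guards the remainder: if either length constant is ever lowered below the prefix length, generateRandomString is called with a zero or negative count, and the only entropy floor in this series lives in token_test.go. I would make that floor a package-level constant (so the test can share it instead of redefining `14`) and fail loudly here, e.g. `if tokenLength < minRandomChars { panic("application token length leaves too few random characters") }`, with a comment above the subtraction: `// The prefix consumes part of the fixed token length; only the remainder is random.` GenerateApplicationToken starts before this hunk and generateRandomString is not visible, so I cannot tell which alphabet it draws from — the bit strength of a 14-character floor depends on that.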
From: eikendev Date: Sat, 12 Feb 2022 18:58:43 +0100 Subject: [PATCH 2/3] Reintroduce check for minimum token length --- internal/authentication/token_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/internal/authentication/token_test.go b/internal/authentication/token_test.go index 7e7138e..4e354d1 100644 --- a/internal/authentication/token_test.go +++ b/internal/authentication/token_test.go @@ -7,6 +7,10 @@ import ( "github.com/stretchr/testify/require" ) +const ( + minTokenLength = 14 +) + func isGoodToken(assert *assert.Assertions, require *require.Assertions, token string, compat bool) { if compat { assert.Equal(len(token), compatTokenLength, "Unexpected compatibility token length") @@ -14,6 +18,8 @@ func isGoodToken(assert *assert.Assertions, require *require.Assertions, token s assert.Equal(len(token), regularTokenLength, "Unexpected regular token length") } + assert.GreaterOrEqual(len(token), minTokenLength, "Token is too short to give sufficient entropy") + prefix := token[0:len(applicationTokenPrefix)] assert.Equal(prefix, applicationTokenPrefix, "Invalid token prefix") From be99411b1bafdc67a4d8df4158e3861f185e6002 Mon Sep 17 00:00:00 2001 From: eikendev Date: Sun, 13 Feb 2022 11:55:43 +0100 Subject: [PATCH 3/3] Consider the prefix when testing token length --- Makefile | 6 ++---- internal/authentication/token_test.go | 12 +++++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 4567096..e610231 100644 --- a/Makefile +++ b/Makefile @@ -5,14 +5,12 @@ build: .PHONY: test test: - stdout=$$(gofmt -l . 2>&1); \ - if [ "$$stdout" ]; then \ - exit 1; \ - fi + stdout=$$(gofmt -l . 2>&1); if [ "$$stdout" ]; then exit 1; fi go vet ./... gocyclo -over 10 $(shell find . -iname '*.go' -type f) staticcheck ./... go test -v -cover ./... + @printf '\n%s\n' "> Test successful" .PHONY: setup setup: 
diff --git a/internal/authentication/token_test.go b/internal/authentication/token_test.go index 4e354d1..2993e09 100644 --- a/internal/authentication/token_test.go +++ b/internal/authentication/token_test.go @@ -8,20 +8,22 @@ import ( ) const ( - minTokenLength = 14 + minRandomChars = 14 ) func isGoodToken(assert *assert.Assertions, require *require.Assertions, token string, compat bool) { + tokenLength := len(token) + if compat { - assert.Equal(len(token), compatTokenLength, "Unexpected compatibility token length") + assert.Equal(tokenLength, compatTokenLength, "Unexpected compatibility token length") } else { - assert.Equal(len(token), regularTokenLength, "Unexpected regular token length") + assert.Equal(tokenLength, regularTokenLength, "Unexpected regular token length") } - assert.GreaterOrEqual(len(token), minTokenLength, "Token is too short to give sufficient entropy") + randomChars := tokenLength - len(applicationTokenPrefix) + assert.GreaterOrEqual(randomChars, minRandomChars, "Token is too short to give sufficient entropy") prefix := token[0:len(applicationTokenPrefix)] - assert.Equal(prefix, applicationTokenPrefix, "Invalid token prefix") for _, c := range []byte(token) {
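Review bot: The slice `prefix := token[0:len(applicationTokenPrefix)]` panics with an index-out-of-range if a token is ever shorter than the prefix, because the `assert.GreaterOrEqual` just before it records the failure but does not stop the test; switching that one check to `require.GreaterOrEqual(randomChars, minRandomChars, "Token is too short to give sufficient entropy")` (the `require` argument is already passed in) turns a panic into a clean failure. The `assert.Equal` calls also pass the actual value first, whereas testify's signature is `(expected, actual)`, so the failure diff labels the two sides backwards — `assert.Equal(compatTokenLength, tokenLength, ...)` and likewise for the regular case. `minRandomChars = 14` deserves a comment stating the strength it targets, since 14 characters is only ~83 bits if the alphabet is 62 symbols and considerably less for a smaller one; the alphabet check that begins with `for _, c := range []byte(token) {` continues past the end of this hunk, so I cannot confirm it here.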