Security issue: scratch tokens are plaintext in the database

• Gitea version (or commit ref): 1.3.1
• Git version: 2.15.1
• Operating system: FreeBSD 11 x64
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

User scratch tokens are stored in plain text in the database. These should be encrypted because it will allow anyone with database access to grab the token and bypass 2 factor authentication. While not likely still should be considered an issue. I would also suggest in allowing for more than one token which would all be stored encrypted in some fashion in the database.

Any progress on resolving this?

[lunny]

Any suggest to resolve this problem?

I think for this you could store only the hashed or bcrypted value and handle it like a password. If the user loses said token then they just cannot recover their account, similar to how it works with GitHub if you lose your 2FA token.

[TangentFoxy]

Another +1 for bcrypt as a valid, secure, and tuneable implementation for hashing. ^^

[daviian]

@lunny @Guard13007 @cezar97 I suggest using the same KDF as we do for passwords. So PBKDF2 with SHA256. So we can almost copy/paste the hashing from user creation.

[TangentFoxy]

@daviian That is also a completely valid option. And if it allows for more code re-use, probably a good idea.