Security issue: scratch tokens are plaintext in the database #1464

Closed
opened 2025-11-02 04:01:41 -06:00 by GiteaMirror · 6 comments
Owner

Originally created by @ghost on GitHub (Jan 17, 2018).

  • Gitea version (or commit ref): 1.3.1
  • Git version: 2.15.1
  • Operating system: FreeBSD 11 x64
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

User scratch tokens are stored in plain text in the database. These should be encrypted because it will allow anyone with database access to grab the token and bypass 2 factor authentication. While not likely still should be considered an issue. I would also suggest in allowing for more than one token which would all be stored encrypted in some fashion in the database.

Originally created by @ghost on GitHub (Jan 17, 2018). - Gitea version (or commit ref): 1.3.1 - Git version: 2.15.1 - Operating system: FreeBSD 11 x64 - Database (use `[x]`): - [x] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [x] Not relevant - Log gist: ## Description User scratch tokens are stored in plain text in the database. These should be encrypted because it will allow anyone with database access to grab the token and bypass 2 factor authentication. While not likely still should be considered an issue. I would also suggest in allowing for more than one token which would all be stored encrypted in some fashion in the database.
GiteaMirror added the type/enhancementtopic/security labels 2025-11-02 04:01:41 -06:00
Author
Owner

@ghost commented on GitHub (Apr 12, 2018):

Any progress on resolving this?

@ghost commented on GitHub (Apr 12, 2018): Any progress on resolving this?
Author
Owner

@lunny commented on GitHub (Apr 12, 2018):

Any suggest to resolve this problem?

@lunny commented on GitHub (Apr 12, 2018): Any suggest to resolve this problem?
Author
Owner

@ghost commented on GitHub (Apr 22, 2018):

I think for this you could store only the hashed or bcrypted value and handle it like a password. If the user loses said token then they just cannot recover their account, similar to how it works with GitHub if you lose your 2FA token.

@ghost commented on GitHub (Apr 22, 2018): I think for this you could store only the hashed or bcrypted value and handle it like a password. If the user loses said token then they just cannot recover their account, similar to how it works with GitHub if you lose your 2FA token.
Author
Owner

@TangentFoxy commented on GitHub (May 5, 2018):

Another +1 for bcrypt as a valid, secure, and tuneable implementation for hashing. ^^

@TangentFoxy commented on GitHub (May 5, 2018): Another +1 for bcrypt as a valid, secure, and tuneable implementation for hashing. \^\^
Author
Owner

@daviian commented on GitHub (May 5, 2018):

@lunny @Guard13007 @cezar97 I suggest using the same KDF as we do for passwords. So PBKDF2 with SHA256. So we can almost copy/paste the hashing from user creation.

@daviian commented on GitHub (May 5, 2018): @lunny @Guard13007 @cezar97 I suggest using the same KDF as we do for passwords. So PBKDF2 with SHA256. So we can almost copy/paste the hashing from user creation.
Author
Owner

@TangentFoxy commented on GitHub (May 7, 2018):

@daviian That is also a completely valid option. And if it allows for more code re-use, probably a good idea.

@TangentFoxy commented on GitHub (May 7, 2018): @daviian That is also a completely valid option. And if it allows for more code re-use, probably a good idea.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#1464