[PR #4806] [CLOSED] refactoring access token from sha1 to sha1+JWT, with plan for backward compatibility #17503

Closed
opened 2025-11-02 13:43:22 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/go-gitea/gitea/pull/4806
Author: @beeonthego
Created: 8/28/2018
Status: Closed

Base: main ← Head: beeonthego-jwt-ui


📝 Commits (5)

  • 0d4ba78 remove padding from csrf token
  • ab1c309 Merge pull request #1 from beeonthego/beeonthego-csrf-encoding
  • 696e95f refactoring access token from sha1 to sha1+JWT
  • 867a2b5 restoring csrf in vendor folder
  • 7821867 update property name to wildcardmatch

📊 Changes

1 file changed (+6 additions, -0 deletions)


📝 modules/auth/user_form.go (+6 -0)

📄 Description

This is a proposal of the parameters of custom access grants/claims in new JWT access token. This is the first step to start the discussion and PR process.

AccessToken generated can include JWT as content, and sha1 hash of the content for backward compatibility. During the transition period, the API/UI can accept old and new sha1, and JWT at the same time. Admin can enforce the use of JWT after the transition period.

Only the token name, claims and sha1 hash will be stored in DB. The metadata is to describe the issued token, but cannot be used to authenticate after the transition period.

Admin can optionally enable checking the stored sha1 after validating the token with server secret, for extra peace of mind, or turn it off for performance.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
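
The acceptance rules the description proposes, written out in Go as an added example; it is not code from this PR or from Gitea. HMAC-SHA256 signing, the `Policy` field names, the `stored` set standing in for the DB's sha1 column, and all sample values are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Policy models the two admin switches from the description (hypothetical names).
type Policy struct{ RequireJWT, CheckStoredSHA1 bool }
var enc = base64.RawURLEncoding
// SHA1Hex is the digest kept in the DB for an issued token.
func SHA1Hex(s string) string { h := sha1.Sum([]byte(s)); return hex.EncodeToString(h[:]) }

// seal appends an HMAC-SHA256 signature (assumed algorithm) to "header.claims".
func seal(secret []byte, body string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(body))
	return body + "." + enc.EncodeToString(m.Sum(nil))
}

// Issue builds a compact JWT from already-serialized claims.
func Issue(secret []byte, claims string) string {
	return seal(secret, enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))+"."+enc.EncodeToString([]byte(claims)))
}

// Authenticate reports how tok was accepted; the token header's alg is never consulted.
func Authenticate(tok string, secret []byte, stored map[string]bool, p Policy) (string, error) {
	i := strings.LastIndex(tok, ".")
	switch {
	case i < 0 && !p.RequireJWT && stored[tok]:
		return "sha1", nil // bare sha1 string: transition period only
	case i < 0:
		return "", errors.New("sha1 token rejected")
	case strings.Count(tok, ".") != 2 || !hmac.Equal([]byte(tok), []byte(seal(secret, tok[:i]))):
		return "", errors.New("bad JWT signature")
	case p.CheckStoredSHA1 && !stored[SHA1Hex(tok)]:
		return "", errors.New("JWT not on record") // e.g. deleted from the DB
	}
	return "jwt", nil
}

func main() { // constructed secret and claims
	tok := Issue([]byte("constructed-secret"), `{"name":"ci"}`)
	fmt.Println(Authenticate(tok, []byte("constructed-secret"), map[string]bool{SHA1Hex(tok): true}, Policy{true, true}))
}
```

With `CheckStoredSHA1` off, a validly signed token keeps working after its row is deleted, so revocation then depends on whatever the claims themselves carry.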

GiteaMirror added the pull-request label 2025-11-02 13:43:22 -06:00