Deleted accounts leave OAuth tokens valid #8713

New Issue

Closed

opened 2025-11-02 08:15:20 -06:00 by GiteaMirror · 1 comment

GiteaMirror commented 2025-11-02 08:15:20 -06:00

Owner

Copy Link

Originally created by @kousu on GitHub (Mar 17, 2022).

Gitea Version

Gitea version 1.16.3 built with GNU Make 4.1, go1.17.7 : bindata, sqlite, sqlite_unlock_notify

Git Version

2.25.1

Operating System

Ubuntu 20.04

How are you running Gitea?

Installed with:

# mkdir 
# useradd -m -r -d /srv/gitea gitea
# curl -L https://github.com/go-gitea/gitea/releases/download/v1.16.3/gitea-1.16.3-linux-amd64 -o /srv/gitea/gitea
# chmod +x /srv/gitea/gitea

Run manually with:

# sudo -i gitea
# ./gitea

On:

# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

(and I have an nginx reverse proxy for TLS in front; if you want to see it's config too I can add it)

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

https://gist.github.com/kousu/7a0adf177e50bf8387a00b4fa3fd7dd3

Description

An OAuth app created by a deleted user is left behind in the database, and tokens it handed out are still valid, and can even see private repos created after the deletion.

Reproduction

1. Make two accounts

   Account 1

   

   Account 2

   

2. In account 1: create an OAuth app

   

3. In account 2: create a couple repositories

   

   You can see this on the demo site at: https://try.gitea.io/bivott82

4. Deploy DroneCI (or some other OAuth consumer), providing it the OAuth app credentials.

   Get a public IP, set up DNS and open firewall ports for :80 and :443, and install docker before running this:

   docker run \
     --volume=/var/lib/drone:/data \
     --env=DRONE_GITEA_SERVER=https://try.gitea.io \
     --env=DRONE_GITEA_CLIENT_ID=4d9b78ea-d8fc-45ed-a11a-ea684a690108 \
     --env=DRONE_GITEA_CLIENT_SECRET=gto_z5tbfeunl4g752hlj5aeoksj25jev7lxblzejdop5sxt76nmacvq \
     --env=DRONE_RPC_SECRET="$(openssl rand -hex 16)" \
     --env=DRONE_SERVER_HOST=drone1.kousu.ca \
     --env=DRONE_SERVER_PROTO=https \
     --env=DRONE_TLS_AUTOCERT=true \
     --publish=80:80 \
     --publish=443:443 \
     --restart=always \
     --detach=true \
     --name=drone \
     drone/drone:2
   

5. In account 2: login to DroneCI; you will see the two repositories:

   

   

   
   

6. In account 1: delete account

   

7. In account 1: create a third repository

   

   You can see this on the demo site at: https://try.gitea.io/bivott82

8. In DroneCI: refresh

   

   You will: incorrectly see the third repository.

   

9. Log out of DroneCI

   

10. Try to login again:

    

    You will: get a half-correct HTTP 500 error from Gitea.

    

    You should be able to see this screen on the demo site at:
    https://try.gitea.io/login/oauth/authorize?client_id=4d9b78ea-d8fc-45ed-a11a-ea684a690108&redirect_uri=https%3A%2F%2Fdrone1.kousu.ca%2Flogin&response_type=code&state=30b95ff183c471d4

11. If you can look in the database:

    You will: see the oauth2_application is still recorded.

    # sudo -u gitea psql -c 'select * from oauth2_application' | tee /dev/null
    id | uid |  name   |              client_id               |                        client_secret                         |           redirect_uris            | created_unix | updated_unix 
    ----+-----+---------+--------------------------------------+--------------------------------------------------------------+------------------------------------+--------------+--------------
      1 |   5 | DroneCI | 3cb8ec3b-5140-4875-bffa-716f9cf1cef7 | $2a$10$L6nyevnaNwKNB3cZc6rhUenodOlZ2DNFr4wIM.jPIP9BULRHRP8QW | ["http://3.98.145.180:8080/login"] |   1647449740 |   1647452962
    (1 row)
    

    even though the associated uid is gone:

    # sudo -u gitea psql -c 'select id,name from public.user where id=5;' | tee /dev/null
    id | name 
    ----+------
    (0 rows)
    

Expected Behaviour

I would expect that deleting a user would delete all access rights that user had.

So, I would expect that deleting a user would delete all OAuth apps in their name and immediately revoke all tokens that were given out to it. The tokens not being revoked means a user can leave a ghost app around, at least

Right now you apparently can't get a new OAuth token issued (👍), but previously issued ones are still valid (👎), meaning someone who phished you into opening their malicious app can hide their tracks.

The HTTP 500 should instead be the standard HTTP 400 with "Client ID not registered":

and clicking "Sync" on Drone (or any similar app) should fail.

Originally created by @kousu on GitHub (Mar 17, 2022). ### Gitea Version Gitea version 1.16.3 built with GNU Make 4.1, go1.17.7 : bindata, sqlite, sqlite_unlock_notify ### Git Version 2.25.1 ### Operating System Ubuntu 20.04 ### How are you running Gitea? Installed with: ``` # mkdir # useradd -m -r -d /srv/gitea gitea # curl -L https://github.com/go-gitea/gitea/releases/download/v1.16.3/gitea-1.16.3-linux-amd64 -o /srv/gitea/gitea # chmod +x /srv/gitea/gitea ``` Run manually with: ``` # sudo -i gitea # ./gitea ``` On: ``` # cat /etc/os-release NAME="Ubuntu" VERSION="20.04.4 LTS (Focal Fossa)" ID=ubuntu ID_LIKE=debian PRETTY_NAME="Ubuntu 20.04.4 LTS" VERSION_ID="20.04" HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" VERSION_CODENAME=focal UBUNTU_CODENAME=focal ``` (and I have an nginx reverse proxy for TLS in front; if you want to see it's config too I can add it) ### Database PostgreSQL ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist https://gist.github.com/kousu/7a0adf177e50bf8387a00b4fa3fd7dd3 ### Description An OAuth app created by a deleted user is left behind in the database, and tokens it handed out are still valid, and can even see **private repos** created **after** the deletion. ### Reproduction 1. Make two accounts <details><summary>Account 1</summary>  </details> <details><summary>Account 2</summary>  </details> 2. In account 1: create an OAuth app <details>  </details> 3. In account 2: create a couple repositories <details>  </details> _You can see this on the demo site at_: https://try.gitea.io/bivott82 2. Deploy DroneCI (or some other OAuth consumer), providing it the OAuth app credentials. Get a public IP, set up DNS and open firewall ports for :80 and :443, and install docker before running this: ``` docker run \ --volume=/var/lib/drone:/data \ --env=DRONE_GITEA_SERVER=https://try.gitea.io \ --env=DRONE_GITEA_CLIENT_ID=4d9b78ea-d8fc-45ed-a11a-ea684a690108 \ --env=DRONE_GITEA_CLIENT_SECRET=gto_z5tbfeunl4g752hlj5aeoksj25jev7lxblzejdop5sxt76nmacvq \ --env=DRONE_RPC_SECRET="$(openssl rand -hex 16)" \ --env=DRONE_SERVER_HOST=drone1.kousu.ca \ --env=DRONE_SERVER_PROTO=https \ --env=DRONE_TLS_AUTOCERT=true \ --publish=80:80 \ --publish=443:443 \ --restart=always \ --detach=true \ --name=drone \ drone/drone:2 ``` 5. In account 2: login to DroneCI; you will see the two repositories: <details>     </details> 3. In account 1: delete account <details>  </details> 5. In account 1: create a third repository <details>  </details> _You can see this on the demo site at_: https://try.gitea.io/bivott82 7. In DroneCI: refresh <details>  </details> You will: **incorrectly** see the third repository. <details>  </details> 9. Log out of DroneCI <details>  </details> 11. Try to login again: <details>  </details> You will: get a **half**-correct HTTP 500 error from Gitea. <details>  </details> **You should be able to see this screen on the demo site at:** https://try.gitea.io/login/oauth/authorize?client_id=4d9b78ea-d8fc-45ed-a11a-ea684a690108&redirect_uri=https%3A%2F%2Fdrone1.kousu.ca%2Flogin&response_type=code&state=30b95ff183c471d4 13. If you can look in the database: You will: see the `oauth2_application` is still recorded. ``` # sudo -u gitea psql -c 'select * from oauth2_application' | tee /dev/null id | uid | name | client_id | client_secret | redirect_uris | created_unix | updated_unix ----+-----+---------+--------------------------------------+--------------------------------------------------------------+------------------------------------+--------------+-------------- 1 | 5 | DroneCI | 3cb8ec3b-5140-4875-bffa-716f9cf1cef7 | $2a$10$L6nyevnaNwKNB3cZc6rhUenodOlZ2DNFr4wIM.jPIP9BULRHRP8QW | ["http://3.98.145.180:8080/login"] | 1647449740 | 1647452962 (1 row) ``` even though the associated `uid` is gone: ``` # sudo -u gitea psql -c 'select id,name from public.user where id=5;' | tee /dev/null id | name ----+------ (0 rows) ``` ### Expected Behaviour I would expect that deleting a user would delete all access rights that user had. So, I would expect that deleting a user would delete all OAuth apps in their name **and immediately revoke** all tokens that were given out to it. The tokens not being revoked means a user can leave a ghost app around, at least Right now you apparently can't get a new OAuth token issued (:+1:), but previously issued ones are still valid (:-1:), meaning someone who phished you into opening their malicious app can hide their tracks. The HTTP 500 **should** instead be the standard HTTP 400 with "Client ID not registered":  and clicking "Sync" on Drone (or any similar app) **should fail**.

GiteaMirror added the topic/security label 2025-11-02 08:15:20 -06:00

GiteaMirror closed this issue 2025-11-02 08:15:20 -06:00

GiteaMirror commented 2025-11-02 08:15:21 -06:00

Author

Owner

Copy Link

@kousu commented on GitHub (May 11, 2022):

Thank you for looking into and taking care of this @6543 :)

@kousu commented on GitHub (May 11, 2022): Thank you for looking into and taking care of this @6543 :)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#8713