// Listing source: code.gitea.io/gitea@v1.22.3/modules/generate/generate.go

// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package generate

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"time"

	"code.gitea.io/gitea/modules/util"

	"github.com/golang-jwt/jwt/v5"
)

// NewInternalToken generates a new value intended to be used by INTERNAL_TOKEN.
//
// The value is an HS256-signed JWT whose only claim is "nbf" (the current Unix
// time). The signing key is 32 bytes from crypto/rand, base64url-encoded; it is
// neither returned nor stored, so the token's signature cannot be verified
// afterwards and the result works only as an opaque, unpredictable string.
// NOTE(review): presumably consumers compare it as a shared secret — confirm
// against the callers.
func NewInternalToken() (string, error) {
	keyMaterial := make([]byte, 32)
	// io.ReadFull returns an error instead of a short, weaker key.
	if _, err := io.ReadFull(rand.Reader, keyMaterial); err != nil {
		return "", err
	}

	// The HMAC key is the ASCII base64url text, not the raw random bytes.
	signingKey := []byte(base64.RawURLEncoding.EncodeToString(keyMaterial))

	claims := jwt.MapClaims{
		"nbf": time.Now().Unix(),
	}
	token, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(signingKey)
	if err != nil {
		return "", err
	}
	return token, nil
}

const defaultJwtSecretLen = 32

// DecodeJwtSecretBase64 decodes a base64-encoded JWT secret into bytes and
// checks its length.
//
// src must be unpadded URL-safe base64 (base64.RawURLEncoding) that decodes to
// exactly defaultJwtSecretLen bytes; a shorter or longer result is rejected
// rather than truncated or padded. The length error reports only the two
// sizes, never the secret itself.
func DecodeJwtSecretBase64(src string) ([]byte, error) {
	enc := base64.RawURLEncoding
	// Three spare bytes beyond DecodedLen; the length check below, not the
	// buffer size, is what enforces the expected secret size.
	buf := make([]byte, enc.DecodedLen(len(src))+3)
	n, err := enc.Decode(buf, []byte(src))
	if err != nil {
		return nil, err
	}
	if n != defaultJwtSecretLen {
		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
	}
	return buf[:defaultJwtSecretLen], nil
}

// NewJwtSecretWithBase64 generates a JWT secret and returns it together with
// its base64 encoding, which is intended to be saved into the config file.
//
// The secret is defaultJwtSecretLen bytes read from crypto/rand. The string is
// the same secret in unpadded URL-safe base64, the format
// DecodeJwtSecretBase64 accepts, so both return values are equally sensitive.
func NewJwtSecretWithBase64() ([]byte, string, error) {
	secret := make([]byte, defaultJwtSecretLen)
	// A short read is an error, so a partially filled secret is never returned.
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		return nil, "", err
	}
	encoded := base64.RawURLEncoding.EncodeToString(secret)
	return secret, encoded, nil
}

// NewSecretKey generates a new value intended to be used by SECRET_KEY.
//
// The value is whatever util.CryptoRandomString(64) produces.
// NOTE(review): the character set, and therefore the entropy per character,
// is decided by that helper and is not visible in this file.
func NewSecretKey() (string, error) {
	key, err := util.CryptoRandomString(64)
	if err != nil {
		// Return an empty key on failure, never a partial one.
		return "", err
	}
	return key, nil
}