fix: avoid hash uuid

models/bots/runner.go

@@ -10,16 +10,12 @@ import (
 	"strings"
 	"time"
 
-	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/timeutil"
-	"code.gitea.io/gitea/modules/util"
 
 	runnerv1 "code.gitea.io/bots-proto-go/runner/v1"
-	gouuid "github.com/google/uuid"
 	"xorm.io/builder"
 )
 
@@ -147,15 +143,9 @@ func (r *Runner) LoadAttributes(ctx context.Context) error {
 	return nil
 }
 
-func (r *Runner) GenerateToken() error {
+func (r *Runner) GenerateToken() (err error) {
-	salt, err := util.CryptoRandomString(10)
+	r.Token, r.TokenSalt, r.TokenHash, _, err = generateSaltedToken()
-	if err != nil {
 	return err
-	}
-	r.TokenSalt = salt
-	r.Token = base.EncodeSha1(gouuid.New().String())
-	r.TokenHash = auth_model.HashToken(r.Token, r.TokenSalt)
-	return nil
 }
 
 func init() {

models/bots/runner_token.go

@@ -11,10 +11,8 @@ import (
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/timeutil"
-
+	"code.gitea.io/gitea/modules/util"
-	gouuid "github.com/google/uuid"
 )
 
 // ErrRunnerNotExist represents an error for bot runner not exist
@@ -77,13 +75,17 @@ func UpdateRunnerToken(ctx context.Context, r *RunnerToken, cols ...string) (err
 
 // NewRunnerToken creates a new runner token
 func NewRunnerToken(ownerID, repoID int64) (*RunnerToken, error) {
+	token, err := util.CryptoRandomString(40)
+	if err != nil {
+		return nil, err
+	}
 	runnerToken := &RunnerToken{
 		OwnerID:  ownerID,
 		RepoID:   repoID,
 		IsActive: false,
-		Token:    base.EncodeSha1(gouuid.New().String()),
+		Token:    token,
 	}
-	_, err := db.GetEngine(db.DefaultContext).Insert(runnerToken)
+	_, err = db.GetEngine(db.DefaultContext).Insert(runnerToken)
 	return runnerToken, err
 }
 

models/bots/task.go

@@ -17,14 +17,12 @@ import (
 
 	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
 	runnerv1 "code.gitea.io/bots-proto-go/runner/v1"
-	gouuid "github.com/google/uuid"
 	lru "github.com/hashicorp/golang-lru"
 	"github.com/nektos/act/pkg/jobparser"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -190,16 +188,9 @@ func (task *Task) LoadAttributes(ctx context.Context) error {
 	return nil
 }
 
-func (task *Task) GenerateToken() error {
+func (task *Task) GenerateToken() (err error) {
-	salt, err := util.CryptoRandomString(10)
+	task.Token, task.TokenSalt, task.TokenHash, task.TokenLastEight, err = generateSaltedToken()
-	if err != nil {
 	return err
-	}
-	task.TokenSalt = salt
-	task.Token = base.EncodeSha1(gouuid.New().String())
-	task.TokenHash = auth_model.HashToken(task.Token, task.TokenSalt)
-	task.TokenLastEight = task.Token[len(task.Token)-8:]
-	return nil
 }
 
 type LogIndexes []int64

models/bots/utils.go

@@ -0,0 +1,26 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package bots
+
+import (
+	"encoding/hex"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	"code.gitea.io/gitea/modules/util"
+)
+
+func generateSaltedToken() (string, string, string, string, error) {
+	salt, err := util.CryptoRandomString(10)
+	if err != nil {
+		return "", "", "", "", err
+	}
+	buf, err := util.CryptoRandomBytes(20)
+	if err != nil {
+		return "", "", "", "", err
+	}
+	token := hex.EncodeToString(buf)
+	hash := auth_model.HashToken(token, salt)
+	return token, salt, hash, token[:8], nil
+}