Skip to content

fix issuer of OTP URI should be URI-encoded. #6634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 27, 2019
Merged

fix issuer of OTP URI should be URI-encoded. #6634

merged 5 commits into from
May 27, 2019

Conversation

huihuimoe
Copy link
Contributor

@huihuimoe huihuimoe commented Apr 15, 2019
edited
Loading

I noticed that the URI of gitea totp 2fa would be failed parsed in some OTP parse libs.

Original URI like this

otpauth://totp/%E5%96%B5%20%E3%81%A8%20Nyaa%20%28https://old.huihui.cat%29:user?algorithm=SHA1&digits=6&issuer=%E5%96%B5+%E3%81%A8+Nyaa+%28https%3A%2F%2Fold.huihui.cat%29&period=30&secret=WHY5IXDH5S73SGA5

: appeared twice and other programs could parse the incorrect issuer here.

Following Google's OTP URI Format,

The label is used to identify which account a key is associated with. It contains an account name, which is a URI-encoded string, optionally prefixed by an issuer string identifying the provider or service managing that account.

@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Apr 15, 2019
zeripath
zeripath reviewed Apr 15, 2019
View reviewed changes
@jonasfranz jonasfranz added this to the 1.9.0 milestone Apr 15, 2019
@codecov-io
Copy link

codecov-io commented Apr 15, 2019
edited
Loading

Codecov Report

Merging #6634 into master will decrease coverage by <.01%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #6634      +/-   ##
==========================================
- Coverage   41.45%   41.44%   -0.01%     
==========================================
  Files         442      442              
  Lines       59610    59611       +1     
==========================================
- Hits        24712    24708       -4     
- Misses      31667    31673       +6     
+ Partials     3231     3230       -1
Impacted Files Coverage Δ
routers/user/setting/security_twofa.go 18.38% <100%> (+0.6%) ⬆️
models/unit.go 62.16% <0%> (-5.41%) ⬇️
routers/repo/view.go 42.02% <0%> (-1.02%) ⬇️
modules/log/colors_router.go 87.5% <0%> (+4.16%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2c412f5...9f62295. Read the comment docs.

@zeripath
Copy link
Contributor

Could you give an example of an otp library that doesn't work?

@zeripath
Copy link
Contributor

OK how do we fix this? I think we need to make this issuer label configurable and put a warning in the documentation somewhere that the default may not work on older otp parsing libraries.

@huihuimoe
Copy link
Contributor Author

examples:

OTPAuth.URI.parse("otpauth://totp/%E5%96%B5%20%E3%81%A8%20Nyaa%20%28https://old.huihui.cat%29:user?algorithm=SHA1&digits=6&issuer=%E5%96%B5+%E3%81%A8+Nyaa+%28https%3A%2F%2Fold.huihui.cat%29&period=30&secret=WHY5IXDH5S73SGA5")
Uncaught TypeError: Invalid 'issuer' parameter
    at Function.q.parse (<anonymous>:43:253)
    at <anonymous>:1:13

parse("otpauth://totp/%E5%96%B5%20%E3%81%A8%20Nyaa%20%28https://old.huihui.cat%29:user?algorithm=SHA1&digits=6&issuer=%E5%96%B5+%E3%81%A8+Nyaa+%28https%3A%2F%2Fold.huihui.cat%29&period=30&secret=WHY5IXDH5S73SGA5")
Uncaught n {name: "OtpauthInvalidURL", message: "Given otpauth:// URL is invalid. (Error 1)", errorType: 1}

zeripath
zeripath suggested changes May 27, 2019
View reviewed changes
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 27, 2019
@zeripath zeripath merged commit cf3ffeb into go-gitea:master May 27, 2019
jeffliu27 pushed a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019
@huihuimoe @jeffliu27
fix issuer of OTP URI should be URI-encoded. (go-gitea#6634)
b57e101 
* fix: Issuer of OTP URI should be URI-encoded.

follow this link https://github.com/google/google-authenticator/wiki/Key-Uri-Format .

* filter unsafe character ':' in issuer

* Use Replace rather than ReplaceAll
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
3 more reviewers

@mrsdizzie mrsdizzie mrsdizzie left review comments

@zeripath zeripath zeripath approved these changes

@jonasfranz jonasfranz jonasfranz approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Milestone
1.9.0
Development

Successfully merging this pull request may close these issues.
6 participants
@huihuimoe @codecov-io @zeripath @mrsdizzie @jonasfranz @GiteaBot