Merge pull request #39 from pushbits/fix-token-length

Fix token lengths
2025-04-29 18:26:49 +02:00 · 2022-02-13 12:28:01 +01:00 · 2022-02-13 12:28:01 +01:00 · 21afef0128
commit 21afef0128
parent 56f39cf64c be99411b1b
3 changed files with 15 additions and 14 deletions
--- a/6
+++ b/6
@ -5,14 +5,12 @@ build:

 .PHONY: test
 test:
-	stdout=$$(gofmt -l . 2>&1); \
-	if [ "$$stdout" ]; then \
-		exit 1; \
-	fi
+	stdout=$$(gofmt -l . 2>&1); if [ "$$stdout" ]; then exit 1; fi
 	go vet ./...
 	gocyclo -over 10 $(shell find . -iname '*.go' -type f)
 	staticcheck ./...
 	go test -v -cover ./...
+	@printf '\n%s\n' "> Test successful"

 .PHONY: setup
 setup:
--- a/internal/authentication/token.go
+++ b/internal/authentication/token.go
@ -53,5 +53,7 @@ func GenerateApplicationToken(compat bool) string {
 		tokenLength = compatTokenLength
 	}

+	tokenLength -= len(applicationTokenPrefix)
+
 	return applicationTokenPrefix + generateRandomString(tokenLength)
 }
--- a/internal/authentication/token_test.go
+++ b/internal/authentication/token_test.go
@ -1,28 +1,29 @@
 package authentication

 import (
-	"log"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

-func isGoodToken(assert *assert.Assertions, require *require.Assertions, token string, compat bool) {
-	prefix := token[0:len(applicationTokenPrefix)]
-	token = token[len(applicationTokenPrefix):]
+const (
+	minRandomChars = 14
+)

-	// Although constant at the time of writing, this check should prevent future changes from generating insecure tokens.
-	if len(token) < 14 {
-		log.Fatalf("Tokens should have more random characters")
-	}
+func isGoodToken(assert *assert.Assertions, require *require.Assertions, token string, compat bool) {
+	tokenLength := len(token)

 	if compat {
-		assert.Equal(len(token), compatTokenLength, "Unexpected compatibility token length")
+		assert.Equal(tokenLength, compatTokenLength, "Unexpected compatibility token length")
 	} else {
-		assert.Equal(len(token), regularTokenLength, "Unexpected regular token length")
+		assert.Equal(tokenLength, regularTokenLength, "Unexpected regular token length")
 	}

+	randomChars := tokenLength - len(applicationTokenPrefix)
+	assert.GreaterOrEqual(randomChars, minRandomChars, "Token is too short to give sufficient entropy")
+
+	prefix := token[0:len(applicationTokenPrefix)]
 	assert.Equal(prefix, applicationTokenPrefix, "Invalid token prefix")

 	for _, c := range []byte(token) {