Use base32 for 2FA scratch token (#18384)

* Use base32 for 2FA scratch token * rename Secure* to Crypto*, add comments
2025-07-22 18:28:37 +00:00 · 2022-01-26 12:10:10 +08:00
parent 4889ab52de
commit 49dd906753
11 changed files with 41 additions and 37 deletions
--- a/models/auth/twofactor.go
+++ b/models/auth/twofactor.go
@@ -8,6 +8,7 @@ import (
 	"crypto/md5"
 	"crypto/sha256"
 	"crypto/subtle"
+	"encoding/base32"
 	"encoding/base64"
 	"fmt"

@@ -58,11 +59,14 @@ func init() {

 // GenerateScratchToken recreates the scratch token the user is using.
 func (t *TwoFactor) GenerateScratchToken() (string, error) {
-	token, err := util.RandomString(8)
+	tokenBytes, err := util.CryptoRandomBytes(6)
 	if err != nil {
 		return "", err
 	}
-	t.ScratchSalt, _ = util.RandomString(10)
+	// these chars are specially chosen, avoid ambiguous chars like `0`, `O`, `1`, `I`.
+	const base32Chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
+	token := base32.NewEncoding(base32Chars).WithPadding(base32.NoPadding).EncodeToString(tokenBytes)
+	t.ScratchSalt, _ = util.CryptoRandomString(10)
 	t.ScratchHash = HashToken(token, t.ScratchSalt)
 	return token, nil
 }