go-gitea · 6543 · Feb 4, 2022 · Jan 28, 2022 · Jan 28, 2022 · Jan 28, 2022
diff --git a/models/auth/oauth2.go b/models/auth/oauth2.go
@@ -7,12 +7,12 @@ package auth
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"net/url"
 	"strings"
 
 	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/secret"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 
@@ -59,10 +59,14 @@ func (app *OAuth2Application) ContainsRedirectURI(redirectURI string) bool {
 
 // GenerateClientSecret will generate the client secret and returns the plaintext and saves the hash at the database
 func (app *OAuth2Application) GenerateClientSecret() (string, error) {
-	clientSecret, err := secret.New()
+	rBytes, err := util.CryptoRandomBytes(34)
 	if err != nil {
 		return "", err
 	}
+	// Add a prefix to the hexadecimal, this is in order to make it easier
+	// for code scanners to grab sensitive tokens.
+	clientSecret := "gto_" + hex.EncodeToString(rBytes)
+
 	hashedSecret, err := bcrypt.GenerateFromPassword([]byte(clientSecret), bcrypt.DefaultCost)
 	if err != nil {
 		return "", err
@@ -394,10 +398,14 @@ func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChalleng
 }
 
 func (grant *OAuth2Grant) generateNewAuthorizationCode(e db.Engine, redirectURI, codeChallenge, codeChallengeMethod string) (code *OAuth2AuthorizationCode, err error) {
-	var codeSecret string
-	if codeSecret, err = secret.New(); err != nil {
+	rBytes, err := util.CryptoRandomBytes(34)
+	if err != nil {
 		return &OAuth2AuthorizationCode{}, err
 	}
+	// Add a prefix to the hexadecimal, this is in order to make it easier
+	// for code scanners to grab sensitive tokens.
+	codeSecret := "gta_" + hex.EncodeToString(rBytes)
+
 	code = &OAuth2AuthorizationCode{
 		Grant:               grant,
 		GrantID:             grant.ID,

diff --git a/modules/secret/secret.go b/modules/secret/secret.go
@@ -13,20 +13,8 @@ import (
 	"encoding/hex"
 	"errors"
 	"io"
-
-	"code.gitea.io/gitea/modules/util"
 )
 
-// New creates a new secret
-func New() (string, error) {
-	return NewWithLength(44)
-}
-
-// NewWithLength creates a new secret for a given length
-func NewWithLength(length int64) (string, error) {
-	return util.CryptoRandomString(length)
-}
-
 // AesEncrypt encrypts text and given key with AES.
 func AesEncrypt(key, text []byte) ([]byte, error) {
 	block, err := aes.NewCipher(key)

diff --git a/modules/secret/secret_test.go b/modules/secret/secret_test.go
@@ -10,17 +10,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestNew(t *testing.T) {
-	result, err := New()
-	assert.NoError(t, err)
-	assert.True(t, len(result) == 44)
-
-	result2, err := New()
-	assert.NoError(t, err)
-	// check if secrets
-	assert.NotEqual(t, result, result2)
-}
-
 func TestEncryptDecrypt(t *testing.T) {
 	var hex string
 	var str string