From 3eaa54cd90b7fffc699b4d15549adb61cd8748c2 Mon Sep 17 00:00:00 2001
From: Zeke Gabrielse
Date: Tue, 12 Nov 2024 10:11:07 -0600
Subject: [PATCH] add deprecation for v1 tokens
---
 Gemfile | 2 +-
 Gemfile.lock | 2 +-
 app/models/concerns/tokenable.rb | 8 +++++++-
 app/services/license_key_lookup_service.rb | 2 ++
 app/services/token_lookup_service.rb | 2 ++
 5 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index caea774fc8..b92973f5ed 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,7 @@ ruby '3.3.6'
 gem 'rails', '~> 7.2.2'
 gem 'pg', '~> 1.3.4'
 gem 'puma', '~> 6.4.3'
-gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '3.1.17'
 gem 'rack', '~> 2.2.8.1'
 gem 'rack-timeout', require: 'rack/timeout/base' unless ENV.key?('NO_RACK_ATTACK')
diff --git a/Gemfile.lock b/Gemfile.lock
index e421d2ee1f..b424765897 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -530,7 +530,7 @@ DEPENDENCIES
   ar_lazy_preload (~> 2.0)
   aws-sdk-s3 (~> 1)
   barnes
-  bcrypt (~> 3.1.7)
+  bcrypt (= 3.1.17)
   bullet (~> 7.2)
   byebug
   compact_index
diff --git a/app/models/concerns/tokenable.rb b/app/models/concerns/tokenable.rb
index 16bf71317f..ee795186ab 100644
--- a/app/models/concerns/tokenable.rb
+++ b/app/models/concerns/tokenable.rb
@@ -57,7 +57,13 @@ def compare_hashed_token(attribute, token, version: ALGO_VERSION)
     case version
     when "v1"
       bcrypt = BCrypt::Password.new a
-      b = BCrypt::Engine.hash_secret Digest::SHA256.digest(token), bcrypt.salt
+      digest = Digest::SHA256.digest(token)
+
+      if digest.include?("\x00") # null byte
+        Keygen.logger.warn { "[tokenable] v1 token must be regenerated: tokenable_type=#{self.class.name.inspect} tokenable_id=#{id.inspect} tokenable_attr=#{attribute.inspect}" }
+      end
+
+      b = BCrypt::Engine.hash_secret digest, bcrypt.salt
     when "v2"
       b = OpenSSL::HMAC.hexdigest "SHA512", account.private_key, token
     when "v3"
diff --git a/app/services/license_key_lookup_service.rb b/app/services/license_key_lookup_service.rb
index 46fc0f0e54..f4e05a53be 100644
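Review bot: The `# null byte` comment on the new `if` in tokenable.rb says what is checked but not why it matters, and a maintainer who later loosens the exact `bcrypt` pin in the Gemfile hunk will not see the connection. From what the hunk shows, the raw SHA-256 digest is handed to `BCrypt::Engine.hash_secret` as a binary string, and bcrypt implementations that treat the secret as a C string stop at the first NUL, so the stored v1 hash covers only the digest bytes before it — presumably the reason the Gemfile now pins `3.1.17` instead of allowing newer releases that may handle NUL bytes differently. Suggest widening the comment to `# bcrypt stops at the first NUL in the secret, so the stored v1 hash covers only a digest prefix and verification depends on the pinned bcrypt version — such tokens must be regenerated`, and adding to the method's documentation that a v1 match is still accepted after the warning, so the log entry is the only operator-visible signal. The enclosing `compare_hashed_token` begins and ends outside the hunk, so where `b` is finally compared against `a` is not visible here.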
--- a/app/services/license_key_lookup_service.rb
+++ b/app/services/license_key_lookup_service.rb
@@ -20,6 +20,8 @@ def call
     license = licenses.find_by(id: matches[:license_id])
     if license&.compare_hashed_token(:key, key, version: 'v1')
+      Keygen.logger.warn { "[license-key-lookup-service] v1 keys are deprecated and must be regenerated: license_id=#{license.id.inspect}" }
+
       license
     else
       nil
diff --git a/app/services/token_lookup_service.rb b/app/services/token_lookup_service.rb
index af611b1094..0874b71a42 100644
--- a/app/services/token_lookup_service.rb
+++ b/app/services/token_lookup_service.rb
@@ -32,6 +32,8 @@ def call
     instance = tokens.find_by(id: m[:token_id])
     if instance&.compare_hashed_token(:digest, token, version: 'v1')
+      Keygen.logger.warn { "[token-lookup-service] v1 tokens are deprecated and must be regenerated: bearer_type=#{instance.bearer.class.name.inspect} bearer_id=#{instance.bearer.id.inspect} token_id=#{instance.id.inspect}" }
+
       instance
     else
       nil
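Review bot: The warning in license_key_lookup_service.rb fires only when a v1 key is actually presented and verifies, so licenses that remain on v1 but are never looked up are never reported; if the intent is to retire v1 before the bcrypt pin has to move, the log line is a supplementary signal and an inventory of stored v1 keys has to come from elsewhere. Since `compare_hashed_token` in the tokenable hunk now also logs for digests containing a NUL, a single successful lookup can emit two warnings for the same key, which is worth stating in a short comment above the new line, e.g. `# may double up with the [tokenable] warning for the same key; both are expected during the v1 sunset`. Only `license.id` is interpolated, never the key value, which is the right choice for a log line. The enclosing `call` method starts and ends outside the hunk.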
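Review bot: `instance.bearer.id.inspect` in the new warning in token_lookup_service.rb raises `NoMethodError` if `bearer` is ever `nil` — `nil.class.name` is harmless but `nil.id` is not — and because the exception escapes the logger block, a deprecation log line would turn an otherwise successful token lookup into a request failure. If the association can be nil (an orphaned token, say), write `bearer_id=#{instance.bearer&.id.inspect}`, or log the foreign-key columns backing `bearer` if it is a polymorphic `belongs_to`, which also avoids loading the association on every v1 lookup in what looks like a hot authentication path. As in the license-key hunk, only ids are logged and never the token value, which is correct. `call` begins and ends outside the hunk.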