WebAuthn CredentialID field needs to be increased in size #20530
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WebAuthn have updated their specification to set the maximum size of the CredentialID to 1023 bytes. This is somewhat larger than our current size and therefore we need to migrate. Fix go-gitea#20457 Signed-off-by: Andrew Thornton <[email protected]>
|
Yes this has a migration. I suggest we just port the back the unnecessary migration that is between these two and/or the associated PR. |
GiteaBot
added
the
lgtm/need 2
GiteaBot
added
lgtm/need 1
Gusted
approved these changes
Jul 28, 2022
GiteaBot
added
lgtm/done
6543
reviewed
Jul 28, 2022
|
LGTM, how about setting the length to a large-enough value, like 8000? There should be no difference between 1640 and 8000 on database side, then no worry about overflowing anymore. |
|
The field is indexed and is searched directly so it's potentially bad on db systems like MySQL which store the value directly within the index. I'm not sure if these would store the max string size eg. 8000 bytes or whether they'd just store the string. If it's just the string then it's no worse but I don't know. The spec has written clearly that this is at most 1023 bytes - previously it wasn't very clear on this hence the change. I guess the question is are they likely to increase it? My suspicion is we'd get more forewarning in that case. I think if they do increase it again we're probably gonna need to think again about how we implement this. It could be that at that point we'd need to be doing shasums of the credential id searching for that and then doing equality of the credential id - if only to keep the index from being too large. |
|
And in fact I think we've hit the problem I was referring to. Looking at the tests I see: Sigh I think we're going to need to do a bit more work here. |
…bauthn-credential-field
Merged
Signed-off-by: Andrew Thornton <[email protected]>
|
OK I've had to do something a lot more horrible because of MySQL's index issue. |
Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
Gusted
reviewed
Jul 29, 2022
Signed-off-by: Andrew Thornton <[email protected]>
zeripath
commented
Jul 29, 2022
6543
reviewed
Jul 30, 2022
6543
reviewed
Jul 30, 2022
6543
approved these changes
Jul 30, 2022
|
🚀 |
6543
pushed a commit
to 6543-forks/gitea
that referenced
this pull request
Jul 30, 2022
…0530) WebAuthn have updated their specification to set the maximum size of the CredentialID to 1023 bytes. This is somewhat larger than our current size and therefore we need to migrate. The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string to the bytes field before another migration drops the old CredentialID field. Another migration renames this field back. Fix go-gitea#20457 Signed-off-by: Andrew Thornton <[email protected]>
6543
added a commit
that referenced
this pull request
Jul 30, 2022
…20555) WebAuthn have updated their specification to set the maximum size of the CredentialID to 1023 bytes. This is somewhat larger than our current size and therefore we need to migrate. The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string to the bytes field before another migration drops the old CredentialID field. Another migration renames this field back. Fix #20457 Signed-off-by: Andrew Thornton <[email protected]> Co-authored-by: zeripath <[email protected]>
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Aug 1, 2022
* giteaofficial/main: (29 commits) [skip ci] Updated translations via Crowdin Support localized README (go-gitea#20508) Clean up and fix clone button script (go-gitea#20415) Add disable download source configuration (go-gitea#20548) Fix default merge style (go-gitea#20564) Update login methods in package docs (go-gitea#20561) Add missing Tabs on organisation/package view (Frontport go-gitea#20539) (go-gitea#20540) [skip ci] Updated licenses and gitignores Add setting `SQLITE_JOURNAL_MODE` to enable WAL (go-gitea#20535) Rework file highlight rendering and fix yaml copy-paste (go-gitea#19967) Add new API endpoints for push mirrors management (go-gitea#19841) WebAuthn CredentialID field needs to be increased in size (go-gitea#20530) Add latest commit's SHA to content response (go-gitea#20398) Improve token and secret key generation docs (go-gitea#20387) [skip ci] Updated translations via Crowdin Rework raw file http header logic (go-gitea#20484) Update lunny/levelqueue to prevent NPE when reads are performed after close (go-gitea#20534) Added guidance on file to choose to download (go-gitea#20474) [skip ci] Updated translations via Crowdin Ensure that all unmerged files are merged when conflict checking (go-gitea#20528) ...
vsysoev
pushed a commit
to IntegraSDL/gitea
that referenced
this pull request
Aug 10, 2022
…0530) WebAuthn have updated their specification to set the maximum size of the CredentialID to 1023 bytes. This is somewhat larger than our current size and therefore we need to migrate. The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string to the bytes field before another migration drops the old CredentialID field. Another migration renames this field back. Fix go-gitea#20457 Signed-off-by: Andrew Thornton <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
WebAuthn have updated their specification to set the maximum size of the
CredentialID to 1023 bytes. This is somewhat larger than our current
size and therefore we need to migrate.
The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string
to the bytes field before another migration drops the old CredentialID field. Another migration
renames this field back.
Fix #20457
Signed-off-by: Andrew Thornton [email protected]