feat: EdDSA token for database leakage/index mitigation#971
Open
eternal-flame-AD wants to merge 8 commits into
Open
feat: EdDSA token for database leakage/index mitigation#971eternal-flame-AD wants to merge 8 commits into
eternal-flame-AD wants to merge 8 commits into
Conversation
eternal-flame-AD
force-pushed
the
pk-token
branch
from
a1ebdd4 to
6e5d835
Compare
eternal-flame-AD
force-pushed
the
pk-token
branch
from
6e5d835 to
131aa21
Compare
Member
|
Could you answer the questions in #966 (comment)? |
jmattheis
reviewed
Jun 20, 2026
| @@ -16,7 +16,7 @@ var ping = func(conn *websocket.Conn) error { | |||
| return conn.WriteMessage(websocket.PingMessage, nil) | |||
Member
There was a problem hiding this comment.
Do we want to include this PR in the Gotify 3 release?
Member
Author
There was a problem hiding this comment.
I don't think it's a breaking change so maybe not necessary?
I can work on it a bit more next week and hopefully get a review Friday or so.
Member
Author
There was a problem hiding this comment.
Oh actually probably yes we should merge it before v3.. we should do it since it will hide all the new tokens after generation and that might break workflows.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #971 +/- ##
==========================================
- Coverage 74.70% 74.39% -0.32%
==========================================
Files 67 66 -1
Lines 3357 3441 +84
==========================================
+ Hits 2508 2560 +52
- Misses 665 683 +18
- Partials 184 198 +14 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
eternal-flame-AD
force-pushed
the
pk-token
branch
from
9a5063f to
9fa0dec
Compare
Member
Author
|
There was a problem hiding this comment.
Pull request overview
Introduces an Ed25519-based “enhanced token” scheme to mitigate database token leakage by storing a non-secret public form server-side while returning/using a private form client-side (and optionally supporting timestamp signatures). The UI is adjusted to only reveal app/client tokens once at creation time, and the API/docs/tests are updated to reflect the new token lifecycle.
Changes:
- Added
EnhancedToken(Ed25519) generation/parsing/signing utilities and updated authentication/token generation to store public-form tokens while issuing private-form tokens to clients (including session cookies). - Updated API responses and UI to stop displaying tokens in tables and instead show tokens only once on create dialogs; updated UI e2e tests accordingly.
- Refactored Go tests and plugin compat code (e.g.,
any,slices.Contains, build tags) and updated OpenAPI spec to match token visibility changes.
Reviewed changes
Copilot reviewed 56 out of 56 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| ui/src/tests/utils.ts | Updates client table column indices after removing token column. |
| ui/src/tests/setup.ts | Puppeteer launch config updated (adds Chromium executable path). |
| ui/src/tests/selector.ts | Adds <p> selector helper for token display assertions. |
| ui/src/tests/elevation.test.ts | Adjusts flow to finish client creation before assertions. |
| ui/src/tests/client.test.ts | Updates client creation/update tests for “token shown once” dialog flow. |
| ui/src/tests/application.test.ts | Updates application tests for “token shown once” dialog flow and removed token column. |
| ui/src/common/CopyableSecret.tsx | Refactors clipboard copying to shared helper. |
| ui/src/clipboard.ts | Adds centralized clipboard helper (with fallback). |
| ui/src/client/ClientStore.ts | Makes create return the newly issued token for one-time display. |
| ui/src/client/Clients.tsx | Removes token column from client list UI. |
| ui/src/client/AddClientDialog.tsx | Shows client token only once after creation + copy/select UX. |
| ui/src/application/AppStore.ts | Makes create return the newly issued token for one-time display. |
| ui/src/application/Applications.tsx | Removes token column from application list UI. |
| ui/src/application/AddApplicationDialog.tsx | Shows application token only once after creation + copy/select UX. |
| test/token.go | Removes old deterministic token generator helper. |
| test/token_test.go | Removes tests for removed deterministic token helper. |
| test/asserts.go | Uses any in test helpers. |
| test/asserts_test.go | Uses any in fake testing helper. |
| runner/runner.go | Uses strings.CutPrefix for unix address parsing. |
| router/router_test.go | Integration test updates (currently includes token logging). |
| plugin/testing/mock/mock.go | Uses slices.Contains and any updates for test plugin mock. |
| plugin/testing/broken/malformedconstructor/main.go | Uses any return type for malformed constructor plugin. |
| plugin/manager.go | Updates plugin/app token generation for new token scheme. |
| plugin/manager_test.go | Updates plugin manager tests for new token generator signature/behavior. |
| plugin/manager_test_race.go | Removes legacy build tag line. |
| plugin/manager_test_norace.go | Removes legacy build tag line. |
| plugin/example/echo/echo.go | Uses any + extras map typing update. |
| plugin/compat/wrap_test.go | Removes legacy build tag line. |
| plugin/compat/wrap_test_race.go | Removes legacy build tag line. |
| plugin/compat/wrap_test_norace.go | Removes legacy build tag line. |
| plugin/compat/v1.go | Uses any in wrapper config methods. |
| plugin/compat/v1_test.go | Updates extras map typing to map[string]any. |
| plugin/compat/instance.go | Uses any and slices.Contains; updates message extras typing. |
| model/message.go | Updates Extras typing to map[string]any. |
| model/client.go | Updates swagger annotations (token no longer required). |
| model/application.go | Updates swagger annotations (token no longer required). |
| docs/spec.json | Updates OpenAPI spec for token visibility/required fields and security blocks formatting. |
| database/user.go | Uses any for variadic conditions. |
| database/database.go | Uses any in gorm logger writer signature. |
| auth/token.go | Implements Ed25519 enhanced tokens; changes app/client token generation to return public+private forms. |
| auth/token_test.go | Updates tests for enhanced token parsing/signing (currently includes token logging). |
| auth/authentication.go | Adds enhanced-token parsing/canonicalization + cookie preservation. |
| api/user.go | Uses any for variadic conditions in interface. |
| api/tokens_test.go | Updates token format assertions for enhanced tokens. |
| api/stream/stream_test.go | Uses any in websocket write stub; adjusts loop syntax. |
| api/stream/client.go | Uses any in websocket write helper signature. |
| api/session.go | Stores public token in DB and sets private token in session cookie. |
| api/session_test.go | Removes token hijacking; asserts session cookie contains enhanced token. |
| api/oidc.go | Creates client with public token in DB, returns private token for cookie use. |
| api/oidc_test.go | Removes token hijacking; asserts enhanced token behavior and DB storage. |
| api/message.go | Uses map[string]any when decoding extras. |
| api/message_test.go | Updates extras typing to any. |
| api/client.go | Stores public token in DB, returns private token on create; strips token on list. |
| api/client_test.go | Updates client tests for public-in-DB/private-in-response behavior. |
| api/application.go | Stores public token in DB, returns private token on create; strips token on list. |
| api/application_test.go | Updates application tests for public-in-DB/private-in-response behavior and image dir handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #325 , supercedes #707
Backend should be working with tests now, I'm currently settling on a timestamp based signature scheme like TOTP with more relaxed window (+-15 minutes for now).
also refactored some tests that used to rely on hijacking the token generation function to be consistency/property based.