If a row in the two_factor table references a non existent user, it may contain a secret that has an invalid format. Such an orphaned row is never used and should be removed.
Improve the error message to suggest using the doctor to remove it.
Fixes: https://codeberg.org/forgejo/forgejo/issues/6637
## Testing
- make TAGS='sqlite sqlite_unlock_notify' watch
- make TAGS='sqlite sqlite_unlock_notify' forgejo
- sqlite3 data/gitea.db 'INSERT INTO two_factor VALUES( 0, 500, "", "", "", "", 0, 0)'
- ./forgejo doctor check --run check-db-consistency
```
[1] Check consistency of database
- [W] Found 1 Orphaned TwoFactor without existing User
OK
All done (checks: 1).
```
- ./forgejo doctor check --run check-db-consistency --fix
```
[1] Check consistency of database
- [I] Deleted 1 Orphaned TwoFactor without existing User
OK
All done (checks: 1).
```
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/6639): <!--number 6639 --><!--line 0 --><!--description VGVhY2ggdGhlIGRvY3RvciB0byByZW1vdmUgb3JwaGFuZWQgdHdvX2ZhY3RvciB3aXRoIGBmb3JnZWpvIGRvY3RvciBjaGVjayAtLXJ1biBjaGVjay1kYi1jb25zaXN0ZW5jeSAtLWZpeGAuIFN1Y2ggcm93cyBtYXkgY29udGFpbiBpbnZhbGlkIGRhdGEgYW5kIFtibG9jayB0aGUgbWlncmF0aW9uIHRvIHYxMF0oaHR0cHM6Ly9jb2RlYmVyZy5vcmcvZm9yZ2Vqby9mb3JnZWpvL2lzc3Vlcy82NjM3KSB3aXRoIGEgbWVzc2FnZSBzdWNoIGFzIGBmYWlsZWQ6IEFlc0RlY3J5cHQgaW52YWxpZCBkZWNyeXB0ZWQgYmFzZTY0IHN0cmluZzogaWxsZWdhbCBiYXNlNjQgZGF0YSBhdCBpbnB1dCBieXRlIDBgLg==-->Teach the doctor to remove orphaned two_factor with `forgejo doctor check --run check-db-consistency --fix`. Such rows may contain invalid data and [block the migration to v10](https://codeberg.org/forgejo/forgejo/issues/6637) with a message such as `failed: AesDecrypt invalid decrypted base64 string: illegal base64 data at input byte 0`.<!--description-->
<!--end release-notes-assistant-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6639
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
Help some users like #16832#1851
There are many users reporting similar problem: if the SECRET_KEY
mismatches, some operations (like 2FA login) only reports unclear 500
error and unclear "base64 decode error" log (some maintainers ever spent
a lot of time on debugging such problem)
The SECRET_KEY was not well-designed and it is also a kind of technical
debt. Since it couldn't be fixed easily, it's good to add clearer error
messages, then at least users could know what the real problem is.
---------
Co-authored-by: delvh <dev.lh@web.de>
minio/sha256-simd provides additional acceleration for SHA256 using
AVX512, SHA Extensions for x86 and ARM64 for ARM.
It provides a drop-in replacement for crypto/sha256 and if the
extensions are not available it falls back to standard crypto/sha256.
---------
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Change all license headers to comply with REUSE specification.
Fix#16132
Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>
- Switch to use `CryptoRandomBytes` instead of `CryptoRandomString`, OAuth's secrets are copied pasted and don't need to avoid dubious characters etc.
- `CryptoRandomBytes` gives  `CryptoRandomString` gives  possible states.
- Add a prefix, such that code scanners can easily grep these in source code.
- 32 Bytes + prefix
* Use single shared random string generation function
- Replace 3 functions that do the same with 1 shared one
- Use crypto/rand over math/rand for a stronger RNG
- Output only alphanumerical for URL compatibilty
Fixes: #15536
* use const string method
* Update modules/avatar/avatar.go
Co-authored-by: a1012112796 <1012112796@qq.com>
Co-authored-by: a1012112796 <1012112796@qq.com>
