commit 9588300b2310754aad4bb34786bb9b0351f459f5
from: Omar Polo
date: Sat Jun 07 10:53:19 2025 UTC
use uid instead of username as string
commit - a0993bddf38dffabddd7d5b9a246f35cc00121ef
commit + 9588300b2310754aad4bb34786bb9b0351f459f5
blob - d0f886fe876d26c60a5fe6f31cf305ca77299395
blob + 2c9b4c7b9ec28cf3ae4da688e73c2b199a61c175
--- gotwebd/auth.c
+++ gotwebd/auth.c
@@ -64,7 +64,7 @@ auth_init(void)
 /*
 * The token format is:
 *
- * "v1\0"[issued at/64bit][expire/64bit][username]"\0"[host]"\0"
+ * "v1\0"[issued at/64bit][expire/64bit][uid/64bit][host]"\0"
 *
 * followed by the HMAC-SHA256 of it, all encoded in base64.
 */
@@ -93,7 +93,7 @@ auth_check_token(const char *token)
 /* xxx check for overflow */
 len = (strlen(token) / 4) * 3;
- if (len < 21 + 32) /* min length assuming empty username and host */
+ if (len < 28 + 32) /* min length assuming empty username and host */
 return -1;
 data = malloc(len);
@@ -137,7 +137,7 @@ auth_check_token(const char *token)
 /* */
 static char *
-auth_gen_token(const char *username, const char *hostname)
+auth_gen_token(uint64_t uid, const char *hostname)
 {
 BIO *bmem, *b64;
 BUF_MEM *bufm;
@@ -146,7 +146,7 @@ auth_gen_token(const char *username, const char *hostn
 FILE *fp;
 char *tok;
 uint64_t issued, expire; /* assume size_t(time_t) == 8 */
- size_t siz, ulen, hlen;
+ size_t siz, hlen;
 unsigned int hmaclen; /* openssl... */
 issued = time(NULL);
@@ -157,13 +157,12 @@ auth_gen_token(const char *username, const char *hostn
 return NULL;
 /* include NUL */
- ulen = strlen(username) + 1;
 hlen = strlen(hostname) + 1;
 if (fwrite("v1", 1, 3, fp) != 3 ||
 fwrite(&issued, 1, 8, fp) != 8 ||
 fwrite(&expire, 1, 8, fp) != 8 ||
- fwrite(username, 1, ulen, fp) != ulen ||
+ fwrite(&uid, 1, 8, fp) != 8 ||
 fwrite(hostname, 1, hlen, fp) != hlen) {
 fclose(fp);
 free(tok);
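Review bot: The format comment keeps the `"v1\0"` tag although the third field changes from a NUL-terminated username to a fixed 8-byte uid, so the tag no longer tells the two layouts apart. If the HMAC key can outlive an upgrade (not visible in this diff), a token issued under the old layout would still verify, and its username and host bytes would presumably be read as a uid. Changing the tag to `"v2\0"` here and in the `fwrite("v1", 1, 3, fp)` of the -157 hunk would let the checker reject such tokens by version. The comment could also say that the three 64-bit fields are stored in host byte order, since they are written straight from memory.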
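Review bot: The comment on the changed line still reads `min length assuming empty username and host`, but the username is gone; 28 is the 3-byte tag, three 8-byte fields and the host's NUL, so it should read `/* min length assuming empty host */`. Note also that `len` at this point is the estimate `(strlen(token) / 4) * 3` taken before decoding, which base64 padding can overstate by up to two bytes. With the uid now read at a fixed offset, the same `28 + 32` bound should hold for the actual decoded length as well. Whether the rest of auth_check_token rechecks it is outside this hunk.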
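Review bot: In `fwrite(&uid, 1, 8, fp) != 8` the literal 8 is right only while the parameter stays `uint64_t`; if it is ever narrowed to `uid_t`, the call would copy bytes beyond the object into the signed token. Writing `fwrite(&uid, 1, sizeof(uid), fp) != sizeof(uid)` ties the length to the object, and a `_Static_assert(sizeof(uid) == 8, "token uid field is 64 bit");` next to it keeps the layout fixed. The same applies to the existing `issued` and `expire` lines. auth_gen_token starts and ends outside this hunk.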
@@ -410,7 +409,7 @@ client_read(struct bufferevent *bev, void *d)
 hostname = cmd;
 /* XXX */
- code = auth_gen_token("op", hostname);
+ code = auth_gen_token(1000, hostname);
 if (code == NULL) {
 log_warn("%s: auth_gen_token failed", __func__);
 client_err(bev, EVBUFFER_READ, client);
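Review bot: `auth_gen_token(1000, hostname)` issues every token for the fixed uid 1000, whichever client sent the request, so the uid field that the MAC now covers does not yet identify anyone. The `/* XXX */` marker is carried over from the old code but does not say what is missing; I would spell it out, e.g. `/* XXX placeholder uid: must come from the authenticated peer */`. `hostname` is assigned from `cmd` just above, which looks like client-supplied data, and how it is validated is not visible here. client_read starts and ends outside this hunk.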