• Describe the bug
    The decodeCookie method in AbstractRememberMeServices attempts to pad the cookie value for Base64 decoding. However, the current implementation may not correctly calculate the padding needed to ensure the string length is a multiple of 4, which is a requirement for Base64 decoding.

    Current Implementation

    // Appends (cookieValue.length() % 4) '=' characters before Base64 decoding
    for (int j = 0; j < cookieValue.length() % 4; j++) {
        cookieValue = cookieValue + "=";
    }

    To Reproduce
    Steps to reproduce the behavior.

    1. Pass a cookie value whose length modulo 4 is not 0 to the decodeCookie method without the correct padding.
    2. Observe the IllegalArgumentException due to invalid Base64 string format.

    Expected behavior
    The method should add padding characters so that the length of cookieValue becomes a multiple of 4 to adhere to Base64 decoding requirements. The padding should be calculated as 4 - (cookieValue.length() % 4) and should only add padding if the result is less than 4.

    Impact
    Without this fix, the decodeCookie method may throw IllegalArgumentException when attempting to decode improperly padded Base64 strings, leading to unhandled exceptions and potential disruptions in the remember-me authentication flow.

    Sample
    The 123 bit base64 encoding here

    YWRtaW46MTcxODk2NDE3NDgwODpTSEEtMjU2OmNkOTM0ZTAyZWQ4NGJmMzc1ZTA4MmE1OWU4YTA3NTNiMzA3ODg1MjZmYzA3YjgyYzVmY2Y3YmJiYzdjYzRkNWU
    

    will become the following code after passing through that section of code:

    YWRtaW46MTcxODk2NDE3NDgwODpTSEEtMjU2OmNkOTM0ZTAyZWQ4NGJmMzc1ZTA4MmE1OWU4YTA3NTNiMzA3ODg1MjZmYzA3YjgyYzVmY2Y3YmJiYzdjYzRkNWU===
    

    but the expected result should be

    YWRtaW46MTcxODk2NDE3NDgwODpTSEEtMjU2OmNkOTM0ZTAyZWQ4NGJmMzc1ZTA4MmE1OWU4YTA3NTNiMzA3ODg1MjZmYzA3YjgyYzVmY2Y3YmJiYzdjYzRkNWU=
    

    If it is confirmed that this is a problem, I am willing to try to solve it.

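    An added worked example (not code from Spring Security, halo or the issue author) that runs the padding loop quoted in the report and the corrected rule the report proposes over the report's own 123-character sample, then decodes both with the strict java.util.Base64 decoder, whose rejection of malformed padding is the IllegalArgumentException the report describes. The class and method names are this example's own; the three short plaintexts at the end are constructed inputs chosen so their unpadded encodings are 3, 0 and 2 mod 4 in length.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Spring Security or halo code: compares the padding loop
// quoted in the issue with the proposed calculation on the issue's sample
// cookie value and shows which result java.util.Base64 accepts.
public class RememberMePaddingDemo {

    // The 123-character sample from the issue (its trailing '=' already stripped).
    static final String SAMPLE =
            "YWRtaW46MTcxODk2NDE3NDgwODpTSEEtMjU2OmNkOTM0ZTAyZWQ4NGJmMzc1ZTA4MmE1OWU4YTA3"
          + "NTNiMzA3ODg1MjZmYzA3YjgyYzVmY2Y3YmJiYzdjYzRkNWU";

    // Padding loop as quoted in the issue: appends (length % 4) '=' characters.
    static String padAsReported(String cookieValue) {
        for (int j = 0; j < cookieValue.length() % 4; j++) {
            cookieValue = cookieValue + "=";
        }
        return cookieValue;
    }

    // Padding as the issue proposes: append 4 - (length % 4) '=' characters,
    // and only when that number is less than 4 (a length that is already a
    // multiple of 4 needs nothing).
    static String padAsProposed(String cookieValue) {
        int missing = 4 - (cookieValue.length() % 4);
        if (missing == 4) {
            return cookieValue;
        }
        return cookieValue + "=".repeat(missing);
    }

    // Strict RFC 4648 decoding via Base64.getDecoder(); returns null instead of
    // propagating the IllegalArgumentException the issue reports.
    static String tryDecode(String padded) {
        try {
            byte[] bytes = Base64.getDecoder().decode(padded);
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    static void show(String label, String padded) {
        String decoded = tryDecode(padded);
        System.out.printf("%-9s len=%d tail=%s -> %s%n", label, padded.length(),
                padded.substring(padded.length() - 6),
                decoded == null ? "IllegalArgumentException" : decoded);
    }

    public static void main(String[] args) {
        // 123 % 4 == 3: the reported loop appends three '=' and the decoder rejects
        // the value; the proposed rule appends one '=' and the sample decodes to
        // admin:1718964174808:SHA-256:<64 hex characters>.
        show("reported", padAsReported(SAMPLE));
        show("proposed", padAsProposed(SAMPLE));

        // Unpadded lengths of 0 and 2 mod 4 get the same number of '=' under both
        // rules (0 and 2), so the loop only fails when the unpadded value is
        // 3 mod 4, i.e. when the plaintext length is 2 mod 3. Constructed inputs:
        String[] plaintexts = {"user:1:SHA-256:ab", "user:1:SHA-256:abc", "user:1:SHA-256:abcd"};
        for (String plain : plaintexts) {
            String unpadded = Base64.getEncoder().withoutPadding()
                    .encodeToString(plain.getBytes(StandardCharsets.UTF_8));
            System.out.printf("plain len %d -> unpadded len %d: reported=%s proposed=%s%n",
                    plain.length(), unpadded.length(),
                    tryDecode(padAsReported(unpadded)) != null ? "ok" : "fails",
                    tryDecode(padAsProposed(unpadded)) != null ? "ok" : "fails");
        }
    }
}
```

    Running the class shows the reported loop producing "...NWU===" and failing, the proposed rule producing "...NWU=" and decoding cleanly, and, in the second loop, that only the 17-byte plaintext (unpadded length 23) trips the reported loop. That is why the defect surfaces only for some tokens: it depends on the length of the encoded username:expiry:algorithm:signature string modulo 3.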
  • @guqing guqing pushed to feature/remember-me in guqing/halo

    Below is the list of commits:

    • refactor: logout for remember me (7a0d4a1)
  • @guqing guqing pushed to feature/remember-me in guqing/halo

    Below is the list of commits:

    • pref: optimize code block backspace shortcut key logic (#5936) (b762a9d)
    • fix: deleting selected text in a list with the backspace key causes the list to revert (#5938) (d29da31)
    • refactor: improve code base of post category-related (#5958) (9bfe3a6)
    • Unify security configurations into one (#5961) (bbc5c97)
    • feat: add remember-me mechanism to enhance user login experience (f334069)
    • Merge remote-tracking branch 'upstream/main' into feature/remember-me (5d44445)
  • @guqing guqing commented on issue #5929 in halo-dev/halo

    /hold After discussion we found that implementing remember-me through the session cookie is easily overwritten, for example by TOTP, so this PR will implement a token-based approach that uses a new cookie value to avoid being affected.

  • @guqing guqing created a review on pull request #5961 in halo-dev/halo

    /approve

  • @guqing guqing created a review on pull request #5958 in halo-dev/halo
  • @guqing guqing created a review on pull request #5936 in halo-dev/halo

    /lgtm

  • @guqing guqing commented on issue #5929 in halo-dev/halo
  • @guqing guqing created a review on pull request #87 in halo-sigs/awesome-halo

    /lgtm
    /release-note-none
