Revert "[GITEA] rework long-term authentication"

This reverts commit 8d2dab94a6.

routers/web/auth/auth.go

@@ -5,8 +5,6 @@
 package auth
 
 import (
-	"crypto/subtle"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
@@ -52,47 +50,21 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}
 
-	authCookie := ctx.GetSiteCookie(setting.CookieRememberName)
-	if len(authCookie) == 0 {
+	uname := ctx.GetSiteCookie(setting.CookieUserName)
+	if len(uname) == 0 {
 		return false, nil
 	}
 
 	isSucceed := false
 	defer func() {
 		if !isSucceed {
-			log.Trace("Auto login cookie is cleared: %s", authCookie)
+			log.Trace("auto-login cookie cleared: %s", uname)
+			ctx.DeleteSiteCookie(setting.CookieUserName)
 			ctx.DeleteSiteCookie(setting.CookieRememberName)
 		}
 	}()
 
-	lookupKey, validator, found := strings.Cut(authCookie, ":")
-	if !found {
-		return false, nil
-	}
-
-	authToken, err := auth.FindAuthToken(ctx, lookupKey)
-	if err != nil {
-		if errors.Is(err, util.ErrNotExist) {
-			return false, nil
-		}
-		return false, err
-	}
-
-	if authToken.IsExpired() {
-		err = auth.DeleteAuthToken(ctx, authToken)
-		return false, err
-	}
-
-	rawValidator, err := hex.DecodeString(validator)
-	if err != nil {
-		return false, err
-	}
-
-	if subtle.ConstantTimeCompare([]byte(authToken.HashedValidator), []byte(auth.HashValidator(rawValidator))) == 0 {
-		return false, nil
-	}
-
-	u, err := user_model.GetUserByID(ctx, authToken.UID)
+	u, err := user_model.GetUserByName(ctx, uname)
 	if err != nil {
 		if !user_model.IsErrUserNotExist(err) {
 			return false, fmt.Errorf("GetUserByName: %w", err)
@@ -100,11 +72,17 @@ func AutoSignIn(ctx *context.Context) (bool, error) {
 		return false, nil
 	}
 
+	if val, ok := ctx.GetSuperSecureCookie(
+		base.EncodeMD5(u.Rands+u.Passwd), setting.CookieRememberName); !ok || val != u.Name {
+		return false, nil
+	}
+
 	isSucceed = true
 
 	if err := updateSession(ctx, nil, map[string]any{
 		// Set session IDs
-		"uid": authToken.UID,
+		"uid":   u.ID,
+		"uname": u.Name,
 	}); err != nil {
 		return false, fmt.Errorf("unable to updateSession: %w", err)
 	}
@@ -313,10 +291,10 @@ func handleSignIn(ctx *context.Context, u *user_model.User, remember bool) {
 
 func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRedirect bool) string {
 	if remember {
-		if err := ctx.SetLTACookie(u); err != nil {
-			ctx.ServerError("GenerateAuthToken", err)
-			return setting.AppSubURL + "/"
-		}
+		days := 86400 * setting.LogInRememberDays
+		ctx.SetSiteCookie(setting.CookieUserName, u.Name, days)
+		ctx.SetSuperSecureCookie(base.EncodeMD5(u.Rands+u.Passwd),
+			setting.CookieRememberName, u.Name, days)
 	}
 
 	if err := updateSession(ctx, []string{
@@ -329,7 +307,8 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 		"twofaRemember",
 		"linkAccount",
 	}, map[string]any{
-		"uid": u.ID,
+		"uid":   u.ID,
+		"uname": u.Name,
 	}); err != nil {
 		ctx.ServerError("RegenerateSession", err)
 		return setting.AppSubURL + "/"
@@ -390,6 +369,7 @@ func getUserName(gothUser *goth.User) string {
 func HandleSignOut(ctx *context.Context) {
 	_ = ctx.Session.Flush()
 	_ = ctx.Session.Destroy(ctx.Resp, ctx.Req)
+	ctx.DeleteSiteCookie(setting.CookieUserName)
 	ctx.DeleteSiteCookie(setting.CookieRememberName)
 	ctx.Csrf.DeleteCookie(ctx)
 	middleware.DeleteRedirectToCookie(ctx.Resp)
@@ -752,7 +732,8 @@ func handleAccountActivation(ctx *context.Context, user *user_model.User) {
 	log.Trace("User activated: %s", user.Name)
 
 	if err := updateSession(ctx, nil, map[string]any{
-		"uid": user.ID,
+		"uid":   user.ID,
+		"uname": user.Name,
 	}); err != nil {
 		log.Error("Unable to regenerate session for user: %-v with email: %s: %v", user, user.Email, err)
 		ctx.ServerError("ActivateUserEmail", err)