feat: EdDSA token for database leakage/index mitigation

[eternal-flame-AD]

Fixes #325 , supercedes #707

Backend should be working with tests now, I'm currently settling on a timestamp based signature scheme like TOTP with more relaxed window (+-15 minutes for now).

also refactored some tests that used to rely on hijacking the token generation function to be consistency/property based.

[jmattheis]

Could you answer the questions in #966 (comment)?

[jmattheis]

Do we want to include this PR in the Gotify 3 release?

[eternal-flame-AD]

I don't think it's a breaking change so maybe not necessary?

I can work on it a bit more next week and hopefully get a review Friday or so.

[eternal-flame-AD]

Oh actually probably yes we should merge it before v3.. we should do it since it will hide all the new tokens after generation and that might break workflows.

[codecov]

Codecov Report

❌ Patch coverage is 71.42857% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.33%. Comparing base (8221c0b) to head (44f865a).

Files with missing lines	Patch %	Lines
auth/token.go	77.31%	11 Missing and 11 partials ⚠️
auth/authentication.go	29.41%	10 Missing and 2 partials ⚠️
plugin/example/echo/echo.go	0.00%	3 Missing ⚠️
api/oidc.go	66.66%	1 Missing and 1 partial ⚠️
plugin/testing/mock/mock.go	60.00%	1 Missing and 1 partial ⚠️
runner/runner.go	0.00%	2 Missing ⚠️
plugin/testing/broken/malformedconstructor/main.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #971      +/-   ##
==========================================
- Coverage   74.70%   74.33%   -0.38%     
==========================================
  Files          67       66       -1     
  Lines        3357     3444      +87     
==========================================
+ Hits         2508     2560      +52     
- Misses        665      686      +21     
- Partials      184      198      +14     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[eternal-flame-AD]

1. I think we could leave the timestamp in but undocumented for now, I like the current shape allows us to adapt to future needs like signed shared message links. It's strictly gated behind a valid verify so it shouldn't open up additional security problems
2. We probably should have some support for token rotation at least for applications (an elevated endpoint for regenerating tokens). I can create an issue for that later.

[Copilot]

Pull request overview

Introduces an Ed25519-based “enhanced token” scheme to mitigate database token leakage by storing a non-secret public form server-side while returning/using a private form client-side (and optionally supporting timestamp signatures). The UI is adjusted to only reveal app/client tokens once at creation time, and the API/docs/tests are updated to reflect the new token lifecycle.

Changes:

• Added EnhancedToken (Ed25519) generation/parsing/signing utilities and updated authentication/token generation to store public-form tokens while issuing private-form tokens to clients (including session cookies).
• Updated API responses and UI to stop displaying tokens in tables and instead show tokens only once on create dialogs; updated UI e2e tests accordingly.
• Refactored Go tests and plugin compat code (e.g., any, slices.Contains, build tags) and updated OpenAPI spec to match token visibility changes.

Reviewed changes

Copilot reviewed 56 out of 56 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
ui/src/tests/utils.ts	Updates client table column indices after removing token column.
ui/src/tests/setup.ts	Puppeteer launch config updated (adds Chromium executable path).
ui/src/tests/selector.ts	Adds <p> selector helper for token display assertions.
ui/src/tests/elevation.test.ts	Adjusts flow to finish client creation before assertions.
ui/src/tests/client.test.ts	Updates client creation/update tests for “token shown once” dialog flow.
ui/src/tests/application.test.ts	Updates application tests for “token shown once” dialog flow and removed token column.
ui/src/common/CopyableSecret.tsx	Refactors clipboard copying to shared helper.
ui/src/clipboard.ts	Adds centralized clipboard helper (with fallback).
ui/src/client/ClientStore.ts	Makes create return the newly issued token for one-time display.
ui/src/client/Clients.tsx	Removes token column from client list UI.
ui/src/client/AddClientDialog.tsx	Shows client token only once after creation + copy/select UX.
ui/src/application/AppStore.ts	Makes create return the newly issued token for one-time display.
ui/src/application/Applications.tsx	Removes token column from application list UI.
ui/src/application/AddApplicationDialog.tsx	Shows application token only once after creation + copy/select UX.
test/token.go	Removes old deterministic token generator helper.
test/token_test.go	Removes tests for removed deterministic token helper.
test/asserts.go	Uses any in test helpers.
test/asserts_test.go	Uses any in fake testing helper.
runner/runner.go	Uses strings.CutPrefix for unix address parsing.
router/router_test.go	Integration test updates (currently includes token logging).
plugin/testing/mock/mock.go	Uses slices.Contains and any updates for test plugin mock.
plugin/testing/broken/malformedconstructor/main.go	Uses any return type for malformed constructor plugin.
plugin/manager.go	Updates plugin/app token generation for new token scheme.
plugin/manager_test.go	Updates plugin manager tests for new token generator signature/behavior.
plugin/manager_test_race.go	Removes legacy build tag line.
plugin/manager_test_norace.go	Removes legacy build tag line.
plugin/example/echo/echo.go	Uses any + extras map typing update.
plugin/compat/wrap_test.go	Removes legacy build tag line.
plugin/compat/wrap_test_race.go	Removes legacy build tag line.
plugin/compat/wrap_test_norace.go	Removes legacy build tag line.
plugin/compat/v1.go	Uses any in wrapper config methods.
plugin/compat/v1_test.go	Updates extras map typing to map[string]any.
plugin/compat/instance.go	Uses any and slices.Contains; updates message extras typing.
model/message.go	Updates Extras typing to map[string]any.
model/client.go	Updates swagger annotations (token no longer required).
model/application.go	Updates swagger annotations (token no longer required).
docs/spec.json	Updates OpenAPI spec for token visibility/required fields and security blocks formatting.
database/user.go	Uses any for variadic conditions.
database/database.go	Uses any in gorm logger writer signature.
auth/token.go	Implements Ed25519 enhanced tokens; changes app/client token generation to return public+private forms.
auth/token_test.go	Updates tests for enhanced token parsing/signing (currently includes token logging).
auth/authentication.go	Adds enhanced-token parsing/canonicalization + cookie preservation.
api/user.go	Uses any for variadic conditions in interface.
api/tokens_test.go	Updates token format assertions for enhanced tokens.
api/stream/stream_test.go	Uses any in websocket write stub; adjusts loop syntax.
api/stream/client.go	Uses any in websocket write helper signature.
api/session.go	Stores public token in DB and sets private token in session cookie.
api/session_test.go	Removes token hijacking; asserts session cookie contains enhanced token.
api/oidc.go	Creates client with public token in DB, returns private token for cookie use.
api/oidc_test.go	Removes token hijacking; asserts enhanced token behavior and DB storage.
api/message.go	Uses map[string]any when decoding extras.
api/message_test.go	Updates extras typing to any.
api/client.go	Stores public token in DB, returns private token on create; strips token on list.
api/client_test.go	Updates client tests for public-in-DB/private-in-response behavior.
api/application.go	Stores public token in DB, returns private token on create; strips token on list.
api/application_test.go	Updates application tests for public-in-DB/private-in-response behavior and image dir handling.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jmattheis]

We probably should have some support for token rotation at least for applications (an elevated endpoint for regenerating tokens). I can create an issue for that later.

Yeah, if the tokens aren't viewable in the UI anymore, this will be necessary for the 3.0 release. Currently, the token column is removed from the table. For existing users this may seem like a bug if there is no replacement. Can be done in a separate issue.

[eternal-flame-AD]

sounds good, let's do it in a separate issue/PR

[jmattheis]

Return the error here too.

[jmattheis]

In the database the public hey is stored in the same format as the private key. When a user inspects the database, it seems like it could be used for authentication, but in reality it's a different key with the same prefix.

Maybe we can differentiate the pub / private key format prefix.

But given that the public key is transferred when using signing it may be okay. What do you think?

[eternal-flame-AD]

I'm not super sure what you are trying to say. Do you mean we shouldn't use the length of the key alone to distinguish private and public keys, or the database shouldn't look confusing to someone trying to recover the credential frm inside the database and would be blocked because of this? For the latter one I would think it doesn't matter that much - the logic is pretty clear to me: if it starts with gtfy then it's an asymetric credential.

If you simply meant the private form could look different - sure ,what do you think would be good? I thought gtfy is a good thing because some users might have already modified the token field to something else, so I wanted some magic string that is not one character.

[jmattheis]

maybe add a omitempty to client/app token. Now it's returned as empty string.

[jmattheis]

Suggested change

	token := NewEnhancedToken("A12")
	token := NewEnhancedToken("a")