feat: use runner token hash

routers/api/bots/runner/runner.go

@@ -14,7 +14,6 @@ import (
 	git_model "code.gitea.io/gitea/models/git"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/models/webhook"
-	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/bots"
 	"code.gitea.io/gitea/modules/json"
 	"code.gitea.io/gitea/modules/log"
@@ -82,11 +81,13 @@ func (s *Service) Register(
 		Name:         req.Msg.Name,
 		OwnerID:      runnerToken.OwnerID,
 		RepoID:       runnerToken.RepoID,
-		Token:        base.EncodeSha1(gouuid.New().String())[:36],
 		Status:       runnerv1.RunnerStatus_RUNNER_STATUS_OFFLINE,
 		AgentLabels:  req.Msg.AgentLabels,
 		CustomLabels: req.Msg.CustomLabels,
 	}
+	if err := runner.GenerateToken(); err != nil {
+		return nil, errors.New("can't generate token")
+	}
 
 	// create new runner
 	if err := bots_model.NewRunner(ctx, runner); err != nil {

routers/api/bots/runner/unary.go

@@ -9,6 +9,7 @@ import (
 	"crypto/subtle"
 	"strings"
 
+	auth_model "code.gitea.io/gitea/models/auth"
 	bots_model "code.gitea.io/gitea/models/bots"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/timeutil"
@@ -39,7 +40,7 @@ var WithRunner = connect.WithInterceptors(connect.UnaryInterceptorFunc(func(unar
 			}
 			return nil, status.Error(codes.Internal, err.Error())
 		}
-		if subtle.ConstantTimeCompare([]byte(token), []byte(runner.Token)) != 1 {
+		if subtle.ConstantTimeCompare([]byte(runner.TokenHash), []byte(auth_model.HashToken(token, runner.TokenSalt))) != 1 {
 			return nil, status.Error(codes.Unauthenticated, "unregistered runner")
 		}