From 94241daaaa5be1991aafd759acff313b133b7acc Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Tue, 15 Nov 2022 11:56:58 +0800
Subject: [PATCH] feat: check runner token

---
 routers/api/bots/runner/unary.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/routers/api/bots/runner/unary.go b/routers/api/bots/runner/unary.go
index e880bde7fe..be553d7e26 100644
--- a/routers/api/bots/runner/unary.go
+++ b/routers/api/bots/runner/unary.go
@@ -6,6 +6,7 @@ package runner

 import (
 "context"
+ "crypto/subtle"
 "strings"

 bots_model "code.gitea.io/gitea/models/bots"
@@ -21,6 +22,7 @@ import (
 const (
 runnerOnlineTimeDeltaSecs = 30
 uuidHeaderKey = "x-runner-uuid"
+ tokenHeaderKey = "x-runner-token"
 )

 var WithRunner = connect.WithInterceptors(connect.UnaryInterceptorFunc(func(unaryFunc connect.UnaryFunc) connect.UnaryFunc {
@@ -29,6 +31,7 @@ var WithRunner = connect.WithInterceptors(connect.UnaryInterceptorFunc(func(unar
 return unaryFunc(ctx, request)
 }
 uuid := request.Header().Get(uuidHeaderKey)
+ token := request.Header().Get(tokenHeaderKey)
 runner, err := bots_model.GetRunnerByUUID(uuid)
 if err != nil {
 if _, ok := err.(bots_model.ErrRunnerNotExist); ok {
@@ -36,6 +39,9 @@ var WithRunner = connect.WithInterceptors(connect.UnaryInterceptorFunc(func(unar
 }
 return nil, status.Error(codes.Internal, err.Error())
 }
+ if subtle.ConstantTimeCompare([]byte(token), []byte(runner.Token)) != 1 {
+ return nil, status.Error(codes.Unauthenticated, "unregistered runner")
+ }

 // update runner online status
 if runner.Status == runnerv1.RunnerStatus_RUNNER_STATUS_OFFLINE {
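Review bot: The token check added in the last hunk would accept an empty credential whenever the stored value is empty, because `request.Header().Get(tokenHeaderKey)` returns `""` for a missing header and `subtle.ConstantTimeCompare` of two empty slices returns 1. Whether `runner.Token` can be empty (for example on rows created before the token was populated) is not visible in this diff, so I would reject that case explicitly: `if token == "" || subtle.ConstantTimeCompare([]byte(token), []byte(runner.Token)) != 1 {`. A one-line comment such as `// constant-time compare; an empty token never authenticates` would record the intent for later readers. The comparison against `runner.Token` also suggests the secret is stored as plaintext; if so, storing and comparing a hash would limit the impact of a database read, though that is outside this hunk. The interceptor body begins and ends outside the hunk.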