Disallow confirmation token reuse #98
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Asserts cookie is http_only, secure, and same-site is "strict". Closes stevepolitodesign#87.
Closes stevepolitodesign#86. The issue is that signed tokens have a simple payload by default that doesn't verify anything other than the record id and the token's purpose. This can lead to a security challenge as the token can be used to confirm anything that has the same "purpose" for that record. An example would be someone changing their email address to an email address that they don't control. Using one account, they change the email to an email address that they control and get the confirmation token. They then change the email to one that they can't access and use the token from the first request to "confirm" the second request. The tokens can be used any number of times as long as they're used before expiration. With this change, the email address is included as plain text in the request, as well as being used as part of the "purpose" in the token. The second request fails because the plain text email address is used to constrain the signed lookup. If they change the plain text email address in the link then the message will fail to be validated as the "purpose" won't match. Either way, the token is usable only for confirming the original email from the token's creation.
|
I wonder if we could use generates_token_for for this? |
|
I didn't notice generates_token_for before. That's essentially the same thing, although oddly it seems to be taking a different code path. I'm not using the confirmation functionality right now but might revisit this when I have time. It looks like the failing test is due to me allowing another change into this PR. Need to work on this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fairly complex and kind of ugly change fixes the token reuse issue for email confirmation.