Closed rkrueger11 closed 4 years ago
Hi @rkrueger11
Why do you include the Security Code in the payload of the session token when responding to the register endpoint? This is not encrypted and can easily be decoded.
Every time a new random security code is generated we generate a session_token
in order to identify that it is the same device that requested a verification.
For example, treat a case when you want to verify the user's phone number before even creating a user account for them. In this case, we want to ensure that the device that triggered the initial request for registration is the same device that is verifying the phone number.
Now, coming to your concern about This is not encrypted and can easily be decoded.
: No, this is not true. session_token
is a JWT that is encrypted with your Django's secret key. So, as long as you protect your secret key, the session_code won't be harmful.
If you expose your secret key, then even the user's information and all of your secret creds are at a risk.
Does this answer your query? Do you have any more questions/concerns?
@CuriousLearner Using this example, the JWT is not encrypted, but signed instead. JWT's can be encrypted.. but are usually not.
Ah, yes, you're right. The session_code are signed JWT tokens.
So then, if I wanted to "verify" a phone number, I could decode the JWT to determine the security code without access to the phone number at all.
The security code should be removed from immediately. I don't follow your use case which would supposedly require it to be passed back to the client.
Sorry, but can you help me with elaborating your statement:
I could decode the JWT to determine the security code without access to the phone number at all.
Sure.
If I wanted to "verify" my account using your phone number, I could:
This is a fundamental security flaw. As such, by using this package you can not guarantee that you are verifying any phone numbers and that the user actually has access to the phone numbers they are entering.
Oh, You're right, Ryan!
Thank you so much for reporting this.
I'm sorry. I've missed this for so long. Would you like to propose a patch? If not, I'll get this done next Tuesday and make a release.
I'm concerned about the security of this application. (or maybe I'm just confused?)
Why do you include the Security Code in the payload of the session token when responding to the register endpoint? This is not encrypted and can easily be decoded.
The end user would not need access to the phone number in order to type in the security code and "verify" they own the phone number.