Open IvanAnishchuk opened 5 years ago
ryanpetrello
commented
4 years ago I'm able to reproduce this in another open source project I maintain which uses DOT, and have added code in our project to work around it and properly validate REFRESH_TOKEN_EXPIRE_SECONDS when users attempt to use refresh tokens.
https://github.com/ansible/awx/issues/6630
@synasius @jleclanche this seems like a pretty severe security vulnerability in DOT. Any thoughts?
cristian-home
commented
4 years ago I'm able to reproduce this in another open source project I maintain which uses DOT, and have added code in our project to work around it and properly validate
REFRESH_TOKEN_EXPIRE_SECONDSwhen users attempt to use refresh tokens.@synasius @jleclanche this seems like a pretty severe security vulnerability in DOT. Any thoughts?
I agree, I use DOT to authenticate against a Rest API, and I have a SPA to which I must pass the access_token and the refresh_token, I pass the refresh_token through an httponly cookie and set the expiration time on it. But for the other scenarios where cookies are not used, such as a mobile app or server-to-server communication, the refresh_token will never expire.
There are two things that I noticed around
validate_refresh_token:REFRESH_TOKEN_EXPIRE_SECONDSentirely, regardless of whether it's set refresh tokens seem to work until the end of time (unless revoked or rotated).revokedtimestamp againstREFRESH_TOKEN_GRACE_PERIOD_SECONDSwhich is valid logic when tokens are revoked by rotation but not so much in case of voluntary revocation (logging out).clear_expiredhas two ways of determining which tokens to remove and both of them seem incorrect:revoked__lt=refresh_expire_at-- revoked is set tonowon revocation or rotation butclear_expiredwon't get them until after additionalEXPIRE_SECONDS,access_token__expires__lt=refresh_expire_at-- lets them sit in the database forEXPIRE_SECONDSafter access token expiration, not since the issue time (also if clear_expired is called often enough it's possible that it might remove the expired access token before it considers deleting the corresponding refresh token and the condition would never be met, leaving the refresh token in the db forever and causing other trouble).My proposal:
createdbeforenow() - REFRESH_TOKEN_EXPIRE_SECONDS(possibly- REFRESH_TOKEN_GRACE_PERIOD_SECONDSas well, not sure). Alternatively, see (4)revoked = now()set it tonow() + GRACE_PERIOD(and remove grace period subtraction everywhere, always comparerevokedwithnow) -- this way tokens revoked voluntarily would be revoked immediately but rotated tokens would continue to live until the grace period. Probably by adding an optional argument to therevoke()method (either timedelta/seconds to add or just boolean so that value is fetched from settings instead).createdtime, not (only) the others.RefreshToken.revokedthe same wayAccessToken.expiresis used: if REFRESH_TOKEN_EXPIRE_SECONDS is set, setrevoked = now + EXPIRE_SECONDSon issuing a new token, to simplify the following validation. It would've looked better if the field was calledexpiresthough, but renaming is probably not worth it now. This might be superior to checking anything againstcreatedbecause this way it would be possible to extend expiration time if desired (e.g. on renewal) without having to break the audit trail automagiccreatedtimestamp provides.clear_expired: instead of removing everything that was expired or using expire_seconds settings it can only remove tokens that were expired for longer than a given period (could be a day or even a year, depending on the application's load, we could also try to set some sensible default). it would probably be a good idea not to remove access tokens if they still have a valid refresh token linked to them (required for determining scopes and some other things on renewal). Also, it might make sense to allow introspecting expired tokens, but that's probably not a priority, can't think of a use case for that right now.Thoughts?