mastodon / mastodon-android

Official Android app for Mastodon
https://app.joinmastodon.org/android
GNU General Public License v3.0
1.72k stars 264 forks source link

Better handle expired token #526

Open xtuc opened 1 year ago

xtuc commented 1 year ago

I'm using the Android app with an Mastodon implementation that use expirable user tokens, I believe the official Mastodon server can be configured to expire tokens too.

For instance, when I try to edit my profile from the app, I see in the server's logs:

GET /api/v1/accounts/verify_credentials 401
Error: JWT has expired.

and the app shows an error: https://user-images.githubusercontent.com/1493671/215757542-862302eb-f43b-4bea-91e8-99330b96073f.jpeg without trying to recover. The only way is to manually logout and login again for a new token.

Note that the app is showing errors everywhere but /api/v1/accounts/verify_credentials is best for demonstration.

The same issue is present on iOS but haven't opened an issue yet.

grishka commented 1 year ago

Mastodon implementation that use expirable user tokens

And it does that to solve what?

xtuc commented 1 year ago

@grishka It's good security practice to periodically rotate private keys and set expiry on tokens.

grishka commented 1 year ago

Again, what is the practical issue that the involvement of time in authentication would solve? "Good security practice" is something merely theoretical. In practice, if someone obtains a device where you're logged in, there are two options:

So, expiring sessions do nothing to protect anyone from anything — they're nothing but an annoyance. So are password expiration policies. Here are my thoughts on authentication involving time formulated more succinctly by a friend (in Russian).

xtuc commented 1 year ago

For more context, the user session tokens we are using are JWT and are signed. It's the signing key pair that is automically and periodically rotated, meaning that after a certain time the JWT can't be verified anymore. Leaking the private key is much worse than a user's JWT, it's good practice to proactively rotate them.

We set the expiry on JWT to have users request a new JWT signed with the new pair of keys. This isn't an annoyance to users as it can be handled behind the scenes. Our problem is that the Mastodon application doesn't allow to relogin once the JWT has expired.

I understand that Mastodon doesn't rely on signed JWT and might not run into this issue.

grishka commented 1 year ago

How do you imagine "relogin behind the scenes" working? The regular login flow involves opening a web browser in which the user enters their credentials and clicks "allow", and then gets redirected back to the app via a custom URL scheme. I'd assume that the browser session would also expire in your setup — so there won't be any way to do it without user interaction.

xtuc commented 1 year ago

"behind the scenes" was maybe a bit optimistic. Similar to the login flow, would it be possible to open a web browser, follow redirections and load cookies left during login? With some authentification provider that would allow to relogin without interaction from the user and worse case the user has to login again.