Use UUIDs as indentifiers for sessions in public (#176)

mikker · Nov 7, 2023 · 3af9774 · 3af9774
1 parent 8855a80
commit 3af9774
Show file tree

Hide file tree

Showing 12 changed files with 45 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 # Unreleased
 
+### Changed
+
+Sessions are now referenced publicly by a random UUID instead of their primary key.
+
+This needs a manual database migration like so:
+
+```ruby
+class AddIndentifierToPasswordlessSessions < ActiveRecord::Migration[7.1]
+ def change
+ add_column(:passwordless_sessions, :identifier, :string)
+ add_index(:passwordless_sessions, :identifier, unique: true)
+ end
+end
+```
+
 ### Added
 
 - Add default flash notice for sign out (#178)

diff --git a/app/controllers/passwordless/sessions_controller.rb b/app/controllers/passwordless/sessions_controller.rb
@@ -37,7 +37,7 @@ def create
  end
 
  redirect_to(
- url_for(id: @session.id, action: "show"),
+ url_for(id: @session.identifier, action: "show"),
  flash: {notice: I18n.t("passwordless.sessions.create.email_sent")}
  )
  else
@@ -54,7 +54,7 @@ def create
  # Shows the form for confirming a Session record.
  # renders sessions/show.html.erb.
  def show
- @session = find_session
+ @session = passwordless_session
  end
 
  # patch "/:resource/sign_in/:id"
@@ -66,7 +66,7 @@ def show
  # @see ControllerHelpers#sign_in
  # @see ControllerHelpers#save_passwordless_redirect_location!
  def update
- @session = find_session
+ @session = passwordless_session
 
  artificially_slow_down_brute_force_attacks(passwordless_session_params[:token])
 
@@ -86,7 +86,7 @@ def confirm
  # safe. We don't want to sign in the user in that case.
  return head(:ok) if request.head?
 
- @session = find_session
+ @session = passwordless_session
 
  artificially_slow_down_brute_force_attacks(params[:token])
 
@@ -166,10 +166,6 @@ def authenticatable_class
  authenticatable_type.constantize
  end
 
- def find_session
- Session.find_by!(id: params[:id], authenticatable_type: authenticatable_type)
- end
-
  def find_authenticatable
  email = passwordless_session_params[email_field].downcase.strip
 
@@ -201,7 +197,7 @@ def redirect_to_options
 
  def passwordless_session
  @passwordless_session ||= Session.find_by!(
- id: params[:id],
+ identifier: params[:id],
  authenticatable_type: authenticatable_type
  )
  end

diff --git a/app/mailers/passwordless/mailer.rb b/app/mailers/passwordless/mailer.rb
@@ -16,7 +16,7 @@ def sign_in(session, token = nil)
  {
  controller: "passwordless/sessions",
  action: "confirm",
- id: session.id,
+ id: session.identifier,
  token: token,
  authenticatable: "user",
  resource: "users"

diff --git a/app/models/passwordless/session.rb b/app/models/passwordless/session.rb
@@ -61,13 +61,18 @@ def available?
  !expired?
  end
 
+ def to_param
+ identifier
+ end
+
  private
 
  def token_digest_available?(token_digest)
  Session.available.where(token_digest: token_digest).none?
  end
 
  def set_defaults
+ self.identifier = SecureRandom.uuid
  self.expires_at ||= Passwordless.config.expires_at.call
  self.timeout_at ||= Passwordless.config.timeout_at.call
 

diff --git a/db/migrate/20171104221735_create_passwordless_sessions.rb b/db/migrate/20171104221735_create_passwordless_sessions.rb
@@ -13,6 +13,7 @@ def change
  t.datetime(:expires_at, null: false)
  t.datetime(:claimed_at)
  t.string(:token_digest, null: false)
+ t.string(:identifier, null: false, index: {unique: true}, length: 36)
 
  t.timestamps
  end

diff --git a/docs/upgrading_to_1_0.md b/docs/upgrading_to_1_0.md
@@ -20,7 +20,7 @@ $ bin/rails g migration UpgradePassswordless
 ```
 
 ```ruby
-class UpgradePassswordless < ActiveRecord::Migration[7.0]
+class UpgradePasswordless < ActiveRecord::Migration[7.0]
  def change
  # Encrypted tokens
  add_column(:passwordless_sessions, :token_digest, :string)

diff --git a/test/controllers/passwordless/sessions_controller_test.rb b/test/controllers/passwordless/sessions_controller_test.rb
@@ -28,7 +28,7 @@ def create_pwless_session(attrs = {})
  assert_equal 1, ActionMailer::Base.deliveries.size
 
  follow_redirect!
- assert_equal "/users/sign_in/#{Session.last!.id}", path
+ assert_equal "/users/sign_in/#{Session.last!.identifier}", path
  end
 
  test("POST /:passwordless_for/sign_in -> SUCCESS / malformed email") do
@@ -40,7 +40,7 @@ def create_pwless_session(attrs = {})
  assert_equal 1, ActionMailer::Base.deliveries.size
 
  follow_redirect!
- assert_equal "/users/sign_in/#{Session.last!.id}", path
+ assert_equal "/users/sign_in/#{Session.last!.identifier}", path
  end
 
  test("POST /:passwordless_for/sign_in -> SUCCESS / custom delivery method") do
@@ -111,7 +111,7 @@ class << User
  test("GET /:passwordless_for/sign_in/:id") do
  passwordless_session = create_pwless_session
 
- get("/users/sign_in/#{passwordless_session.id}")
+ get("/users/sign_in/#{passwordless_session.identifier}")
 
  assert_equal 200, status
  assert_equal "/users/sign_in/#{passwordless_session.to_param}", path
@@ -121,7 +121,7 @@ class << User
  test("PATCH /:passwordless_for/sign_in/:id -> SUCCESS") do
  passwordless_session = create_pwless_session(token: "hi")
 
- patch("/users/sign_in/#{passwordless_session.id}", params: {passwordless: {token: "hi"}})
+ patch("/users/sign_in/#{passwordless_session.identifier}", params: {passwordless: {token: "hi"}})
 
  assert_equal 303, status
 
@@ -135,7 +135,7 @@ class << User
  test("PATCH /:passwordless_for/sign_in/:id -> ERROR") do
  passwordless_session = create_pwless_session(token: "hi")
 
- patch("/users/sign_in/#{passwordless_session.id}", params: {passwordless: {token: "no"}})
+ patch("/users/sign_in/#{passwordless_session.identifier}", params: {passwordless: {token: "no"}})
 
  assert_equal 403, status
  assert_equal "/users/sign_in/#{passwordless_session.to_param}", path
@@ -150,7 +150,7 @@ class << User
 
  with_config(restrict_token_reuse: true) do
  patch(
- "/users/sign_in/#{passwordless_session.id}",
+ "/users/sign_in/#{passwordless_session.identifier}",
  params: {passwordless: {token: "hi"}}
  )
  end
@@ -170,7 +170,7 @@ class << User
  passwordless_session.update!(timeout_at: Time.current - 1.day)
 
  patch(
- "/users/sign_in/#{passwordless_session.id}",
+ "/users/sign_in/#{passwordless_session.identifier}",
  params: {passwordless: {token: "hi"}}
  )
 
@@ -188,7 +188,7 @@ class << User
  user = User.create(email: "a@a")
  passwordless_session = create_pwless_session(authenticatable: user, token: "hi")
 
- get "/users/sign_in/#{passwordless_session.id}/#{passwordless_session.token}"
+ get "/users/sign_in/#{passwordless_session.identifier}/#{passwordless_session.token}"
  assert_not_nil pwless_session(User)
 
  get "/users/sign_out"

diff --git a/test/dummy/config/environments/test.rb b/test/dummy/config/environments/test.rb
@@ -28,7 +28,7 @@
  config.cache_store = :null_store
 
  # Raise exceptions instead of rendering exception templates.
- config.action_dispatch.show_exceptions = false
+ config.action_dispatch.show_exceptions = :internal
 
  # Disable request forgery protection in test environment.
  config.action_controller.allow_forgery_protection = false

diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb
@@ -18,9 +18,11 @@
  t.datetime "expires_at", precision: nil, null: false
  t.datetime "claimed_at", precision: nil
  t.string "token_digest", null: false
+ t.string "identifier", null: false
  t.datetime "created_at", precision: nil, null: false
  t.datetime "updated_at", precision: nil, null: false
  t.index ["authenticatable_type", "authenticatable_id"], name: "authenticatable"
+ t.index ["identifier"], name: "index_passwordless_sessions_on_identifier", unique: true
  end
 
  create_table "users", force: :cascade do |t|

diff --git a/test/fixtures/passwordless/sessions.yml b/test/fixtures/passwordless/sessions.yml
@@ -1,16 +1,19 @@
 # Read about fixtures at http:https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 
 one:
+ identifier: 381a283e-4e64-4989-8b10-d5279bb7f338
  timeout_at: 2017-11-04 23:17:35
  expires_at: 2017-11-04 23:17:35
  token_digest: MyString
 
 two:
+ identifier: cb756ce8-62a0-4ac1-9cb2-7abce7eddf80
  timeout_at: 2017-11-04 23:17:35
  expires_at: 2017-11-04 23:17:35
  token_digest: MyString
 
 john:
+ identifier: 3d14ed2c-4eaa-4894-82fb-e2e6f92223e6
  timeout_at: 2017-11-04 23:17:35
  expires_at: 2017-11-04 23:17:35
  token_digest: 3veDCdFw4VedgZtZZkCJ7um7rsc2bFNCZGB51Iih024

diff --git a/test/integration/authentication_flow_test.rb b/test/integration/authentication_flow_test.rb
@@ -28,7 +28,7 @@ class AuthenticationFlowTest < ActionDispatch::SystemTestCase
 
  email = ActionMailer::Base.deliveries.last
  assert_equal alice.email, email.to.first
- token = email.body.match(%r{/sign_in/\d+/([\w\-_]+)})[1]
+ token = email.body.match(%r{http:https://.*/sign_in/[A-Za-z0-9\-]+/(\w+)})[1]
 
  fill_in "passwordless[token]", with: token
  click_button "Confirm"
@@ -52,7 +52,7 @@ class AuthenticationFlowTest < ActionDispatch::SystemTestCase
 
  email = ActionMailer::Base.deliveries.last
  assert_equal alice.email, email.to.first
- magic_link = email.body.to_s.scan(%r{http:https://.*/sign_in/\d+/\w+}).at(0)
+ magic_link = email.body.to_s.scan(%r{http:https://.*/sign_in/[a-z0-9\-]+/\w+}).at(0)
 
  visit magic_link
 

diff --git a/test/mailers/passwordless/mailer_test.rb b/test/mailers/passwordless/mailer_test.rb
@@ -11,6 +11,6 @@ class Passwordless::MailerTest < ActionMailer::TestCase
 
  assert_match "Signing in ✨", email.subject
  assert_match /sign in: hello\n/, email.body.to_s
- assert_match %r{/sign_in/#{session.id}/hello}, email.body.to_s
+ assert_match %r{/sign_in/#{session.identifier}/hello}, email.body.to_s
  end
 end