Confirmation token usable only once #618
Comments
I think to make it not reusable after its first use would require using the token storage feature, and the option to require token presence. Then we can make single-use tokens. But @jimsynz should chime in here as it's possible there is something I don't know about this implementation/how it's meant to be used.
Seems to be the purpose of the
Yep! I was just pointing out that it would leverage that feature set. Expiring a token can be done without deleting it actually, though, so we'd just use the existing expiration tooling. So yeah, the option you showed would trigger us to expire the token immediately after use.
Or maybe just deleting the However, I just noticed that using a confirmation link of a deleted token in the DB produces an error.
There are cases for deleting them or marking them as expired, depending on what you want. If you want logs of authentication tokens for things like auditing or showing users session history, that kind of thing, you might want that. But I do think we should have an option when configuring it for whether tokens should be "expired" or "destroyed". We should make confirming a deleted token produce a graceful error, though. Then you could technically implement this on your own by adding a change to the confirmation action that deletes the token being used.
I think that the right approach is to revoke the token after it's been used. I can add a change for this. Does it actually need to be configurable, or was it just a mistake on my part?
I don't think it needs to be configurable. I don't see a reason why you'd want to allow it to be used again. Also,
Seems problematic. Should the token only be usable to confirm and then require re-authentication? Maybe that should be configurable?
It's up to the user to implement the auth controller/plug in such a way that it signs in the user or not.
Perhaps our default auth controller example should illustrate that?
Fixes a potential issue where the confirmation token can be used multiple times, potentially opening a replay attack. Closes #618
I want to use the AshAuthentication.AddOn.Confirmation to send an email with a link to validate the ownership of the email by the user. However, the token is still reusable till the end of its token_lifetime. Note that using the token gives the user account access, which makes its reusability questionable in terms of security. I suppose AshAuthentication.AddOn.Confirmation lacks a :option for this kind of purpose and for security.

FYI, I use the AshAuthentication.Strategy.Password in my use case.
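To make the thread's design concrete (a signed confirmation token that stays valid for a whole `token_lifetime` versus one that is revoked on first use, with the "expire" vs "destroy" choice and a graceful error for deleted tokens discussed above), here is an added stand-alone illustration. It is not AshAuthentication code and does not use its API; the store, the `mode` argument and the demo secret are constructed for the example.

```python
import hmac, hashlib, secrets, time

SECRET = b"constructed-demo-secret"  # constructed for the example; load from config in practice

class ConfirmationTokens:
    """Minimal single-use confirmation tokens (illustration, not AshAuthentication).

    Tokens are HMAC-signed and tracked in a store so the first successful
    confirmation can revoke them; any later replay of the same token fails.
    """
    def __init__(self, token_lifetime=3600, now=time.time):
        self.token_lifetime = token_lifetime
        self.now = now           # injectable clock so expiry can be exercised
        self.store = {}          # jti -> {"user": int, "expires": int, "revoked": bool}

    def issue(self, user_id):
        """Mint a token for user_id (an int, so the dotted format stays parseable)."""
        jti = secrets.token_urlsafe(16)
        expires = int(self.now()) + self.token_lifetime
        payload = f"{jti}.{user_id}.{expires}"
        sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        self.store[jti] = {"user": user_id, "expires": expires, "revoked": False}
        return f"{payload}.{sig}"

    def confirm(self, token, mode="expire"):
        """Return ("ok", user_id) once per token, ("error", reason) otherwise.

        mode="expire" keeps the row for auditing/session history; mode="destroy"
        deletes it. Either way a second presentation is rejected, not crashed on.
        """
        parts = token.split(".")
        if len(parts) != 4:
            return ("error", "malformed token")
        jti, user, expires, sig = parts
        expected = hmac.new(SECRET, f"{jti}.{user}.{expires}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return ("error", "bad signature")
        record = self.store.get(jti)
        if record is None:
            return ("error", "unknown or deleted token")   # graceful, no exception
        if record["revoked"] or self.now() > record["expires"]:
            return ("error", "token already used or expired")
        if mode == "destroy":
            del self.store[jti]
        else:
            record["revoked"] = True   # immediate expiry on use, row retained
        return ("ok", int(user))
```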