
Add auth refresh token #727

Merged (5 commits) Sep 1, 2024

Conversation

carlgieringer (Contributor) commented Aug 31, 2024

Things to test:

  • Registration
  • Password reset
  • Expired auth reset token redirects to login

Signed-off-by: Carl Gieringer <78054+carlgieringer@users.noreply.github.com>
@carlgieringer carlgieringer force-pushed the features/add-auth-refresh-token branch from 078b131 to d4e06b4 on August 31, 2024 22:25
howdju-common/lib/standaloneAjv.js: Fixed (10 entries)
github-actions bot commented Aug 31, 2024

Changed-files coverage summary


=============================== Coverage summary ===============================
Statements   : 41.05% ( 1327/3233 )
Branches     : 25.24% ( 414/1640 )
Functions    : 45.69% ( 318/696 )
Lines        : 48.39% ( 1235/2552 )
================================================================================

@carlgieringer carlgieringer force-pushed the features/add-auth-refresh-token branch from baa588f to 2482323 on September 1, 2024 23:07
@carlgieringer carlgieringer merged commit a95df32 into master Sep 1, 2024
5 checks passed
@carlgieringer carlgieringer deleted the features/add-auth-refresh-token branch September 1, 2024 23:20
@carlgieringer carlgieringer added the requires schema release PRs that must update the database schema label Sep 2, 2024
carlgieringer (Contributor, Author) commented Sep 2, 2024

This PR addressed a security vulnerability where Howdju's authToken was persisted in browser localStorage, making it vulnerable to XSS. The new system uses an authRefreshToken, persisted as a secure http-only cookie, and protects the authToken from XSS: stored in-memory only and never accessible via a global JS object.

The authRefreshToken is only recognized by the GET auth-refresh endpoint, which returns an authToken. This makes the authRefreshToken safe against CSRF since no endpoint recognizing it has side effects.

Some background on this approach is here.

carlgieringer (Contributor, Author) commented

The changes to PasswordResetService fix password resets. The link included in these emails previously was not URL-encoded, and so often would not be recognized by the server.

Labels
requires schema release PRs that must update the database schema