Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent strategy from running when the current path matches a dispatc… #60

Conversation

k-p-jones
Copy link
Contributor

@k-p-jones k-p-jones commented Dec 11, 2024

Summary

As mentioned in the following issue waiting-for-dev/devise-jwt#274, it is possible for a client to hit the sign in endpoint of an app with a valid token and obtain a fresh one, which would allow an attacker to infinitely extend the period of time they have access after stealing a token, without having to provide valid credentials.

This PR attempts to address that issue by preventing the strategy from running if our current path matches any of the token dispatch request paths. Presumably the desired behaviour here is for the request to carry on cascading through the strategy chain until it either passes or fails authentication. This means that if a client provides correct credentials and a token, it will fall through and still grant them a new one via the after_set_user hook.

I'm unsure if this warrants a readme update, please let me know if it does.

Checklist

Check out our PR guidelines for more details.

The following are mandatory for all PRs:

  • I have written a thorough PR description.
  • I have kept my commits small and atomic.
  • I have used clear, explanatory commit messages.

The following are not always needed (cross them out if they are not):

  • I have added automated tests to cover my changes.
  • I have attached screenshots to demo visual changes.
  • I have opened a PR to update the guides.
  • I have updated the README to account for my changes.

Copy link
Owner

@waiting-for-dev waiting-for-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!! I think that's the best approach we can follow. Probably no need to update the Readme. Leaving to minor comments.

Comment on lines 13 to 15
return false if path_is_dispatch_request_path?

token_exists? && issuer_claim_valid?
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
return false if path_is_dispatch_request_path?
token_exists? && issuer_claim_valid?
token_exists? && issuer_claim_valid? && !path_is_dispatch_request_path?

We can keep it as a one-liner. WDYT?

Comment on lines 32 to 36
def path_is_dispatch_request_path?
current_path = EnvHelper.path_info(env)
dispatch_requests.any? do |tuple|
current_path.match(tuple.last)
end
end
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also check the request method?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah you're quite right here, if a user visits a dispatch request path via a GET for example, we want the strategy to actually run and indicate to devise that they are already logged in and trigger a redirect without inserting a fresh token into the headers. I will tweak my code so we also check the request method like it is done inside the hooks.

@waiting-for-dev
Copy link
Owner

Also, please, could you rebase it from master? I just enabled GH actions to reenable CI here 🙏

@k-p-jones k-p-jones force-pushed the prevent-strat-from-running-on-dispatch-paths branch from 9763b96 to 52c528c Compare December 15, 2024 19:46
@k-p-jones
Copy link
Contributor Author

@waiting-for-dev thank you for your feedback! I have made the requested changes for you to take a look at and I have also rebased against master.

@k-p-jones
Copy link
Contributor Author

I appear to have upset the linter. I will sort that out later today

@k-p-jones k-p-jones force-pushed the prevent-strat-from-running-on-dispatch-paths branch from 52c528c to f8bd7b9 Compare December 16, 2024 19:43
@k-p-jones
Copy link
Contributor Author

@waiting-for-dev Linting errors should be fixed now

@waiting-for-dev waiting-for-dev merged commit 14052e7 into waiting-for-dev:master Dec 20, 2024
6 checks passed
@waiting-for-dev
Copy link
Owner

Thanks!!

@waiting-for-dev
Copy link
Owner

Available in v0.11.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants