Insecure Functionality - Session Management - Elixir

Need

Prevent reuse of expired session tokens to ensure session integrity

Context

Usage of Elixir 1.12 for building scalable and concurrent applications
Usage of Phoenix Framework 1.6 for web development
Usage of Guardian library for authentication and authorization

Description

Insecure Code Example

defmodule MyAppWeb.Endpoint do
  use Guardian.Plug.VerifyHeader, realm: "Bearer"
  def call(conn, _) do
    case Guardian.Plug.current_token(conn) do
      nil -> conn
      token ->
        if MyApp.Auth.Token.is_expired?(token) do
          MyApp.Auth.Token.extend_expiration(token)
        end
        conn
    end
  end
end

This example depicts an API endpoint in a Phoenix application that authenticates the user using JWT tokens generated with the Guardian library. The problem lies in the token validation mechanism, where the code checks the token's expiration date against the current time but does not verify if the token itself is expired.

Steps

Remove the token extension functionality
Ensure that expired tokens cannot be reused

Secure Code Example

defmodule MyAppWeb.Endpoint do
  use Guardian.Plug.VerifyHeader, realm: "Bearer"
  def call(conn, _) do
    case Guardian.Plug.current_token(conn) do
      nil -> conn
      token ->
        if MyApp.Auth.Token.is_expired?(token) do
          conn
          |> put_status(:unauthorized)
          |> Phoenix.Controller.json(%{error: "Expired token"})
          |> halt()
        end
        conn
    end
  end
end

In the fixed code, the token extension functionality has been removed. Therefore, once a token has expired, it can no longer be used, ensuring the integrity of the session.

References

302 - Insecure Functionality - Session Management

Last updated

2023/09/18