Mentorship-backend: Bug: Valid Refresh Tokens despite user changing password

Created on 28 Sep 2020  ·  16 Comments  ·  Source: anitab-org/mentorship-backend

Describe the bug

Refresh Tokens are still valid even after the user changes passwords.

To Reproduce

Steps to reproduce the behavior:

  1. Log in and save the refresh token you get.
  2. Change password.
  3. Scroll down to the Refresh endpoint and use the old refresh token.
  4. See error

Expected behavior

Refresh Tokens should not be valid after a user changes passwords.

Additional context

This can be done by using the user's hashed password as the secret for the refresh tokens.
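As an added example (this is not mentorship-backend code, and it stands in for the flask-jwt-extended setup the project actually uses), the following sketches the fix proposed above: the HMAC key used to sign a refresh token is derived from the user's current password hash, so once the stored hash changes the old token no longer verifies. The server secret, the PBKDF2 hash format, the claim names and the in-memory `users` dict are all assumptions made for the demo.

```python
"""Added example: refresh tokens keyed on the user's current password hash.

Changing the password changes the per-user signing key, so any refresh
token issued before the change fails signature verification.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Assumption: in a real app this comes from config/env, never from source.
SERVER_SECRET = b"example-server-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # PBKDF2 stands in for whatever hash the app uses; stored as "salt$hash".
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{_b64(salt)}${_b64(dk)}"


def refresh_key(password_hash: str) -> bytes:
    # Per-user signing key. Running the stored hash through HMAC with the
    # server secret ties the key to the hash (so it changes when the hash
    # changes) without using the raw password hash itself as a key.
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()


def issue_refresh_token(user_id: int, password_hash: str,
                        ttl: int = 7 * 24 * 3600, now: Optional[int] = None) -> str:
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "type": "refresh", "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(refresh_key(password_hash), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_refresh_token(token: str, users: dict, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token verifies under the user's *current*
    password hash and is unexpired, otherwise None."""
    try:
        h, p, s = token.split(".")
        payload = json.loads(_unb64(p))
        user = users[payload["sub"]]          # look up the current hash, not the one at issue time
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(refresh_key(user["password_hash"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
    except ValueError:
        return None
    now = int(now if now is not None else time.time())
    if payload.get("type") != "refresh" or payload.get("exp", 0) <= now:
        return None
    return payload


def demo() -> Tuple[bool, bool]:
    """Reproduce the report: issue a token, change the password, retry."""
    users = {1: {"password_hash": hash_password("old-password")}}  # constructed user record
    token = issue_refresh_token(1, users[1]["password_hash"])
    valid_before = verify_refresh_token(token, users) is not None
    users[1]["password_hash"] = hash_password("new-password")   # step 2: change password
    valid_after = verify_refresh_token(token, users) is not None  # step 3: reuse old token
    return valid_before, valid_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats a practitioner would want: access tokens already issued stay valid until they expire regardless of this change, so keep their TTL short or verify them against the same per-user key; and an equally common alternative is a per-user version counter (bumped on password change, embedded as a claim and checked on refresh), which avoids keying anything on password material at all.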

Coding Bug

All 16 comments

I don't know whether it is the case. Will verify today. Thanks @epicadk for opening this

@devkapilbansal if you can verify this, it would be amazing.

@epicadk can you please add more information to the ticket, for example how to reproduce this bug you found, so that whoever works on it, can have an example to follow. Also if you have any idea of a potential solution, even if its not the one being implemented, please put it in the alternatives :)

@isabelcosta done. @devkapilbansal I have added steps to reproduce the issue; please let me know if I should elaborate any further.

Valid Issue :heavy_check_mark:

Thanks @epicadk for pointing out this security bug.

Tested locally and was able to get a new access token using the old refresh token, which should not happen.

TLDR

  • Changing password (screenshot: change_password)

  • Successful refresh (screenshot: successful_refresh)

Access token generated is also valid and can be used after refresh.

Also, I noticed that the refresh endpoint should mention refresh token instead of access token here:

(screenshot: refresher)

Therefore, opening an issue for this too

@isabelcosta @vj-codes @rpattath please label this issue

thank you for such a thorough test and showing the output here 🙌 @devkapilbansal

@devkapilbansal can you link up the issue here, in case you already created it?

The issue is #932

@isabelcosta @devkapilbansal Can I please get assigned as no one is working on this issue?
Thanks

@tichnas consider asking on Zulip. You can work on this as soon as you are assigned to it.

Assigned @tichnas

Thanks a lot @gaurivn

You're welcome

@isabelcosta an update: working on the doc right now, as discussed in the Mentorship system open session. Sorry it's taking so long.

Thank you for the update! That's ok @epicadk :)
