Authentication Mechanism Absence or Evasion Vulnerability - Elixir

Need

Prevent unauthorized access to protected resources

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of plain structs (maps) for user management, without a session layer

Description

Non compliant code

        defmodule User do
          defstruct [:id, :data]
        end

        defmodule DataAccess do
          # No credentials and no session: whoever holds a User struct gets the data.
          def access_data(%User{} = user) do
            IO.puts(user.data)
          end
        end

        user = %User{id: 1, data: "secret"}
        DataAccess.access_data(user)
        

This Elixir code defines a user system with a User struct that holds an id and data. The function 'access_data' prints the data of whatever struct it is given and performs no authentication at all: there is no credential check, no session, and nothing binding the caller to the user whose data is returned. Anyone who can construct or obtain a User struct can read its sensitive data.

Steps

  • Introduce a secure authentication process: implement a login mechanism that verifies a username and password (against a salted hash, never a stored plaintext) and, on success, creates a user session.
  • Ensure every critical resource and piece of functionality is reachable only through this authentication process.
  • Ensure every request for these resources checks for an active, authenticated session, and rejects requests that carry no valid session.

Compliant code

        defmodule User do
          defstruct [:id, :username, :password, :data]
        end

        defmodule DataAccess do
          # Returns the authenticated user only when both credentials match.
          # NOTE: this example keeps the password in plaintext and compares it with ==;
          # a real system stores a salted hash and compares it in constant time.
          def login(%User{} = user, username, password) do
            if user.username == username and user.password == password do
              {:ok, user}
            else
              {:error, "Incorrect username or password."}
            end
          end

          # Data is released only after login succeeds.
          def access_data(%User{} = user, username, password) do
            case login(user, username, password) do
              {:ok, authenticated} -> IO.puts(authenticated.data)
              {:error, _reason} -> IO.puts("Access denied.")
            end
          end
        end

        user = %User{id: 1, username: "user1", password: "pass1", data: "secret"}
        DataAccess.access_data(user, "user1", "pass1")
        DataAccess.access_data(user, "user1", "wrong")
        
        

The revised code adds an authentication check. The User struct now carries 'username' and 'password' fields; 'login' compares the supplied credentials against them and returns {:ok, user} (the authenticated user, not a separate session object) or an error, and 'access_data' releases the data only when 'login' succeeds. Two caveats before reusing it: the password is stored and compared in plaintext with ==, which a production system must replace with a salted hash and a constant-time comparison, and the credentials are re-sent on every call instead of being exchanged once for a session token, so the session check the steps call for is not yet implemented here.
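The following is an added example, not code from the original page, showing the version of the steps above that a practitioner would actually deploy: passwords are stored as salted PBKDF2 hashes, verification is constant-time, login issues an opaque session token, and every data access is gated on that token rather than on re-sent credentials. The Auth module, its function names and the sample users are assumptions made for this example; it relies on :crypto.pbkdf2_hmac/5 (Erlang/OTP 24.2 or later) and :crypto.hash_equals/2 (OTP 25 or later), and sessions are kept in a plain map passed through the calls so the example runs without any process or database.

```elixir
# Added example (assumed module name and API, not the page's own code).
# Requires Erlang/OTP 25+ for :crypto.hash_equals/2 (pbkdf2_hmac/5 needs OTP 24.2+).
defmodule Auth do
  @iterations 100_000
  @key_len 32

  # Store only a per-user salt and the derived hash, never the plaintext password.
  def new_user(id, username, password, data) do
    salt = :crypto.strong_rand_bytes(16)
    %{id: id, username: username, salt: salt, hash: derive(password, salt), data: data}
  end

  defp derive(password, salt) do
    :crypto.pbkdf2_hmac(:sha256, password, salt, @iterations, @key_len)
  end

  # Constant-time comparison so the match length is not leaked through timing.
  defp verify?(user, password) do
    :crypto.hash_equals(derive(password, user.salt), user.hash)
  end

  # On success returns {:ok, token, sessions}; the caller keeps the token and
  # never sends the password again. Failures give the same error either way.
  def login(users, sessions, username, password) do
    case Enum.find(users, &(&1.username == username)) do
      nil ->
        # Do the same hashing work for unknown users so timing does not reveal
        # which usernames exist.
        _ = derive(password, <<0::128>>)
        {:error, :invalid_credentials}

      user ->
        if verify?(user, password) do
          token = Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)
          {:ok, token, Map.put(sessions, token, user.id)}
        else
          {:error, :invalid_credentials}
        end
    end
  end

  # Every access is checked against a live session; the token is the proof of
  # authentication, and an unknown or revoked token yields :unauthorized.
  def access_data(users, sessions, token) do
    with {:ok, user_id} <- Map.fetch(sessions, token),
         %{} = user <- Enum.find(users, &(&1.id == user_id)) do
      {:ok, user.data}
    else
      _ -> {:error, :unauthorized}
    end
  end

  def logout(sessions, token), do: Map.delete(sessions, token)
end

# Constructed sample data for the walkthrough.
users = [Auth.new_user(1, "user1", "correct horse battery staple", "secret")]
sessions = %{}

{:error, :invalid_credentials} = Auth.login(users, sessions, "user1", "wrong")
{:error, :invalid_credentials} = Auth.login(users, sessions, "nobody", "wrong")
{:ok, token, sessions} = Auth.login(users, sessions, "user1", "correct horse battery staple")
{:ok, "secret"} = Auth.access_data(users, sessions, token)
{:error, :unauthorized} = Auth.access_data(users, sessions, "forged-token")
{:error, :unauthorized} = Auth.access_data(users, Auth.logout(sessions, token), token)
IO.puts("all checks passed")
```

In a Phoenix or Plug application the sessions map would live in the session store (Plug.Session) or a server-side store keyed by the cookie, and the access check would be a plug run before every protected route; the shape of the check is the same: no valid session, no data.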

References