Insecure Authentication Method - Basic - Elixir

Insecure Authentication Method - Basic - Elixir

Need

Securely authenticate user requests

Context

  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for building web applications
  • Usage of Guardian library for JWT authentication

Description

Non compliant code

        def login(conn, %{"username" => username, "password" => password}) do
  user = Repo.get_by(User, username: username)
  if user && Bcrypt.checkpw(password, user.password_hash) do
    {:ok, token, _claims} = BasicAuthToken.encode_and_sign(user.username)
    conn
    |> put_resp_header("authorization", "Basic #{token}")
    |> send_resp(:ok, "Logged in")
  else
    send_resp(conn, :unauthorized, "Incorrect username or password")
  end
end
        
        

In the insecure code example, the server uses Basic Authentication, where the user credentials are Base64-encoded but not encrypted, and transmitted over the network. This can be easily decoded and allows an attacker to intercept the user's credentials.

Steps

  • Implement Bearer authentication using hashed tokens instead of transmitting sensitive user credentials.
  • Use HTTPS for all sensitive communications to prevent the interception of data.
  • Consider other authentication mechanisms like OAuth or JWT for even better security.

Compliant code

        def login(conn, %{"username" => username, "password" => password}) do
  user = Repo.get_by(User, username: username)
  if user && Bcrypt.checkpw(password, user.password_hash) do
    {:ok, jwt, _full_claims} = Guardian.encode_and_sign(user, :token)
    conn
    |> put_resp_header("authorization", "Bearer #{jwt}")
    |> send_resp(:ok, "Logged in")
  else
    send_resp(conn, :unauthorized, "Incorrect username or password")
  end
end
        
        

In the secure code example, the server uses Bearer Authentication with a hashed token. The server generates a JWT token for the authenticated user and returns it in the Authorization header. This ensures the user's sensitive credentials are not transmitted over the network.

References