Prevent user information from being exposed in session tokens
defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer
  alias MyApp.User
  # Noncompliant: the token subject carries the user's email and name next to the id
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}:#{user.email}:#{user.name}"}
  def from_token("User:" <> rest) do
    [id, email, name] = String.split(rest, ":", parts: 3)  # only the last segment of a binary pattern may be unsized
    {:ok, %User{id: id, email: email, name: name}}
  end
end
This code includes the user's email and name in the session token. Guardian tokens are signed JWTs: the string returned by for_token becomes the sub claim, and JWT claims are only base64url-encoded, not encrypted. Anyone who obtains the token (from browser storage, a log line, a proxy, or a shared URL) can read the email and name without knowing the signing key, because the signature protects the token's integrity, not its confidentiality.
defmodule MyApp.GuardianSerializer do
  @behaviour Guardian.Serializer
  alias MyApp.User
  # Compliant: only the identifier goes into the token subject
  def for_token(user = %User{}), do: {:ok, "User:#{user.id}"}
  def for_token(_), do: {:error, "Unknown resource type"}
  # the user's other attributes are fetched by id when needed, never read back from the token
  def from_token("User:" <> id), do: {:ok, %User{id: id}}
  def from_token(_), do: {:error, "Unknown resource type"}
end
The secure code puts only the user's identifier in the token. The id is an opaque reference that lets the application load the user record; any attribute needed later is fetched from the data store by id rather than carried in the token. Apply the same rule to custom claims: treat everything inside a Guardian token as readable by whoever holds it, and store only what the server needs to identify the session.
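To make the exposure concrete, the following is an added example in Python, not code from this page or from Guardian. It builds a minimal signed JWT whose sub claim is the serializer's string, which is where Guardian places the for_token result, and then reads that claim back without the key. The HS256 algorithm, the signing key and the user record are constructed for illustration; any signing algorithm behaves the same way because signing adds integrity, not secrecy.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data for the demonstration (not from any real system).
SIGNING_KEY = b"example-server-secret"
USER = {"id": 42, "email": "alice@example.com", "name": "Alice Example"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def leaky_for_token(user: dict) -> str:
    """Mirrors the noncompliant serializer: id, email and name in the subject."""
    return f"User:{user['id']}:{user['email']}:{user['name']}"


def safe_for_token(user: dict) -> str:
    """Mirrors the compliant serializer: only the id in the subject."""
    return f"User:{user['id']}"


def sign_token(sub: str, key: bytes) -> str:
    """Build a minimal HS256 JWT (assumed algorithm) carrying the serializer string as sub."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, key: bytes) -> bool:
    """Check the signature; integrity is the only thing the key is ever needed for."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(signature))


def read_subject_without_key(token: str) -> str:
    """What anyone holding the token can do: decode the payload segment, no key involved."""
    payload = token.split(".")[1]
    return json.loads(_b64url_decode(payload))["sub"]


def fields_exposed(token: str) -> dict:
    """Parse the subject the way the noncompliant from_token does and report what leaks."""
    parts = read_subject_without_key(token).split(":", 3)
    if len(parts) == 4 and parts[0] == "User":
        return {"id": parts[1], "email": parts[2], "name": parts[3]}
    if len(parts) == 2 and parts[0] == "User":
        return {"id": parts[1]}
    return {}


if __name__ == "__main__":
    leaky = sign_token(leaky_for_token(USER), SIGNING_KEY)
    safe = sign_token(safe_for_token(USER), SIGNING_KEY)
    print("leaky token exposes:", fields_exposed(leaky))
    print("safe token exposes:", fields_exposed(safe))
    print("leaky token signature still valid:", verify_token(leaky, SIGNING_KEY))
```

Running it shows the leaky token yielding the email and name to a reader that never touches the key, while its signature still verifies, which is exactly why a valid signature says nothing about who can read the claims.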