Insecure Functionality - Session Management - Elixir

Insecure Functionality - Session Management - Elixir

Need

Prevent reuse of expired session tokens to ensure session integrity

Context

  • Usage of Elixir 1.12 for building scalable and concurrent applications
  • Usage of Phoenix Framework 1.6 for web development
  • Usage of Guardian library for authentication and authorization

Description

Non compliant code

        defmodule MyAppWeb.Endpoint do
  use Guardian.Plug.VerifyHeader, realm: "Bearer"
  def call(conn, _) do
    case Guardian.Plug.current_token(conn) do
      nil -> conn
      token ->
        if MyApp.Auth.Token.is_expired?(token) do
          MyApp.Auth.Token.extend_expiration(token)
        end
        conn
    end
  end
end
        
        

This example depicts an API endpoint in a Phoenix application that authenticates the user using JWT tokens generated with the Guardian library. The problem lies in the token validation mechanism, where the code checks the token's expiration date against the current time but does not verify if the token itself is expired.

Steps

  • Remove the token extension functionality
  • Ensure that expired tokens cannot be reused

Compliant code

        defmodule MyAppWeb.Endpoint do
  use Guardian.Plug.VerifyHeader, realm: "Bearer"
  def call(conn, _) do
    case Guardian.Plug.current_token(conn) do
      nil -> conn
      token ->
        if MyApp.Auth.Token.is_expired?(token) do
          conn
          |> put_status(:unauthorized)
          |> Phoenix.Controller.json(%{error: "Expired token"})
          |> halt()
        end
        conn
    end
  end
end
        
        

In the fixed code, the token extension functionality has been removed. Therefore, once a token has expired, it can no longer be used, ensuring the integrity of the session.

References