Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.x] Ensure device has not been logged out #467

Merged
merged 30 commits into from
Aug 30, 2023
Merged

[3.x] Ensure device has not been logged out #467

merged 30 commits into from
Aug 30, 2023

Conversation

crynobone
Copy link
Member

Continue from #461

crynobone and others added 4 commits August 22, 2023 15:48
@crynobone
wip
2a74778 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@patrickomeara @crynobone
Ensure device has not been logged out
2d2df47 
This adds a middleware to check that the password has in session is the same as the current users password.

This fixes a security issue where an attacker can keep sending requests to an API using the sanctum auth after the password has been changed.

Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
b3b0486 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
fbf7b54 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone crynobone mentioned this pull request Aug 22, 2023
Closed
crynobone and others added 4 commits August 22, 2023 16:01
@crynobone
wip
66c0a50 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@StyleCIBot
Apply fixes from StyleCI
a6b9d9b
@crynobone
Merge branch '3.x' into patch-2
755e63d
@crynobone
wip
a9bab0c 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
patrickomeara
patrickomeara reviewed Aug 23, 2023
View reviewed changes
Copy link
Contributor

@patrickomeara patrickomeara left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @crynobone

This solution will log out the current sanctum session, when the password is changed via a sanctum guarded request.

See below recording.

Screen.Recording.2023-08-23.at.11.16.43.mov

There are two reasons.

  • The password hash isn't saved after it is changed like it is when using AuthenticateSession
  • Sanctum requests change default guard from web to sanctum after the first check is done.

I have created a new branch on my test repo that uses this pr branch https://github.com/patrickomeara/sanctum-logout-issue/tree/crynobone-solution

Details below.

src/Http/Middleware/EnsureDeviceHasNotBeenLoggedOut.php Outdated Show resolved Hide resolved
src/Http/Middleware/EnsureDeviceHasNotBeenLoggedOut.php Outdated Show resolved Hide resolved
crynobone and others added 10 commits August 23, 2023 09:50
@crynobone @patrickomeara
Update src/Http/Middleware/EnsureDeviceHasNotBeenLoggedOut.php
3b39b70 
Co-authored-by: Patrick O'Meara <pat@maintainly.com>
@crynobone
wip
e85e829 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
0961225 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
c391204 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
6671f7e 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@StyleCIBot
Apply fixes from StyleCI
167f77b
@crynobone
wip
b95b8aa 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
Merge remote-tracking branch 'upstream/patch-2' into patch-2
bebf204
@crynobone
wip
d084dd4 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
ab1a0ee 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
0dd3fdd 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
cd30e34 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone crynobone marked this pull request as ready for review August 23, 2023 04:44
patrickomeara
patrickomeara reviewed Aug 23, 2023
View reviewed changes
Copy link
Contributor

@patrickomeara patrickomeara left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @crynobone

Does this recent solution deal with changing the password in a sanctum request and leaving the sanctum session logged in?

tests/Controller/FrontendRequestsAreStatefulTest.php Show resolved Hide resolved
crynobone and others added 3 commits August 23, 2023 13:28
@crynobone @patrickomeara
Apply suggestions from code review
1d933a4 
Co-authored-by: Patrick O'Meara <pat@maintainly.com>
@StyleCIBot
Apply fixes from StyleCI
45815c2
@crynobone
wip
809dda7 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
67ce970 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
Copy link
Member Author

Does this recent solution deal with changing the password in a sanctum request and leaving the sanctum session logged in?

Fixed

@crynobone
wip
b123047 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
@crynobone
wip
1e55335 
Signed-off-by: Mior Muhammad Zaki <crynobone@gmail.com>
crynobone and others added 4 commits August 23, 2023 19:36
@taylorotwell taylorotwell merged commit d64ce69 into 3.x Aug 30, 2023
8 checks passed
@taylorotwell taylorotwell deleted the patch-2 branch August 30, 2023 21:34
@nhedger nhedger mentioned this pull request Nov 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patrickomeara patrickomeara patrickomeara left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@crynobone @patrickomeara @taylorotwell @StyleCIBot