Remove token on validation #126

Merged
merged 5 commits into from
Jan 7, 2021

Conversation

akrabat (Member) commented Jan 4, 2021

Ensure token is removed in persistent mode on validation

When the token is successfully validated and we are not in persistent mode, then we need to remove the token. This is a separate operation to handling failure.

The side-effect of the previous code is that it allowed a replay attack where the same token could be used multiple times even when persistent mode was disabled.

Thanks to @xhlika for the report.

When persistent mode is off, then the token should be removed from the storage when it has been validated. This test did not do this, but does do now.

When the token is successfully validated and we are not in persistent mode, then we need to remove the token. This is a separate operation to handling failure.

The side-effect of the previous code is that it allowed a replay attack where the same token could be used multiple times even when persistent mode was disabled.

Thanks to Xhelal Likaj (https://github.com/xhlika) for the report.
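To make the replay problem described above concrete, here is an added illustration that is not Slim-Csrf's own code: a minimal guard (hypothetical `MiniCsrfGuard`, with a constructed in-memory array as its storage) showing a failure-only removal path beside the fixed flow in which a successful validation consumes the token whenever persistent mode is off.

```php
<?php
// Added example, not the project's code. Storage is a constructed array of
// token name => token value pairs standing in for the real storage backend.
final class MiniCsrfGuard
{
    /** @var array<string,string> */
    private array $storage = [];

    public function __construct(private bool $persistentMode) {}

    public function generateToken(): array
    {
        $name  = bin2hex(random_bytes(8));
        $value = bin2hex(random_bytes(16));
        $this->storage[$name] = $value;
        return ['name' => $name, 'value' => $value];
    }

    /** Failure-only removal: the shape of the bug the PR describes (reconstructed, not the real old code). */
    public function validateTokenReplayable(string $name, string $value): bool
    {
        $stored = $this->storage[$name] ?? null;
        if ($stored === null || !hash_equals($stored, $value)) {
            unset($this->storage[$name]);   // only the failure path touches storage
            return false;
        }
        return true;                        // token is left in storage and can be reused
    }

    /** Fixed flow: success handling is separate from failure handling and consumes the token. */
    public function validateToken(string $name, string $value): bool
    {
        $stored = $this->storage[$name] ?? null;
        if ($stored === null || !hash_equals($stored, $value)) {
            unset($this->storage[$name]);   // failure: discard whatever was stored
            return false;
        }
        if (!$this->persistentMode) {
            unset($this->storage[$name]);   // success in one-time mode: remove the token
        }
        return true;
    }
}

// Usage: present the same token twice with persistent mode off.
$guard = new MiniCsrfGuard(false);
$token = $guard->generateToken();
$first  = $guard->validateToken($token['name'], $token['value']);
$second = $guard->validateToken($token['name'], $token['value']); // must be rejected: token consumed
var_dump($first, $second);
```

Running the same two calls against `validateTokenReplayable` instead accepts the token both times, which is the replay the fix closes.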
@akrabat akrabat added this to the 1.1.0 milestone Jan 4, 2021
@akrabat akrabat requested a review from l0gicgate January 4, 2021 13:25
@akrabat akrabat force-pushed the remove-token-on-validation branch from 3061678 to 009a4bd January 4, 2021 13:36

This is required for PHP7.3+ as our phpunit.xml.dist automatically creates coverage.

@akrabat akrabat force-pushed the remove-token-on-validation branch 2 times, most recently from a98443c to e2d11fb January 5, 2021 10:12
@akrabat akrabat force-pushed the remove-token-on-validation branch from e2d11fb to 9fe81ac January 5, 2021 10:56
@l0gicgate l0gicgate merged commit d641663 into slimphp:master Jan 7, 2021
@akrabat akrabat deleted the remove-token-on-validation branch January 7, 2021 09:59