[TASK] Clean up stored auth tokens #628

Open
5 tasks done
shurwit opened this issue Jan 4, 2023 · 0 comments · May be fixed by #627
Labels: enhancement (New feature or request), security (Security issue)

Comments

@shurwit (Collaborator)

shurwit commented Jan 4, 2023

Description

Currently we store several auth tokens in the database. While this is not inherently a security risk, it would be safer to avoid storing these tokens directly when at all possible.

Acceptance Criteria

  • Hash refresh tokens in database, prefix refresh tokens sent to client with <session-id>:
    • Cache login session IDs and implement rate limit to prevent DoS (delete login session if suspicious behavior is detected)
  • Do not print valid refresh tokens to logs
  • Remove access token from login session in database
  • Encrypt OIDC token data in login session using auth private key
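The first acceptance criterion (hash the stored refresh token, send the client `<session-id>:<secret>`, and drop the login session when refresh attempts against one session ID keep failing) as an added Go sketch that is not code from this repository: the in-memory `sessions` map, the 12-byte session ID, and the failure threshold of 5 are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"strings"
)

// loginSession stands in for the stored login session; only the token digest is kept.
type loginSession struct {
	RefreshHash [32]byte // SHA-256 of the secret half of the refresh token
	Failures    int      // consecutive failed refresh attempts against this session ID
}

const maxRefreshFailures = 5 // assumed rate-limit threshold, not stated in the issue
var sessions = map[string]*loginSession{}

// issueRefreshToken stores only the hash and returns "<session-id>:<secret>" to the client.
func issueRefreshToken() (string, error) {
	buf := make([]byte, 44) // 12 random bytes for the session ID, 32 for the secret
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id, secret := hex.EncodeToString(buf[:12]), hex.EncodeToString(buf[12:])
	sessions[id] = &loginSession{RefreshHash: sha256.Sum256([]byte(secret))}
	return id + ":" + secret, nil
}

// verifyRefreshToken finds the session by its ID prefix (never by token), compares
// digests in constant time, and deletes the session once too many attempts fail.
func verifyRefreshToken(token string) bool {
	id, secret, ok := strings.Cut(token, ":")
	if !ok {
		return false
	}
	s, found := sessions[id]
	if !found {
		return false
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], s.RefreshHash[:]) == 1 {
		s.Failures = 0
		return true
	}
	if s.Failures++; s.Failures >= maxRefreshFailures {
		delete(sessions, id) // suspicious behavior: drop the login session
	}
	return false
}
```

Because the database row holds only the digest, a leaked table or a log line that prints the stored value no longer yields a usable refresh token, and the session ID prefix lets the lookup avoid querying by the token itself.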
@shurwit shurwit linked a pull request Jan 4, 2023 that will close this issue
roberlander2 added a commit that referenced this issue Jan 5, 2023
@shurwit shurwit added enhancement New feature or request security Security issue labels Jan 23, 2023
shurwit added a commit that referenced this issue Jun 28, 2023
* update logging library to v2

* revert testing changes [#624]

* upgrade core-auth-library-go to v2.1.0, add empty enc APIs policy [#624]

* remove individual web auth entities, use claimsCheck functions

* upgrade auth-lib and logging-lib versions [#624]

* clean up unnecessary schema files, upgrade dependencies, trouble with openapi3 example validation [#624]

* downgrade openapi to 0.110.0, remove more unnecessary schemas [#624]

* update error messages with new logutils strings [#624]

* update swagger docs to only use yaml syntax [#624]

* update changelog

* fix typo

* logging adjustments, fix comment

* bug fixes

* do not store access tokens in DB, encrypt oidc tokens in login session params

* return raw oidc tokens in login, refresh responses, only store encrypted refresh token, add decryption function

* remove whitespace from decrypted refresh tokens

* store hashed refresh tokens, prefix refresh tokens with session ID, remove some refresh token logging

* first implementation of session ID rate limit

* delete login session on rate limit hit

* add allow legacy refresh flag to env vars, don't send oidc refresh tokens to client

* update login and refresh response docs

* limit block size in pkcs7 padding

* limit ciphertext size

* don't allow negative ciphertext size

* fix padded ciphertext length

* use AES encryption in GCM mode instead of CBC, store nonce in session params [#628]

* update usage of global configs, will probably update to be used more like bb template configs [#628]

* start refactoring GlobalConfig into Config [#628]

* add new files

* finish global_configs -> configs refactor, bug fixes [#628]

* handle backward compatibility

* use Log.SendHTTPResponse

* set up CORS handler in web adapter

* update go mod

* fix go mod

* update changelog

* update config data type [#632]

* gen mocks

* fix configs, docs

* fix admin update config API [#632]

* fix changelog, merge changes from develop

* update configs APIs [#632]

* bug fixes

* do not set up cors if there are no allowed origins [#632]

* move storage out of web package, upgrade dependencies

---------

Co-authored-by: Stephen Hurwit <[email protected]>