Headline
GHSA-qrm9-f75w-hg4c: Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`
Impact
Applications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.
Additionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected. The impact here for users using builtin functionality is that magic link tokens are reusable until they expire instead of being immediately revoked. Magic link tokens are only valid for 10 minutes, so the surface area for abuse is extremely low here.
Patches
The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use mix igniter.upgrade ash_authentication the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message
Example
[warning] Warning while compiling Tunez.Accounts.Token:
The `:jti` and `:token` options to the `:revoked?` action must allow nil values and it must return a `:boolean`.
This was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.
To fix this, run the following command in your shell:
mix ash_authentication.upgrade 4.4.8 4.4.9
Or:
- remove `allow_nil?: false` from these action arguments, and
- ensure that the action returns `:boolean`.
like so:
action :revoked?, :boolean do
description "Returns true if a revocation token is found for the provided token"
argument :token, :string, sensitive?: true
argument :jti, :string, sensitive?: true
run AshAuthentication.TokenResource.IsRevoked
end
Workarounds
Delete the generated :revoked? generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively, manually make the changes described above.
References
See the #ash_authentication channel on the Ash Discord.
Impact
Applications which have been bootstrapped by the new igniter installer (since AshAuthentication v4.1.0) and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not use the new installer, then you are absolutely not affected.
Additionally, unless you have implemented any kind of custom token revocation feature in your application (in which case even cursory testing would have uncovered this issue), then you will not be significantly affected. The impact here for users using builtin functionality is that magic link tokens are reusable until they expire instead of being immediately revoked. Magic link tokens are only valid for 10 minutes, so the surface area for abuse is extremely low here.
Patches
The flaw is patched in version 4.4.9. Additionally a compile time warning is shown to users with remediation instructions if they upgrade. 4.4.9 ships with an upgrader, so if you use mix igniter.upgrade ash_authentication the necessary patch will be applied for you. Otherwise you can run the upgrader manually as described in the error message
Example
[warning] Warning while compiling Tunez.Accounts.Token:
The `:jti` and `:token` options to the `:revoked?` action must allow nil values and it must return a `:boolean`.
This was an error in our igniter installer previous to version 4.4.9, which allowed revoked tokens to be reused.
To fix this, run the following command in your shell: mix ash_authentication.upgrade 4.4.8 4.4.9
Or:
- remove `allow_nil?: false` from these action arguments, and - ensure that the action returns `:boolean`.
like so: action :revoked?, :boolean do description “Returns true if a revocation token is found for the provided token” argument :token, :string, sensitive?: true argument :jti, :string, sensitive?: true
run AshAuthentication.TokenResource.IsRevoked
end
Workarounds
Delete the generated :revoked? generic action in your token resource This will cause it to use the one internal to AshAuthentication which has always been correct. Alternatively, manually make the changes described above.
References
See the #ash_authentication channel on the Ash Discord.
References
- GHSA-qrm9-f75w-hg4c
- team-alembic/ash_authentication@2dee552