Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security regression in Devise 4: plain text confirmation tokens? #4429

Closed
ttrmw opened this issue Feb 13, 2017 · 5 comments
Closed

Security regression in Devise 4: plain text confirmation tokens? #4429

ttrmw opened this issue Feb 13, 2017 · 5 comments

Comments

@ttrmw
Copy link

ttrmw commented Feb 13, 2017
edited
Loading

Hey,

In Devise 3, confirmation tokens were one-way encrypted:

http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

In Devise 4 this appears not to be the case - friendly_token is used in the generate_confirmation_token method instead, which is the same value sent out by the mailer - thus the plaintext token is stored in the db. I can't find anything to explain why this change was made (or even anything documenting that the change happened. No mention in CHANGELOG.MD) , and it seems like a security regression?

Is the best 'solution' to override the generate_confirmation_token method in my resource model?
@ttrmw
Copy link
Author

ttrmw commented Feb 13, 2017

d122faf

eb640ed

Seem to be the relevant commits. Unfortunately the latter doesn't have an explanation of the decision to no longer digest security tokens?

@shimms
Copy link

shimms commented Feb 20, 2017

From the PR (#3661) and issue it addresses (#3640) looks to be considered safe primarily because users aren't authenticated after confirmation anymore, so this doesn't give someone access to an account if the plain text confirmation token is compromised.

Password reset tokens etc are still securely stored in the database.

@ttrmw
Copy link
Author

ttrmw commented Feb 21, 2017
edited
Loading

In my application the user is authenticated on confirmation, so a new account can be compromised if the token leaks. Is this not the correct behaviour for Devise? We may have accidentally broken something 😁

@shimms
Copy link

shimms commented Feb 22, 2017

Yeah since 3.1 the default Devise behaviour is not to log users in after confirmation. The threat vector was if the email was compromised, confirming the account allowed an attacker access to that user's (newly confirmed) account automatically, rather than requiring them to subsequently log in, presumably with a password they don't know.

That being said, if they've got access to email, they can just request a password rest token, and get in that way, so not entirely sure what real problem that solved.

Read more here: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

From the above, you can enable sign in after confirmation by adding:

config.allow_insecure_sign_in_after_confirmation = true

To your devise initializer (which perhaps your app has, or maybe you're using Devise < 3.1?).

@tegon
Copy link
Member

tegon commented Dec 13, 2017

See issue #3640 for more context on why this changed.
Thanks!

@tegon tegon closed this as completed Dec 13, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shimms @ttrmw @tegon