-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security regression in Devise 4: plain text confirmation tokens? #4429
Comments
From the PR (#3661) and issue it addresses (#3640) looks to be considered safe primarily because users aren't authenticated after confirmation anymore, so this doesn't give someone access to an account if the plain text confirmation token is compromised. Password reset tokens etc are still securely stored in the database. |
In my application the user is authenticated on confirmation, so a new account can be compromised if the token leaks. Is this not the correct behaviour for Devise? We may have accidentally broken something 😁 |
Yeah since 3.1 the default Devise behaviour is not to log users in after confirmation. The threat vector was if the email was compromised, confirming the account allowed an attacker access to that user's (newly confirmed) account automatically, rather than requiring them to subsequently log in, presumably with a password they don't know. That being said, if they've got access to email, they can just request a password rest token, and get in that way, so not entirely sure what real problem that solved. Read more here: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/ From the above, you can enable sign in after confirmation by adding:
To your devise initializer (which perhaps your app has, or maybe you're using Devise < 3.1?). |
See issue #3640 for more context on why this changed. |
Hey,
In Devise 3, confirmation tokens were one-way encrypted:
http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
In Devise 4 this appears not to be the case -
friendly_token
is used in thegenerate_confirmation_token
method instead, which is the same value sent out by the mailer - thus the plaintext token is stored in the db. I can't find anything to explain why this change was made (or even anything documenting that the change happened. No mention inCHANGELOG.MD
) , and it seems like a security regression?Is the best 'solution' to override the generate_confirmation_token method in my resource model?
The text was updated successfully, but these errors were encountered: