Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: impose expiry on auth code instead of magic link #1440

Merged
merged 4 commits into from
Mar 13, 2024

Conversation

J0
Copy link
Contributor

@J0 J0 commented Feb 19, 2024

What kind of change does this PR introduce?

Currently, we check for flow state expiry rather than auth code expiry. The auth code is created at the point when /magiclink is called and expiry starts from then. However, the auth code should probably start expiring when the link is verified and the auth code is issued.

We can eventually extend this to other magic link like flows if need.

Note that the Flow State expiry is capped at 24 hours, as that is when the regular cleanup takes place. Considered adding a hard restriction on the maximum validity of GOTRUE_MAILER_OTP_EXP but there are a handful of projects which have it >86400.

The handful of existing projects (number on internal channel) with a OTP expiry of longer than 24 hours will continue to have the expiry capped at 24 hours when using PKCE. This should be the same as the current behaviour since we aren't changing the cleanup duration.

internal/api/verify.go Outdated Show resolved Hide resolved
@J0 J0 marked this pull request as ready for review February 21, 2024 07:37
@J0 J0 requested a review from a team as a code owner February 21, 2024 07:37
@J0 J0 changed the title fix: extend duration of auth code for magic links fix: impose expiry on auth code instead of magic link Feb 21, 2024
internal/models/flow_state.go Outdated Show resolved Hide resolved
@J0 J0 requested a review from hf February 21, 2024 11:36
@aboveyunhai
Copy link

just a question regarding the security, if the expiry only trigs after the usage unlike the 5min it has now, does it mean it will never expiry if I never use it? I thought the link behaves like the one time password in terms of the expiry strategy, but it seems like they are different.

@J0
Copy link
Contributor Author

J0 commented Feb 27, 2024

Hey @aboveyunhai,

Thanks for the query - it will still expire but the expiry restriction will be controlled by Mailer OTP Expiry instead of flow state expiry and it will be constant across all link related flows

@J0 J0 marked this pull request as draft March 4, 2024 08:44
@J0 J0 force-pushed the j0/extend_duration_for_magic_links branch from ca03312 to f374f87 Compare March 6, 2024 10:28
@J0 J0 marked this pull request as ready for review March 6, 2024 11:27
@J0 J0 force-pushed the j0/extend_duration_for_magic_links branch from f374f87 to f665e51 Compare March 6, 2024 11:29
internal/models/flow_state.go Outdated Show resolved Hide resolved
internal/models/flow_state.go Outdated Show resolved Hide resolved
@hf hf merged commit 35aeaf1 into master Mar 13, 2024
3 checks passed
@hf hf deleted the j0/extend_duration_for_magic_links branch March 13, 2024 00:20
J0 pushed a commit that referenced this pull request Mar 26, 2024
🤖 I have created a release *beep* *boop*
---


##
[2.145.0](v2.144.0...v2.145.0)
(2024-03-26)


### Features

* add error codes
([#1377](#1377))
([e4beea1](e4beea1))
* add kakao OIDC
([#1381](#1381))
([b5566e7](b5566e7))
* clean up expired factors
([#1371](#1371))
([5c94207](5c94207))
* configurable NameID format for SAML provider
([#1481](#1481))
([ef405d8](ef405d8))
* HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets
([#1467](#1467))
([5b24c4e](5b24c4e))
* refactor PKCE FlowState to reduce duplicate code
([#1446](#1446))
([b8d0337](b8d0337))


### Bug Fixes

* add http support for https hooks on localhost
([#1484](#1484))
([5c04104](5c04104))
* cleanup panics due to bad inactivity timeout code
([#1471](#1471))
([548edf8](548edf8))
* **docs:** remove bracket on file name for broken link
([#1493](#1493))
([96f7a68](96f7a68))
* impose expiry on auth code instead of magic link
([#1440](#1440))
([35aeaf1](35aeaf1))
* invalidate email, phone OTPs on password change
([#1489](#1489))
([960a4f9](960a4f9))
* move creation of flow state into function
([#1470](#1470))
([4392a08](4392a08))
* prevent user email side-channel leak on verify
([#1472](#1472))
([311cde8](311cde8))
* refactor email sending functions
([#1495](#1495))
([285c290](285c290))
* refactor factor_test to centralize setup
([#1473](#1473))
([c86007e](c86007e))
* refactor mfa challenge and tests
([#1469](#1469))
([6c76f21](6c76f21))
* Resend SMS when duplicate SMS sign ups are made
([#1490](#1490))
([73240a0](73240a0))
* unlink identity bugs
([#1475](#1475))
([73e8d87](73e8d87))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024
## What kind of change does this PR introduce?

Currently, we check for flow state expiry rather than auth code expiry.
The auth code is created at the point when `/magiclink` is called and
expiry starts from then. However, the auth code should probably start
expiring when the link is verified and the auth code is issued.

We can eventually extend this to other magic link like flows if need. 

Note that the Flow State expiry is capped at 24 hours, as that is when
the regular cleanup takes place. Considered adding a hard restriction on
the maximum validity of `GOTRUE_MAILER_OTP_EXP` but there are a handful
of projects which have it >86400.

The handful of existing projects (number on internal channel) with a OTP
expiry of longer than 24 hours will continue to have the expiry capped
at 24 hours when using PKCE. This should be the same as the current
behaviour since we aren't changing the cleanup duration.

---------

Co-authored-by: joel <[email protected]>
uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024
🤖 I have created a release *beep* *boop*
---


##
[2.145.0](supabase/auth@v2.144.0...v2.145.0)
(2024-03-26)


### Features

* add error codes
([supabase#1377](supabase#1377))
([e4beea1](supabase@e4beea1))
* add kakao OIDC
([supabase#1381](supabase#1381))
([b5566e7](supabase@b5566e7))
* clean up expired factors
([supabase#1371](supabase#1371))
([5c94207](supabase@5c94207))
* configurable NameID format for SAML provider
([supabase#1481](supabase#1481))
([ef405d8](supabase@ef405d8))
* HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets
([supabase#1467](supabase#1467))
([5b24c4e](supabase@5b24c4e))
* refactor PKCE FlowState to reduce duplicate code
([supabase#1446](supabase#1446))
([b8d0337](supabase@b8d0337))


### Bug Fixes

* add http support for https hooks on localhost
([supabase#1484](supabase#1484))
([5c04104](supabase@5c04104))
* cleanup panics due to bad inactivity timeout code
([supabase#1471](supabase#1471))
([548edf8](supabase@548edf8))
* **docs:** remove bracket on file name for broken link
([supabase#1493](supabase#1493))
([96f7a68](supabase@96f7a68))
* impose expiry on auth code instead of magic link
([supabase#1440](supabase#1440))
([35aeaf1](supabase@35aeaf1))
* invalidate email, phone OTPs on password change
([supabase#1489](supabase#1489))
([960a4f9](supabase@960a4f9))
* move creation of flow state into function
([supabase#1470](supabase#1470))
([4392a08](supabase@4392a08))
* prevent user email side-channel leak on verify
([supabase#1472](supabase#1472))
([311cde8](supabase@311cde8))
* refactor email sending functions
([supabase#1495](supabase#1495))
([285c290](supabase@285c290))
* refactor factor_test to centralize setup
([supabase#1473](supabase#1473))
([c86007e](supabase@c86007e))
* refactor mfa challenge and tests
([supabase#1469](supabase#1469))
([6c76f21](supabase@6c76f21))
* Resend SMS when duplicate SMS sign ups are made
([supabase#1490](supabase#1490))
([73240a0](supabase@73240a0))
* unlink identity bugs
([supabase#1475](supabase#1475))
([73e8d87](supabase@73e8d87))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024
## What kind of change does this PR introduce?

Currently, we check for flow state expiry rather than auth code expiry.
The auth code is created at the point when `/magiclink` is called and
expiry starts from then. However, the auth code should probably start
expiring when the link is verified and the auth code is issued.

We can eventually extend this to other magic link like flows if need. 

Note that the Flow State expiry is capped at 24 hours, as that is when
the regular cleanup takes place. Considered adding a hard restriction on
the maximum validity of `GOTRUE_MAILER_OTP_EXP` but there are a handful
of projects which have it >86400.

The handful of existing projects (number on internal channel) with a OTP
expiry of longer than 24 hours will continue to have the expiry capped
at 24 hours when using PKCE. This should be the same as the current
behaviour since we aren't changing the cleanup duration.

---------

Co-authored-by: joel <[email protected]>
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024
🤖 I have created a release *beep* *boop*
---


##
[2.145.0](supabase/auth@v2.144.0...v2.145.0)
(2024-03-26)


### Features

* add error codes
([supabase#1377](supabase#1377))
([e4beea1](supabase@e4beea1))
* add kakao OIDC
([supabase#1381](supabase#1381))
([b5566e7](supabase@b5566e7))
* clean up expired factors
([supabase#1371](supabase#1371))
([5c94207](supabase@5c94207))
* configurable NameID format for SAML provider
([supabase#1481](supabase#1481))
([ef405d8](supabase@ef405d8))
* HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets
([supabase#1467](supabase#1467))
([5b24c4e](supabase@5b24c4e))
* refactor PKCE FlowState to reduce duplicate code
([supabase#1446](supabase#1446))
([b8d0337](supabase@b8d0337))


### Bug Fixes

* add http support for https hooks on localhost
([supabase#1484](supabase#1484))
([5c04104](supabase@5c04104))
* cleanup panics due to bad inactivity timeout code
([supabase#1471](supabase#1471))
([548edf8](supabase@548edf8))
* **docs:** remove bracket on file name for broken link
([supabase#1493](supabase#1493))
([96f7a68](supabase@96f7a68))
* impose expiry on auth code instead of magic link
([supabase#1440](supabase#1440))
([35aeaf1](supabase@35aeaf1))
* invalidate email, phone OTPs on password change
([supabase#1489](supabase#1489))
([960a4f9](supabase@960a4f9))
* move creation of flow state into function
([supabase#1470](supabase#1470))
([4392a08](supabase@4392a08))
* prevent user email side-channel leak on verify
([supabase#1472](supabase#1472))
([311cde8](supabase@311cde8))
* refactor email sending functions
([supabase#1495](supabase#1495))
([285c290](supabase@285c290))
* refactor factor_test to centralize setup
([supabase#1473](supabase#1473))
([c86007e](supabase@c86007e))
* refactor mfa challenge and tests
([supabase#1469](supabase#1469))
([6c76f21](supabase@6c76f21))
* Resend SMS when duplicate SMS sign ups are made
([supabase#1490](supabase#1490))
([73240a0](supabase@73240a0))
* unlink identity bugs
([supabase#1475](supabase#1475))
([73e8d87](supabase@73e8d87))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants