session_identifier compilation on AshAuthentication update

When updating AshAuthenticationPhoenix for the security advisory, I also updated AshAuthentication, and that also produces a compile-time error, which is not mentioned in the advisory.
** (Spark.Error.DslError) authentication -> session_identifier:
Must set `authentication.session_identifier` to either `:jti` or `:unsafe`.

If you are seeing this error while upgrading ash_authentication, be aware that
updating this setting will log out all of your users.

When set to `:unsafe`, tokens are not revoked when the user logs out.
When set to `:jti`, we use this information to revoke tokens on logout.
Does this just go in the top level of the authentication do block? i.e.
authentication do
  session_identifier :jti

  strategies do
    password :password do
      identity_field :email
      hashed_password_field :hashed_password
    end
  end
end
13 Replies
ZachDaniel, 4mo ago
I will update the advisory to explain this one and I will update that error message
Solution
ZachDaniel, 4mo ago
the preferred solution would be to turn on require_token_presence_for_authentication? true
ZachDaniel, 4mo ago
Which essentially involves doing full server-side session management. But if you have a reason not to enable that, then yes, you'd add `session_identifier :jti` into the `authentication do` block. The CVE now explains this, as does the error.
Flavio, 3mo ago
Hey Zach! I just came across this and tried the preferred solution, but it's breaking half of my test suite, lol.
ZachDaniel, 3mo ago
IIRC there is a thread here talking about this somewhere as well
Flavio, 3mo ago
`session_identifier :jti` seems to work fine. Just to confirm: I tried putting `require_token_presence_for_authentication? true` inside the following block:
authentication do
  tokens do
    enabled? true
    # ....
    require_token_presence_for_authentication? true
  end
end
I'll try to find it.
ZachDaniel, 3mo ago
In general though, you gotta share error messages etc.
Flavio, 3mo ago
I don't have a lot of details yet. All I'm seeing is forbidden errors across pretty much all GraphQL operations, e.g.
{
  "data": {
    "getOrdersList": null
  },
  "errors": [
    {
      "code": "forbidden",
      "message": "forbidden",
      "path": [
        "getOrdersList"
      ],
      "fields": [],
      "vars": {},
      "short_message": "forbidden",
      "locations": [
        {
          "line": 46,
          "column": 3
        }
      ]
    }
  ]
}
With a valid bearer token for an admin user that should be able to run this operation. With `session_identifier :jti` in the code instead of `require_token_presence_for_authentication? true`, things work fine.
ZachDaniel, 3mo ago
Do you have any policies on your token resource? Like the bypass that allows AshAuthentication to do anything it wants for tokens?
Flavio, 3mo ago
Here are my policies in the Token resource:
policies do
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    description "AshAuthentication can interact with the token resource"
    authorize_if always()
  end

  policy always() do
    description "No one aside from AshAuthentication can interact with the tokens resource."
    forbid_if always()
  end
end
BTW should I move this discussion somewhere else?
ZachDaniel, 3mo ago
Ah, your tests to create a user probably aren't inserting a token, or something along those lines. Maybe make a new question, but I forget what the solution was, and it's documented somewhere in one of these support threads.
Flavio, 3mo ago
OK, I'll do more research tomorrow and if I still can't find it, I'll make a new question. Thanks and sorry for hijacking this thread!
ZachDaniel, 3mo ago
No problem