Security: Hash session tokens at rest + revoke sessions on ban/kick #78

Closed
opened 2026-07-08 02:40:29 +00:00 by icub3d · 0 comments
Owner

Severity: High — found in code review 2026-07-07. Follow-up to #65 (which did secure token generation but not the below).

Problem

server/src/storage/sqlite/sessions.rs:

  1. Tokens stored in plaintext and matched with WHERE token = ?. Any DB read, backup, or log leak yields directly usable bearer tokens. Token entropy is fine (128-bit CSPRNG) — the issue is at-rest storage.
  2. No revocation on ban/kickban_member/kick_member (membership/handlers.rs) remove membership/roles but never delete sessions, so a banned user's token keeps working on AuthUser-only routes and on an already-open WebSocket until natural expiry (default 24h).

Fix

  • Store only a hash (e.g. SHA-256) of the token; look up by hash.
  • On ban/kick, delete all of the target user's sessions and drop their gateway connections.

Acceptance

  • sessions.token column holds a hash, not the raw token
  • Ban/kick invalidates existing sessions + live WS connections (test)
**Severity: High** — found in code review 2026-07-07. Follow-up to #65 (which did secure token *generation* but not the below). ## Problem `server/src/storage/sqlite/sessions.rs`: 1. **Tokens stored in plaintext** and matched with `WHERE token = ?`. Any DB read, backup, or log leak yields directly usable bearer tokens. Token entropy is fine (128-bit CSPRNG) — the issue is at-rest storage. 2. **No revocation on ban/kick** — `ban_member`/`kick_member` (`membership/handlers.rs`) remove membership/roles but never delete sessions, so a banned user's token keeps working on `AuthUser`-only routes and on an already-open WebSocket until natural expiry (default 24h). ## Fix - [ ] Store only a hash (e.g. SHA-256) of the token; look up by hash. - [ ] On ban/kick, delete all of the target user's sessions and drop their gateway connections. ## Acceptance - [ ] `sessions.token` column holds a hash, not the raw token - [ ] Ban/kick invalidates existing sessions + live WS connections (test)
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
icub3d/decentcom#78
No description provided.