Security: Hash session tokens at rest + revoke sessions on ban/kick #78
Labels
No labels
area:api
area:core
area:docs
area:infra
area:ux
dependencies
documentation
duplicate
good first issue
help wanted
invalid
question
rust
status:complete
status:partial
status:planned
type:bug
type:design
type:feature
type:infra
type:refactor
type:refactor
type:research
type:ux
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
icub3d/decentcom#78
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: High — found in code review 2026-07-07. Follow-up to #65 (which did secure token generation but not the below).
Problem
server/src/storage/sqlite/sessions.rs:WHERE token = ?. Any DB read, backup, or log leak yields directly usable bearer tokens. Token entropy is fine (128-bit CSPRNG) — the issue is at-rest storage.ban_member/kick_member(membership/handlers.rs) remove membership/roles but never delete sessions, so a banned user's token keeps working onAuthUser-only routes and on an already-open WebSocket until natural expiry (default 24h).Fix
Acceptance
sessions.tokencolumn holds a hash, not the raw token