discourse/app/models/user_auth_token.rb

# frozen_string_literal: true
require 'digest/sha1'

class UserAuthToken < ActiveRecord::Base
  belongs_to :user

  ROTATE_TIME = 10.minutes
  # used when token did not arrive at client
  URGENT_ROTATE_TIME = 1.minute

  attr_accessor :unhashed_auth_token

  def self.log(info)
    if SiteSetting.verbose_auth_token_logging
      UserAuthTokenLog.create!(info)
    end
  end

  def self.generate!(info)
    token = SecureRandom.hex(16)
    hashed_token = hash_token(token)
    user_auth_token = UserAuthToken.create!(
      user_id: info[:user_id],
      user_agent: info[:user_agent],
      client_ip: info[:client_ip],
      auth_token: hashed_token,
      prev_auth_token: hashed_token,
      rotated_at: Time.zone.now
    )
    user_auth_token.unhashed_auth_token = token

    log(action: 'generate',
        user_auth_token_id: user_auth_token.id,
        user_id: info[:user_id],
        user_agent: info[:user_agent],
        client_ip: info[:client_ip],
        path: info[:path],
        auth_token: hashed_token)

    user_auth_token
  end

  def self.lookup(unhashed_token, opts = nil)

    mark_seen = opts && opts[:seen]

    token = hash_token(unhashed_token)
    expire_before = SiteSetting.maximum_session_age.hours.ago

    user_token = find_by("(auth_token = :token OR
                          prev_auth_token = :token OR
                          (auth_token = :unhashed_token AND legacy)) AND rotated_at > :expire_before",
                          token: token, unhashed_token: unhashed_token, expire_before: expire_before)

    if !user_token

      log(action: "miss token",
          user_id: user_token&.user_id,
          auth_token: token,
          user_agent: opts && opts[:user_agent],
          path: opts && opts[:path],
          client_ip: opts && opts[:client_ip])

      return nil
    end

    if user_token.auth_token != token && user_token.prev_auth_token == token && user_token.auth_token_seen
      changed_rows = UserAuthToken
        .where("rotated_at < ?", 1.minute.ago)
        .where(id: user_token.id, prev_auth_token: token)
        .update_all(auth_token_seen: false)

      # not updating AR model cause we want to give it one more req
      # with wrong cookie
      UserAuthToken.log(
        action: changed_rows == 0 ? "prev seen token unchanged" : "prev seen token",
        user_auth_token_id: user_token.id,
        user_id: user_token.user_id,
        auth_token: user_token.auth_token,
        user_agent: opts && opts[:user_agent],
        path: opts && opts[:path],
        client_ip: opts && opts[:client_ip]
      )
    end

    if mark_seen && user_token && !user_token.auth_token_seen && user_token.auth_token == token
      # we must protect against concurrency issues here
      changed_rows = UserAuthToken
        .where(id: user_token.id, auth_token: token)
        .update_all(auth_token_seen: true, seen_at: Time.zone.now)

      if changed_rows == 1
        # not doing a reload so we don't risk loading a rotated token
        user_token.auth_token_seen = true
        user_token.seen_at = Time.zone.now
      end

      log(action: changed_rows == 0 ? "seen wrong token" : "seen token",
          user_auth_token_id: user_token.id,
          user_id: user_token.user_id,
          auth_token: user_token.auth_token,
          user_agent: opts && opts[:user_agent],
          path: opts && opts[:path],
          client_ip: opts && opts[:client_ip])
    end

    user_token
  end

  def self.hash_token(token)
    Digest::SHA1.base64digest("#{token}#{GlobalSetting.safe_secret_key_base}")
  end

  def self.cleanup!

    if SiteSetting.verbose_auth_token_logging
      UserAuthTokenLog.where('created_at < :time',
            time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME).delete_all
    end

    where('rotated_at < :time',
          time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME).delete_all

  end

  def rotate!(info = nil)
    user_agent = (info && info[:user_agent] || self.user_agent)
    client_ip = (info && info[:client_ip] || self.client_ip)

    token = SecureRandom.hex(16)

    result = UserAuthToken.exec_sql("
  UPDATE user_auth_tokens
  SET
    auth_token_seen = false,
    seen_at = null,
    user_agent = :user_agent,
    client_ip = :client_ip,
    prev_auth_token = case when auth_token_seen then auth_token else prev_auth_token end,
    auth_token = :new_token,
    rotated_at = :now
  WHERE id = :id AND (auth_token_seen or rotated_at < :safeguard_time)
", id: self.id,
   user_agent: user_agent,
   client_ip: client_ip&.to_s,
   now: Time.zone.now,
   new_token: UserAuthToken.hash_token(token),
   safeguard_time: 30.seconds.ago
  )

    if result.cmdtuples > 0
      reload
      self.unhashed_auth_token = token

      UserAuthToken.log(
        action: "rotate",
        user_auth_token_id: id,
        user_id: user_id,
        auth_token: auth_token,
        user_agent: user_agent,
        client_ip: client_ip,
        path: info && info[:path]
      )

      true
    else
      false
    end

  end
end

# == Schema Information
#
# Table name: user_auth_tokens
#
#  id              :integer          not null, primary key
#  user_id         :integer          not null
#  auth_token      :string           not null
#  prev_auth_token :string           not null
#  user_agent      :string
#  auth_token_seen :boolean          default(FALSE), not null
#  legacy          :boolean          default(FALSE), not null
#  client_ip       :inet
#  rotated_at      :datetime         not null
#  created_at      :datetime         not null
#  updated_at      :datetime         not null
#  seen_at         :datetime
#
# Indexes
#
#  index_user_auth_tokens_on_auth_token       (auth_token) UNIQUE
#  index_user_auth_tokens_on_prev_auth_token  (prev_auth_token) UNIQUE
#
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`# frozen_string_literal: true`
			`require 'digest/sha1'`

			`class UserAuthToken < ActiveRecord::Base`
			`belongs_to :user`

			`ROTATE_TIME = 10.minutes`
			`# used when token did not arrive at client`
			`URGENT_ROTATE_TIME = 1.minute`

			`attr_accessor :unhashed_auth_token`

remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`def self.log(info)`
			`if SiteSetting.verbose_auth_token_logging`
			`UserAuthTokenLog.create!(info)`
			`end`
			`end`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`def self.generate!(info)`
			`token = SecureRandom.hex(16)`
			`hashed_token = hash_token(token)`
			`user_auth_token = UserAuthToken.create!(`
			`user_id: info[:user_id],`
			`user_agent: info[:user_agent],`
			`client_ip: info[:client_ip],`
			`auth_token: hashed_token,`
			`prev_auth_token: hashed_token,`
			`rotated_at: Time.zone.now`
			`)`
			`user_auth_token.unhashed_auth_token = token`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`log(action: 'generate',`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`user_auth_token_id: user_auth_token.id,`
			`user_id: info[:user_id],`
			`user_agent: info[:user_agent],`
			`client_ip: info[:client_ip],`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`path: info[:path],`
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`auth_token: hashed_token)`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`user_auth_token`
			`end`

Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`def self.lookup(unhashed_token, opts = nil)`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00
			`mark_seen = opts && opts[:seen]`

			`token = hash_token(unhashed_token)`
			`expire_before = SiteSetting.maximum_session_age.hours.ago`

			`user_token = find_by("(auth_token = :token OR`
			`prev_auth_token = :token OR`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`(auth_token = :unhashed_token AND legacy)) AND rotated_at > :expire_before",`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`token: token, unhashed_token: unhashed_token, expire_before: expire_before)`

FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`if !user_token`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`log(action: "miss token",`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`user_id: user_token&.user_id,`
			`auth_token: token,`
			`user_agent: opts && opts[:user_agent],`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`path: opts && opts[:path],`
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`client_ip: opts && opts[:client_ip])`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`return nil`
			`end`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00
FIX: on initial token issue stop unmarking token as unseen prev and current are the same so we need special logic to bypass 2017-02-28 10:38:22 -05:00			`if user_token.auth_token != token && user_token.prev_auth_token == token && user_token.auth_token_seen`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`changed_rows = UserAuthToken`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`.where("rotated_at < ?", 1.minute.ago)`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`.where(id: user_token.id, prev_auth_token: token)`
			`.update_all(auth_token_seen: false)`

			`# not updating AR model cause we want to give it one more req`
			`# with wrong cookie`
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`UserAuthToken.log(`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`action: changed_rows == 0 ? "prev seen token unchanged" : "prev seen token",`
			`user_auth_token_id: user_token.id,`
			`user_id: user_token.user_id,`
			`auth_token: user_token.auth_token,`
			`user_agent: opts && opts[:user_agent],`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`path: opts && opts[:path],`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`client_ip: opts && opts[:client_ip]`
			`)`
			`end`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00
			`if mark_seen && user_token && !user_token.auth_token_seen && user_token.auth_token == token`
FIX: race condition when marking tokens as seen - in rare conditions can lead to users being logged off 2017-02-14 09:34:09 -05:00			`# we must protect against concurrency issues here`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`changed_rows = UserAuthToken`
			`.where(id: user_token.id, auth_token: token)`
			`.update_all(auth_token_seen: true, seen_at: Time.zone.now)`

correct the test 2017-02-14 09:34:39 -05:00			`if changed_rows == 1`
FIX: race condition when marking tokens as seen - in rare conditions can lead to users being logged off 2017-02-14 09:34:09 -05:00			`# not doing a reload so we don't risk loading a rotated token`
			`user_token.auth_token_seen = true`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`user_token.seen_at = Time.zone.now`
FIX: race condition when marking tokens as seen - in rare conditions can lead to users being logged off 2017-02-14 09:34:09 -05:00			`end`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`log(action: changed_rows == 0 ? "seen wrong token" : "seen token",`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`user_auth_token_id: user_token.id,`
			`user_id: user_token.user_id,`
			`auth_token: user_token.auth_token,`
			`user_agent: opts && opts[:user_agent],`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`path: opts && opts[:path],`
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`client_ip: opts && opts[:client_ip])`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`end`

			`user_token`
			`end`

			`def self.hash_token(token)`
			`Digest::SHA1.base64digest("#{token}#{GlobalSetting.safe_secret_key_base}")`
			`end`

			`def self.cleanup!`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
			`if SiteSetting.verbose_auth_token_logging`
			`UserAuthTokenLog.where('created_at < :time',`
			`time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME).delete_all`
			`end`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`where('rotated_at < :time',`
			`time: SiteSetting.maximum_session_age.hours.ago - ROTATE_TIME).delete_all`

			`end`

Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`def rotate!(info = nil)`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`user_agent = (info && info[:user_agent] \|\| self.user_agent)`
			`client_ip = (info && info[:client_ip] \|\| self.client_ip)`

			`token = SecureRandom.hex(16)`

			`result = UserAuthToken.exec_sql("`
			`UPDATE user_auth_tokens`
			`SET`
			`auth_token_seen = false,`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`seen_at = null,`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`user_agent = :user_agent,`
			`client_ip = :client_ip,`
			`prev_auth_token = case when auth_token_seen then auth_token else prev_auth_token end,`
			`auth_token = :new_token,`
			`rotated_at = :now`
			`WHERE id = :id AND (auth_token_seen or rotated_at < :safeguard_time)`
			`", id: self.id,`
			`user_agent: user_agent,`
			`client_ip: client_ip&.to_s,`
			`now: Time.zone.now,`
			`new_token: UserAuthToken.hash_token(token),`
			`safeguard_time: 30.seconds.ago`
			`)`

			`if result.cmdtuples > 0`
			`reload`
			`self.unhashed_auth_token = token`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`UserAuthToken.log(`
			`action: "rotate",`
			`user_auth_token_id: id,`
			`user_id: user_id,`
			`auth_token: auth_token,`
			`user_agent: user_agent,`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`client_ip: client_ip,`
			`path: info && info[:path]`
remove dupe code, correct logging logic 2017-03-07 10:57:48 -05:00			`)`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`true`
			`else`
			`false`
			`end`

			`end`
			`end`

			`# == Schema Information`
			`#`
			`# Table name: user_auth_tokens`
			`#`
			`# id :integer not null, primary key`
			`# user_id :integer not null`
			`# auth_token :string not null`
Update annotations. 2017-03-22 02:26:53 -04:00			`# prev_auth_token :string not null`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`# user_agent :string`
			`# auth_token_seen :boolean default(FALSE), not null`
			`# legacy :boolean default(FALSE), not null`
			`# client_ip :inet`
Update annotations. 2017-03-22 02:26:53 -04:00			`# rotated_at :datetime not null`
Update annotations. 2018-02-20 01:28:58 -05:00			`# created_at :datetime not null`
			`# updated_at :datetime not null`
Update annotations. 2017-03-22 02:26:53 -04:00			`# seen_at :datetime`
			`#`
			`# Indexes`
			`#`
			`# index_user_auth_tokens_on_auth_token (auth_token) UNIQUE`
			`# index_user_auth_tokens_on_prev_auth_token (prev_auth_token) UNIQUE`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`#`