WIP: Enforce MIN_SECONDS_BETWEEN for successful authentications #176
Currently the signature evaluation is done before the expiration. By doing the expiration first it is possible to save a KMS call if the link is expired.
Validate all fields returned by DynamoDB. Throw an error if any is missing.
The MIN_SECONDS_BETWEEN variable is used to protect against multiple authentications in a short period of time. However, it is only able to protect against multiple authentication failures. Successful authentications are not limited. A malicious actor may perform a DoS or drive costs if she has access to a valid user credential. This fix enforces MIN_SECONDS_BETWEEN in both cases by creating a `used` flag for each magic link. When created, `used` is set to false. To be used, a magic link must have `used` as false. On use, `used` is set to true. This will allow the MIN_SECONDS_BETWEEN to deny too short creation even on successful uses.
Hey mate, I had a look and we're nearly there.
- Let's use `uat` (used at) instead of `used` (because we also do `iat` for issued at)
- Let's not make it a boolean but make it a number, in which we store the unix timestamp of when it was used (like `iat` and `exp`)
- In the condition expression we can just say that this attribute MUST NOT yet exist. Its presence signifies that the magic link was already used (and at which time exactly, which may be helpful to know for audit purposes)
The full condition expression then becomes:
`attribute_exists(#signatureHash) AND #signatureHash = :signatureHash AND attribute_exists(#userNameHash) AND #userNameHash = :userNameHash AND attribute_not_exists(#uat)`
How does that sound?
Cheers
Sounds great. Working on it.
Use `uat` instead of `used`. `uat` stands for "used at" and stores the epoch time of the last magic link usage. Note that `uat` is an optional field.
@ottokruse Done. Please take a look. Fix: ensure Cheers.
Had a look and a play around, pushed a tweak. Think this looks pretty good now! Will merge and publish to NPM in a bit. (Part of the tweak is a little pedantry, you don't need to check the value of
Don't we need it to ensure that DynamoDB will perform an update and not an insert? I mean without the condition an insert could happen.
Because it is the primary key, just specifying Try it :) The following only works if the item with
A little bit late. But I tested and agree. Thanks for accepting the patch.
Published to npm in v0.14.0
Issue #175
Description of changes:
V1
- Enforces `MIN_SECONDS_BETWEEN` in both cases by creating a `used` flag for each magic link.
- Reorder magic link validation. Checks expiration before anything.
- Validate all fields stored in `DynamoDB`.

V2
- Enforces `MIN_SECONDS_BETWEEN` in both cases by creating a `uat` epoch attribute for each magic link.
- Reorder magic link validation. Checks expiration before anything.
- Validate all fields stored in `DynamoDB`. Note that `uat` is optional.
- Fix: change `DeleteCommand` to `UpdateCommand`. Make sure that `UpdateCommand` does not perform an insert.
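An added illustration, not code from this repository: an in-memory model of the condition expression quoted in the review above. It shows that a wrong signature, a replay and a missing item are all rejected without an insert, and that keeping the item after use lets a creation-time `MIN_SECONDS_BETWEEN` check apply after a successful sign-in. The `Map` table, keying on `userNameHash`, the creation-time check and all function names are assumptions.

```javascript
// Added example: only CONDITION comes from the thread; all other names are hypothetical.
const CONDITION =
  "attribute_exists(#signatureHash) AND #signatureHash = :signatureHash AND " +
  "attribute_exists(#userNameHash) AND #userNameHash = :userNameHash AND " +
  "attribute_not_exists(#uat)";
const NAMES = { "#signatureHash": "signatureHash", "#userNameHash": "userNameHash", "#uat": "uat" };

// Evaluates the clauses used above; a missing item has no attributes, so exists/equality clauses are false.
function conditionHolds(expr, item, values) {
  const attr = (ph) => (item ? item[NAMES[ph]] : undefined);
  return expr.split(" AND ").every((clause) => {
    let m;
    if ((m = clause.match(/^attribute_exists\((#\w+)\)$/))) return attr(m[1]) !== undefined;
    if ((m = clause.match(/^attribute_not_exists\((#\w+)\)$/))) return attr(m[1]) === undefined;
    if ((m = clause.match(/^(#\w+) = (:\w+)$/))) return attr(m[1]) !== undefined && attr(m[1]) === values[m[2]];
    throw new Error(`unsupported clause: ${clause}`);
  });
}

// Models the conditional update: on success it records uat and keeps the item.
function useMagicLink(table, userNameHash, signatureHash, now) {
  const item = table.get(userNameHash);
  const values = { ":signatureHash": signatureHash, ":userNameHash": userNameHash };
  if (!conditionHolds(CONDITION, item, values)) return "ConditionalCheckFailed";
  item.uat = now; // stands in for SET #uat = :uat
  return "OK";
}

// Assumed creation-time check: refuse a new link while the stored one is
// younger than minSecondsBetween. It can only fire if the item survives use.
function mayCreateLink(table, userNameHash, now, minSecondsBetween) {
  const prev = table.get(userNameHash);
  return !prev || now - prev.iat >= minSecondsBetween;
}

// Constructed sample item: issued at t=1000, expires at t=1900, not yet used.
function demo() {
  const table = new Map([["u1", { userNameHash: "u1", signatureHash: "s1", iat: 1000, exp: 1900 }]]);
  return {
    wrongSignature: useMagicLink(table, "u1", "bad", 1010),
    firstUse: useMagicLink(table, "u1", "s1", 1010),
    replay: useMagicLink(table, "u1", "s1", 1011),
    missingItem: useMagicLink(table, "u2", "s1", 1012),
    insertedMissing: table.has("u2"),
    uat: table.get("u1").uat,
    createSoonAfterUse: mayCreateLink(table, "u1", 1020, 60),
    createLater: mayCreateLink(table, "u1", 1060, 60),
  };
}
```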