Description
Right now, if an attacker compromises a crate author's GitHub account, they can use it to log into crates.io and get a session cookie. That cookie is signed by an HMAC key owned by crates.io, and contains the user ID. During authentication, crates.io verifies the HMAC on that cookie and then trusts the user ID inside. The problem is that, once the crate author regains control of their GitHub account, the attacker's session cookie is still valid, and as far as I can tell there is no way to revoke it. There are a few possible solutions:
- Instead of a signed cookie, use a
sessionstable that has unique tokens in it. This has the added advantage that the sessions table can include the IP address and User-Agent from which the session was initiated, so the user can review extant sessions and revoke them if necessary. - Expire the signed cookie after a period of time (Add expiration as part of signed data and enforce it conduit-rust/conduit-cookie#15). This is useful for defense-in-depth, but any reasonable expiration period would be too long to work for this purpose. When you want to revoke an attacker's access, you want to revoke it right away, not in a few days.
- Add a generation number in the users table, and give the user an option to "sign out all other sessions," which would increment the generation number. The generation number would also be included in the signed cookie and required to match the current values in the table.
I think (1) is the best option but also the most work.
Another, closely related issue: If a user revokes the crates.io app on their GitHub account (for instance, as part of the cleanup after a compromise), it would be nice to temporarily disable all cookie sessions and tokens on their crates.io account until they reauthorize crates.io.
(Related: #815)