rest/user/whoami requests working with expired jwt

[jsuleder]

Hi!
Is it intended that the rest/user/whoami requests are working with expired jwts? The user's information will still be extracted and returned as json if the supplied token's exp is expired instead of returning an empty object as this is done with invalid requests or unauthenticated requests.

For demo purposes I decreased the validity of the jwts from 5 hours to 10 minutes in insecurity.js line 27:

exports.authorize = (user = {}) => jwt.sign(user, privateKey, { expiresIn: 600, algorithm: 'RS256' })

Request:

GET /rest/user/whoami HTTP/1.1
Host: localhost:3000
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTAsImVtYWlsIjoiZGVtb0BkZW1vLmRlIiwicGFzc3dvcmQiOiI4MjdjY2IwZWVhOGE3MDZjNGMzNGExNjg5MWY4NGU3YiIsImNyZWF0ZWRBdCI6IjIwMTgtMDQtMTYgMTM6NTI6NDAuODQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMTgtMDQtMTYgMTM6NTI6NDAuODQyICswMDowMCJ9LCJpYXQiOjE1MjM4ODY3NzUsImV4cCI6MTUyMzg4NzM3NX0.GAH8LeNh7r8eqMI3EJWQvY3sYnKG_SQa9Usd1oqrplVI4AjnI6pJq6A--zCbV_Ut46CET4h-eD158G7CKz9CCQTzj2kr-K_frBV0VEzGKK9YKXI93wF8uc3LKXSWChnTgfIHfA96TBYnNbN4xwgbjlaeNwhJ3WQqVDGLq-zzJaE
Connection: close

The jwt's payloads are:

{
  "status": "success",
  "data": {
    "id": 10,
    "email": "[email protected]",
    "password": "827ccb0eea8a706c4c34a16891f84e7b",
    "createdAt": "2018-04-16 13:52:40.842 +00:00",
    "updatedAt": "2018-04-16 13:52:40.842 +00:00"
  },
  "iat": 1523886775,
  "exp": 1523887375
}

The exp field in readable format: Mon Apr 16 2018 14:02:55 GMT+0000

Response:

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Length: 41
ETag: W/"29-zvxu1qqLatiJBycSdFVxswV5Ba0"
Date: Mon, 16 Apr 2018 14:03:32 GMT
Connection: close

{"user":{"id":10,"email":"[email protected]"}}

Is this intended or is this a bug? I know that the information responded is reflected from the jwt's payloads but I think that information from the jwt should only be returned when the jwt is valid.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[bkimminich]

I do not verify the validity explicitly anywhere in the code... I guess that would make a nice third JWT challenge to authenticate with an expired token... 👍

[jsuleder]

Yes! But you validate the validity of the tokens every time you say that only authenticated users are allowed to get or alter a resource via api or rest requests, because the express-jwt node module implicitly validates all claims. So the use of an expired token for normal session use is not possible. Only for this single rest route the validation is not done.

[bkimminich]

Okay, that's probably because the route can be called anonymously as well... Nice accidental loophole, I guess! 😁

[jsuleder]

Exactly! I figured this out checking that the application is behaving right when the session token is expired and chose this route for my demo. I had read the code first and only started the intruder to cross check the hypothesis that using an expired token will not work.. which just broke my demo 😄 - lucky shot I think 😆.

[agrawalarpit14]

@bkimminich I tried to understand the functionality of the api rest/user/whoami. It indeed can be called anonymously, i.e, without the authorisation header, as pointed by you. Further, the response without the cookie header is

{
    "user": {}
}

But when the request contains the cookie header, i.e,

Cookie: cookieconsent_status=dismiss; continueCode=xzmvo3yQBYaPpK8M9VE5Nmv2XL0agHEhLdjqRJ6eODZ7n1xw4kzrWbgl72L1; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MiwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImppbUBqdWljZS1zaC5vcCIsInBhc3N3b3JkIjoiZTU0MWNhN2VjZjcyYjhkMTI4NjQ3NGZjNjEzZTVlNDUiLCJpc0FkbWluIjpmYWxzZSwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiZGVmYXVsdC5zdmciLCJjcmVhdGVkQXQiOiIyMDE5LTAyLTIwIDA0OjU4OjIzLjY0NyArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDE5LTAyLTIwIDA0OjU4OjIzLjY0NyArMDA6MDAifSwiaWF0IjoxNTUwNjQ0NTAyLCJleHAiOjE1NTA2NjI1MDJ9.xZoP2yfJbDTxXvU4sQno_i6TElwMGp1r5cBZfPqvMJMrue8J1Ef23NWN-ZI1CHCwaobJfQJfuELBhUNSI9d_h1gJKUmuJbBTxE4kIryrUiGGr0yfB-iqS1HDEEtivwUWGcUzNbBOgjINal6dObGrFNIjrMKb6XeM28b63p6FAHU; io=O7Za1NXSyARb1sIdAAAF

The response is:

{
    "user": {
        "id": 2,
        "email": "[email protected]",
        "lastLoginIp": "0.0.0.0"
    }
}

As suggested by the api code, i.e:

const user = insecurity.authenticatedUsers.get(req.cookies.token)
const response = { user: { id: (user && user.data ? user.data.id : undefined), email: (user && user.data ? user.data.email : undefined), lastLoginIp: (user && user.data ? user.data.lastLoginIp : undefined) } }

It performs as expected.
So, is it needed to put the restriction to be called anonymously or is there a scope of building a challenge around this?

[github-actions]

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.