Merge pull request #29 from RadiusNetworks/switch-to-in-memory-cache

Switch to in memory cache and obfuscate tokens

Author: cupakromer

.travis.yml

@@ -2,22 +2,21 @@ language: ruby
 bundler_args: --binstubs --jobs=3 --retry=3
 cache: bundler
 sudo: false
+before_install:
+  - gem update --system
+  - gem install bundler
 script: bin/rake
 rvm:
-  - 2.3.3
-  - 2.4.0
   - 2.5.0
 env:
+  - RAILS_VERSION='~> 5.2.0'
   - RAILS_VERSION='~> 5.1.0'
-  - RAILS_VERSION='~> 5.0.0'
-  - RAILS_VERSION='~> 4.2.8'
-  - RAILS_VERSION='4-2-stable'
-  - RAILS_VERSION='5-0-stable'
   - RAILS_VERSION='5-1-stable'
+  - RAILS_VERSION='5-2-stable'
 matrix:
   include:
     - rvm: 2.2.3
-      env: RAILS_VERSION="4.2.5"
-    - rvm: 2.3.3
-      env: RAILS_VERSION='4.2.7.1'
+      env: RAILS_VERSION='~> 5.1.0'
+    - rvm: 2.4.4
+      env: RAILS_VERSION='~> 4.2.10'
   fast_finish: true

lib/kracken/authenticator.rb

@@ -2,19 +2,30 @@ module Kracken
   class Authenticator
     attr_reader :auth_hash
 
+    # @private
+    def self.cache
+      @cache
+    end
+    @cache = ActiveSupport::Cache.lookup_store(
+      :memory_store,
+      size: 5.megabytes,
+      expires_in: 1.hour,
+      race_condition_ttl: 1.second,
+    )
+
     ## Factory Methods
 
     # Login the user with their credentails. Used for proxying the
     # authentication to the auth server, normally from a mobile app
     def self.user_with_credentials(email, password)
       auth = Kracken::CredentialAuthenticator.new.fetch(email, password)
-      self.new(auth.body).to_app_user
+      new(auth).to_app_user
     end
 
     # Login the user with an auth token. Used for API authentication for the
     # public APIs
     def self.user_with_token(token)
-      auth = Kracken::TokenAuthenticator.new.fetch(token)
+      auth = new(Kracken::TokenAuthenticator.new.fetch(token))
 
       # Don't want stale user models being pulled from the cache. So only
       # cache the `user_id`.
@@ -23,15 +34,30 @@ def self.user_with_token(token)
       # for the user, set it to nil, fetch from cache and only query if there
       # was a cache-hit (thus user is still nil).
       user = nil
-      user_id = Rails.cache.fetch("auth/#{token}/#{auth.etag}") {
-        user = self.new(auth.body).to_app_user
+      user_id = Authenticator.cache.fetch(auth) {
+        user = auth.to_app_user
         user.id
       }
       user ||= Kracken.config.user_class.find(user_id)
     end
 
     def initialize(response)
-      @auth_hash = create_auth_hash(response)
+      @auth_hash = create_auth_hash(response.body)
+      @etag = if response.respond_to?(:etag)
+                response.etag
+              else
+                # https://github.com/rails/rails/blob/v5.2.0/actionpack/lib/action_dispatch/http/cache.rb#L136
+                # https://github.com/rails/rails/blob/v5.2.0/activesupport/lib/active_support/digest.rb
+                # https://github.com/rails/rails/blob/v4.2.10/actionpack/lib/action_dispatch/http/cache.rb#L87
+                ::Digest::MD5.hexdigest(response.body.to_json)
+              end
+      @etag.freeze
+    end
+
+    attr_reader :etag
+
+    def cache_key
+      "#{@auth_hash.provider || :unknown}/#{@auth_hash.uid}-#{etag}"
     end
 
     # Convert this Factory to a User object per the host app.
@@ -40,7 +66,7 @@ def to_app_user
       Kracken.config.user_class.find_or_create_from_auth_hash(auth_hash)
     end
 
-    private
+  private
 
     def create_auth_hash(response_hash)
       Hashie::Mash.new({

lib/kracken/config.rb

@@ -1,8 +1,11 @@
 module Kracken
   class Config
-    attr_accessor :app_id, :app_secret, :user_class
+    attr_accessor :app_id, :app_secret
     attr_writer :provider_url
 
+    # @deprecated the associated reader returns static `::User`
+    attr_writer :user_class
+
     def initialize
       @user_class = nil
     end

lib/kracken/controllers/token_authenticatable.rb

@@ -1,6 +1,11 @@
 module Kracken
   module Controllers
     module TokenAuthenticatable
+      # @private
+      def self.cache
+        @cache
+      end
+
       def self.included(base)
         base.define_singleton_method(:realm) do |realm = nil|
           realm ||= (superclass.try(:realm) || 'Application')
@@ -31,38 +36,75 @@ def request_http_token_authentication(realm = 'Application')
 
     module_function
 
-      TOKEN_AUTH_CACHE_PREFIX = "auth/token/"
+      # @private
+      def auth_cache_key(token)
+        # This key must **ALWAYS** be generated and stored either in-memory or
+        # "securely" on the server. Treat this like the Rails / Devise secret
+        # key.
+        #
+        # If in the future we move back to an external cache (say Redis) for
+        # the cached auth token storage this must still remain **ONLY** on the
+        # server.
+        key = TokenAuthenticatable.cache.fetch("KEY", AUTH_KEY_OPTS) {
+          # Clear all existing data generated by previous key
+          clear_auth_cache
+          # HMAC-SHA256 takes a maximum key size of 64-bytes
+          # See https://crypto.stackexchange.com/questions/34864/key-size-for-hmac-sha256/34866#34866
+          SecureRandom.random_bytes(64)
+        }
+        OpenSSL::HMAC.digest("SHA256", key, token)
+      end
 
       def cache_valid_auth(token, force: false, &generate_cache)
-        cache_key = TOKEN_AUTH_CACHE_PREFIX + token
-        val = Rails.cache.read(cache_key) unless force
-        val ||= store_valid_auth(cache_key, &generate_cache)
+        cache_key = auth_cache_key(token)
+        val, nonce, hmac = TokenAuthenticatable.cache.read(cache_key) unless force
+        val = nil unless hmac == OpenSSL::HMAC.digest("SHA256", "#{nonce}#{token}", val.to_s)
+        val ||= store_valid_auth(token, cache_key, &generate_cache)
         shallow_freeze(val)
       end
 
       def clear_auth_cache
-        Rails.cache.delete_matched TOKEN_AUTH_CACHE_PREFIX + "*"
+        TokenAuthenticatable.cache.clear
       end
 
       def shallow_freeze(val)
-        # `nil` is frozen in Ruby 2.2 but not in Ruby 2.1
-        return val if val.frozen? || val.nil?
+        return val if val.frozen?
         val.each { |_k, v| v.freeze }.freeze
       end
 
-      def store_valid_auth(cache_key)
-        val = yield
-        Rails.cache.write(cache_key, val, CACHE_TTL_OPTS) if val
+      def store_valid_auth(token, cache_key = auth_cache_key(token))
+        return unless (val = yield(token))
+
+        # HMAC-SHA256 takes a maximum of 64-bytes for the key. When data is
+        # longer it is hashed, truncating to 32-bytes. We add the nonce here to
+        # force us over that 64-byte limit, thus hashing the result. This is to
+        # ensure at least 32-bytes of entropy from the token. This HMAC is
+        # mearly meant as a hash collision guard, not as added security.
+        nonce = SecureRandom.random_bytes(64)
+        hmac = OpenSSL::HMAC.digest("SHA256", "#{nonce}#{token}", val.to_s)
+        TokenAuthenticatable.cache.write cache_key,
+                                         [val, nonce, hmac].freeze,
+                                         CACHE_TTL_OPTS
         val
       end
 
     private
 
+      AUTH_KEY_OPTS = {
+        expires_in: 5.minutes, # Rotate key relatively frequently
+        race_condition_ttl: 1.second,
+      }.freeze
+
       CACHE_TTL_OPTS = {
         expires_in: ENV.fetch("KRACKEN_TOKEN_TTL", 1.minute).to_i,
         race_condition_ttl: 1.second,
       }.freeze
 
+      @cache = ActiveSupport::Cache.lookup_store(
+        :memory_store,
+        CACHE_TTL_OPTS.merge(size: 5.megabytes),
+      )
+
       # `authenticate_or_request_with_http_token` is a nice Rails helper:
       # http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token/ControllerMethods.html#method-i-authenticate_or_request_with_http_token
       def authenticate_user_with_token!

spec/kracken/controllers/token_authenticatable_spec.rb

@@ -65,14 +65,16 @@ def authenticate_or_request_with_http_token(realm = nil)
           }
         }
         let(:cached_token) { "any token" }
-        let(:cache_key) { "auth/token/any token" }
+        let(:cache_key) { "any token" }
 
         before do
           a_controller.request.env = {
             'HTTP_AUTHORIZATION' => "Token token=\"#{cached_token}\""
           }
 
-          Rails.cache.write cache_key, auth_info
+          Controllers::TokenAuthenticatable.store_valid_auth cached_token do
+            auth_info
+          end
           stub_const "Kracken::Authenticator", spy("Kracken::Authenticator")
         end
 
@@ -163,7 +165,9 @@ def authenticate_or_request_with_http_token(realm = nil)
           expect {
             a_controller.authenticate_user_with_token!
           }.not_to change {
-            Rails.cache.exist?("auth/token/#{invalid_token}")
+            Controllers::TokenAuthenticatable.cache.exist?(
+              Controllers::TokenAuthenticatable.auth_cache_key(invalid_token)
+            )
           }.from false
         end
       end
@@ -218,18 +222,28 @@ def authenticate_or_request_with_http_token(realm = nil)
           expect(a_controller.current_team_ids).to be_frozen
         end
 
-        it "sets the auth info as the cache value" do
+        it "sets the auth info, along with a nonce, and HMAC as the cache value" do
           expect {
             a_controller.authenticate_user_with_token!
-          }.to change { Rails.cache.read("auth/token/any token") }.from(nil).to(
-            id: :any_id,
-            team_ids: [:some, :team, :ids],
+          }.to change {
+            Controllers::TokenAuthenticatable.cache.read(
+              Controllers::TokenAuthenticatable.auth_cache_key("any token")
+            )
+          }.from(nil).to(
+            [
+              {
+                id: :any_id,
+                team_ids: [:some, :team, :ids],
+              },
+              be_a(String).and(satisfy { |s| s.size == 64 }),
+              be_a(String).and(satisfy { |s| s.size == 32 }),
+            ]
           )
         end
 
         it "sets the cache expiration to one minute by default" do
-          expect(Rails.cache).to receive(:write).with(
-            "auth/token/any token",
+          expect(Controllers::TokenAuthenticatable.cache).to receive(:write).with(
+            Controllers::TokenAuthenticatable.auth_cache_key("any token"),
             anything,
             include(expires_in: 1.minute),
           )
@@ -241,6 +255,51 @@ def authenticate_or_request_with_http_token(realm = nil)
           a_controller.authenticate_user_with_token!
           expect(a_controller.current_user).to be a_user
         end
+
+        it "treats an HMAC verification failure as a miss" do
+          initial_salt = "salt" * 16
+          initial_hmac = "hmac" * 8
+          cache_key = Controllers::TokenAuthenticatable.auth_cache_key(
+            "any token"
+          )
+          Controllers::TokenAuthenticatable.cache.write(
+            cache_key,
+            [
+              {
+                id: :any_id,
+                team_ids: [:some, :team, :ids],
+              },
+              initial_salt,
+              initial_hmac,
+            ],
+          )
+
+          expect {
+            a_controller.authenticate_user_with_token!
+          }.to change {
+            Controllers::TokenAuthenticatable.cache.read(cache_key)
+          }.from(
+            [
+              {
+                id: :any_id,
+                team_ids: [:some, :team, :ids],
+              },
+              initial_salt,
+              initial_hmac,
+            ],
+          ).to(
+            [
+              {
+                id: :any_id,
+                team_ids: [:some, :team, :ids],
+              },
+              be_a(String).and(satisfy { |s| s.size == 64 && s != initial_salt}),
+              be_a(String).and(satisfy { |s| s.size == 32 && s != initial_hmac}),
+            ]
+          )
+          expect(Authenticator).to have_received(:user_with_token)
+            .with(valid_token)
+        end
       end
     end
   end

spec/support/using_cache.rb

@@ -10,5 +10,7 @@
 
   before do
     Rails.cache.clear
+    Kracken::Controllers::TokenAuthenticatable.cache.clear
+    Kracken::Authenticator.cache.clear
   end
 end