feat: introduce v2 refresh token algorithm

Author: hf

internal/api/token_test.go

@@ -435,9 +435,11 @@ func (ts *TokenTestSuite) TestRefreshTokenReuseRevocation() {
 
 	// ensure that the 4 refresh tokens are setup correctly
 	for i, refreshToken := range refreshTokens {
-		_, token, _, err := models.FindUserWithRefreshToken(ts.API.db, refreshToken, false)
+		_, anyToken, _, err := models.FindUserWithRefreshToken(ts.API.db, ts.Config.Security.DBEncryption, refreshToken, false)
 		require.NoError(ts.T(), err)
 
+		token := anyToken.(*models.RefreshToken)
+
 		if i == len(refreshTokens)-1 {
 			require.False(ts.T(), token.Revoked)
 		} else {
@@ -470,9 +472,10 @@ func (ts *TokenTestSuite) TestRefreshTokenReuseRevocation() {
 
 	// ensure that the refresh tokens are marked as revoked in the database
 	for _, refreshToken := range refreshTokens {
-		_, token, _, err := models.FindUserWithRefreshToken(ts.API.db, refreshToken, false)
+		_, anyToken, _, err := models.FindUserWithRefreshToken(ts.API.db, ts.Config.Security.DBEncryption, refreshToken, false)
 		require.NoError(ts.T(), err)
 
+		token := anyToken.(*models.RefreshToken)
 		require.True(ts.T(), token.Revoked)
 	}
 

internal/conf/configuration.go

@@ -723,8 +723,10 @@ func (c *DatabaseEncryptionConfiguration) Validate() error {
 
 type SecurityConfiguration struct {
 	Captcha                               CaptchaConfiguration `json:"captcha"`
+	RefreshTokenAlgorithmVersion          int                  `json:"refresh_token_algorithm_version" split_words:"true"`
 	RefreshTokenRotationEnabled           bool                 `json:"refresh_token_rotation_enabled" split_words:"true" default:"true"`
 	RefreshTokenReuseInterval             int                  `json:"refresh_token_reuse_interval" split_words:"true"`
+	RefreshTokenAllowReuse                bool                 `json:"refresh_token_allow_reuse" split_words:"true"`
 	UpdatePasswordRequireReauthentication bool                 `json:"update_password_require_reauthentication" split_words:"true"`
 	ManualLinkingEnabled                  bool                 `json:"manual_linking_enabled" split_words:"true" default:"false"`
 

internal/crypto/crypto.go

@@ -29,6 +29,7 @@ func GenerateOtp(digits int) string {
 
 	return otp
 }
+
 func GenerateTokenHash(emailOrPhone, otp string) string {
 	return fmt.Sprintf("%x", sha256.Sum224([]byte(emailOrPhone+otp)))
 }

internal/crypto/refresh_tokens.go

@@ -0,0 +1,146 @@
+package crypto
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"math"
+
+	"github.com/gofrs/uuid"
+)
+
+func GenerateRefreshTokenHmacKey() []byte {
+	key := make([]byte, 32)
+	must(rand.Read(key))
+
+	return key
+}
+
+const refreshTokenChecksumLength = 4
+const refreshTokenSignatureLength = 16
+const minRefreshTokenLength = 1 + 16 + 1 + refreshTokenSignatureLength + refreshTokenChecksumLength
+const maxRefreshTokenLength = minRefreshTokenLength + 8
+
+// RefreshToken is an object that encodes a cryptographically authenticated
+// (signed) message containing a version, session ID and monotonically
+// increasing non-negative counter.
+//
+// The signature is a truncated (first 128 bits) of HMAC-SHA-256, which saves
+// on encoded length without sacrificing security. The checksum of 4 bytes at
+// the end is to lessen the load on the server with invalid strings (those that
+// are not likely to be a proper refresh token).
+type RefreshToken struct {
+	Raw []byte
+
+	Version   byte
+	SessionID uuid.UUID
+	Counter   int64
+	Signature []byte
+}
+
+func (RefreshToken) TableName() string {
+	panic("crypto.RefreshToken is not meant to be saved in the database")
+}
+
+func (r *RefreshToken) CheckSignature(hmacSha256Key []byte) bool {
+	bytes := r.Raw[:len(r.Raw)-refreshTokenSignatureLength-refreshTokenChecksumLength]
+
+	h := hmac.New(sha256.New, hmacSha256Key)
+	h.Write(bytes)
+	signature := h.Sum(nil)[:refreshTokenSignatureLength]
+
+	return hmac.Equal(signature, r.Signature)
+}
+
+func (r *RefreshToken) Encode(hmacSha256Key []byte) string {
+	result := make([]byte, 0, maxRefreshTokenLength)
+
+	result = append(result, 0)
+	result = append(result, r.SessionID.Bytes()...)
+	result = binary.AppendUvarint(result, uint64(r.Counter))
+
+	// Note on truncating the HMAC-SHA-256 output:
+	// This does not impact security as the brute-force space is 2^128 and
+	// the collision space is 2^64, both unattainable in practice.
+
+	h := hmac.New(sha256.New, hmacSha256Key)
+	h.Write(result)
+	signature := h.Sum(nil)[:refreshTokenSignatureLength]
+
+	result = append(result, signature...)
+
+	checksum := sha256.Sum256(result)
+	result = append(result, checksum[:refreshTokenChecksumLength]...)
+
+	r.Version = 0
+	r.Raw = result
+	r.Signature = signature
+
+	return base64.RawURLEncoding.EncodeToString(result)
+}
+
+var (
+	ErrRefreshTokenLength          = errors.New("crypto: refresh token length is not valid")
+	ErrRefreshTokenUnknownVersion  = errors.New("crypto: refresh token version is not 0")
+	ErrRefreshTokenChecksumInvalid = errors.New("crypto: refresh token checksum is not valid")
+	ErrRefreshTokenCounterInvalid  = errors.New("crypto: refresh token's counter is not valid")
+)
+
+func ParseRefreshToken(token string) (*RefreshToken, error) {
+	bytes, err := base64.RawURLEncoding.DecodeString(token)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(bytes) < minRefreshTokenLength {
+		return nil, ErrRefreshTokenLength
+	}
+
+	if bytes[0] != 0 {
+		return nil, ErrRefreshTokenUnknownVersion
+	}
+
+	parseFrom := bytes[1 : len(bytes)-refreshTokenChecksumLength]
+
+	checksum256 := sha256.Sum256(bytes[:len(bytes)-refreshTokenChecksumLength])
+	if subtle.ConstantTimeCompare(checksum256[:refreshTokenChecksumLength], bytes[len(bytes)-refreshTokenChecksumLength:]) != 1 {
+		return nil, ErrRefreshTokenChecksumInvalid
+	}
+
+	sessionID, err := uuid.FromBytes(parseFrom[0:16])
+	if err != nil {
+		return nil, err
+	}
+
+	parseFrom = parseFrom[16:]
+
+	counter, counterBytes := binary.Uvarint(parseFrom)
+	if counterBytes <= 0 {
+		return nil, ErrRefreshTokenCounterInvalid
+	}
+
+	if counter > math.MaxInt64 {
+		return nil, ErrRefreshTokenCounterInvalid
+	}
+
+	parseFrom = parseFrom[counterBytes:]
+
+	if len(parseFrom) != 16 {
+		return nil, ErrRefreshTokenLength
+	}
+
+	signature := parseFrom
+
+	return &RefreshToken{
+		Raw: bytes,
+
+		Version:   0,
+		SessionID: sessionID,
+		Counter:   int64(counter),
+		Signature: signature,
+	}, nil
+}

internal/crypto/refresh_tokens_test.go

@@ -0,0 +1,86 @@
+package crypto
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/gofrs/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRefreshTokenParse(t *testing.T) {
+	negativeExamples := []struct {
+		value []byte
+		error error
+	}{
+		{
+			value: make([]byte, minRefreshTokenLength-1),
+			error: ErrRefreshTokenLength,
+		},
+		{
+			value: make([]byte, minRefreshTokenLength),
+			error: ErrRefreshTokenChecksumInvalid,
+		},
+		{
+			value: func() []byte {
+				b := make([]byte, minRefreshTokenLength)
+				b[0] = 1
+				return b
+			}(),
+			error: ErrRefreshTokenUnknownVersion,
+		},
+		{
+			value: func() []byte {
+				b := make([]byte, minRefreshTokenLength)
+				for i := 1 + 16; i < len(b); i += 1 {
+					b[i] = 0xFF
+				}
+
+				checksum := sha256.Sum256(b[:len(b)-refreshTokenChecksumLength])
+				copy(b[len(b)-refreshTokenChecksumLength:], checksum[:refreshTokenChecksumLength])
+				return b
+			}(),
+			error: ErrRefreshTokenCounterInvalid,
+		},
+		{
+			value: func() []byte {
+				b := make([]byte, minRefreshTokenLength)
+				b[1+16] = 0xFF
+				b[1+16+1] = 0
+
+				checksum := sha256.Sum256(b[:len(b)-refreshTokenChecksumLength])
+				copy(b[len(b)-refreshTokenChecksumLength:], checksum[:refreshTokenChecksumLength])
+				return b
+			}(),
+			error: ErrRefreshTokenLength,
+		},
+	}
+
+	for i, example := range negativeExamples {
+		t.Run(fmt.Sprintf("negative example %d", i), func(t *testing.T) {
+			rt, err := ParseRefreshToken(base64.RawURLEncoding.EncodeToString(example.value))
+			require.Nil(t, rt)
+			require.Error(t, err)
+			require.Equal(t, err, example.error)
+		})
+	}
+
+	rt, err := ParseRefreshToken(strings.Repeat("!", (4*minRefreshTokenLength)/3))
+	require.Nil(t, rt)
+	require.Error(t, err)
+
+	original := &RefreshToken{
+		SessionID: uuid.Must(uuid.NewV4()),
+		Counter:   9223372036854775807,
+	}
+
+	parsed, err := ParseRefreshToken(original.Encode(make([]byte, 32)))
+	require.Nil(t, err)
+	require.Equal(t, original.SessionID.String(), parsed.SessionID.String())
+	require.Equal(t, original.Counter, parsed.Counter)
+	require.Equal(t, original.Raw, parsed.Raw)
+	require.Equal(t, original.Signature, parsed.Signature)
+}

internal/models/refresh_token.go

@@ -2,6 +2,7 @@ package models
 
 import (
 	"database/sql"
+	"encoding/base64"
 	"net/http"
 	"time"
 
@@ -118,6 +119,50 @@ func FindTokenBySessionID(tx *storage.Connection, sessionId *uuid.UUID) (*Refres
 	return refreshToken, nil
 }
 
+func (s *Session) ApplyGrantParams(params *GrantParams) {
+	s.FactorID = params.FactorID
+
+	if params.SessionNotAfter != nil {
+		s.NotAfter = params.SessionNotAfter
+	}
+
+	if params.UserAgent != "" {
+		s.UserAgent = &params.UserAgent
+	}
+
+	if params.IP != "" {
+		s.IP = &params.IP
+	}
+
+	if params.SessionTag != nil && *params.SessionTag != "" {
+		s.Tag = params.SessionTag
+	}
+
+	if params.OAuthClientID != nil && *params.OAuthClientID != uuid.Nil {
+		s.OAuthClientID = params.OAuthClientID
+	}
+}
+
+func (s *Session) SetupRefreshTokenData(dbEncryption conf.DatabaseEncryptionConfiguration) error {
+	hmacKey := base64.RawURLEncoding.EncodeToString(crypto.GenerateRefreshTokenHmacKey())
+
+	if dbEncryption.Encrypt {
+		es, err := crypto.NewEncryptedString(s.ID.String(), []byte(hmacKey), dbEncryption.EncryptionKeyID, dbEncryption.EncryptionKey)
+		if err != nil {
+			return err
+		}
+
+		hmacKey = es.String()
+	}
+
+	counter := int64(0)
+
+	s.RefreshTokenHmacKey = &hmacKey
+	s.RefreshTokenCounter = &counter
+
+	return nil
+}
+
 func createRefreshToken(tx *storage.Connection, user *User, oldToken *RefreshToken, params *GrantParams) (*RefreshToken, error) {
 	token := &RefreshToken{
 		UserID: user.ID,
@@ -135,25 +180,7 @@ func createRefreshToken(tx *storage.Connection, user *User, oldToken *RefreshTok
 			return nil, errors.Wrap(err, "error instantiating new session object")
 		}
 
-		if params.SessionNotAfter != nil {
-			session.NotAfter = params.SessionNotAfter
-		}
-
-		if params.UserAgent != "" {
-			session.UserAgent = &params.UserAgent
-		}
-
-		if params.IP != "" {
-			session.IP = &params.IP
-		}
-
-		if params.SessionTag != nil && *params.SessionTag != "" {
-			session.Tag = params.SessionTag
-		}
-
-		if params.OAuthClientID != nil && *params.OAuthClientID != uuid.Nil {
-			session.OAuthClientID = params.OAuthClientID
-		}
+		session.ApplyGrantParams(params)
 
 		if err := tx.Create(session); err != nil {
 			return nil, errors.Wrap(err, "error creating new session")

internal/models/refresh_token_test.go

@@ -54,9 +54,11 @@ func (ts *RefreshTokenTestSuite) TestGrantRefreshTokenSwap() {
 	s, err := GrantRefreshTokenSwap(ts.config.AuditLog, &http.Request{}, ts.db, u, r)
 	require.NoError(ts.T(), err)
 
-	_, nr, _, err := FindUserWithRefreshToken(ts.db, r.Token, false)
+	_, anyNR, _, err := FindUserWithRefreshToken(ts.db, ts.config.Security.DBEncryption, r.Token, false)
 	require.NoError(ts.T(), err)
 
+	nr := anyNR.(*RefreshToken)
+
 	require.Equal(ts.T(), r.ID, nr.ID)
 	require.True(ts.T(), nr.Revoked, "expected old token to be revoked")
 
@@ -69,9 +71,11 @@ func (ts *RefreshTokenTestSuite) TestLogout() {
 	r, err := GrantAuthenticatedUser(ts.db, u, GrantParams{})
 	require.NoError(ts.T(), err)
 
+	var anyR any
+
 	require.NoError(ts.T(), Logout(ts.db, u.ID))
-	u, r, _, err = FindUserWithRefreshToken(ts.db, r.Token, false)
-	require.Errorf(ts.T(), err, "expected error when there are no refresh tokens to authenticate. user: %v token: %v", u, r)
+	u, anyR, _, err = FindUserWithRefreshToken(ts.db, ts.config.Security.DBEncryption, r.Token, false)
+	require.Errorf(ts.T(), err, "expected error when there are no refresh tokens to authenticate. user: %v token: %v", u, anyR)
 
 	require.True(ts.T(), IsNotFoundError(err), "expected NotFoundError")
 }