Auth Posture Snapshot (Current Code)

Status: Informational snapshot of current auth behavior and gaps for ASVS L3+ review.

Scope separation

  • Web app auth uses cookie sessions stored in auth_sessions.
    • Cookie name: __Host-evalium_session.
    • Authorization headers are rejected on web UI routes.
  • Login uses magic-link tokens (token delivered via URL, SHA-256 hash stored).
  • Assignment delivery uses invite JWTs (HS256) with hashed token storage; redeem returns a JWT for delivery flows.

What is strong today

  • Server-side sessions with idle + absolute expiry, rotation with overlap, revocation, and cleanup worker.
  • CSRF protections for unsafe methods:
    • Origin/Referer validation.
    • Fetch Metadata checks.
    • Content-Type allowlist.
    • Synchronizer token (X-CSRF-Token) validated server-side.
  • Cookie attributes: HttpOnly, Secure, SameSite=Lax, Path=/, __Host- prefix.
  • Role changes and user deletion revoke sessions.

Gaps / risks (ordered)

  1. No signing key rotation (high)

    • Single SESSION_SECRET (fallback JWT_SECRET), no key ring or kid.
    • Rotating secrets invalidates all sessions and invites immediately.
  2. Magic links and invites use plain SHA-256 hashing (high)

    • Not HMAC/peppered, unlike session tokens.
    • Without HMAC/pepper, DB hash leaks allow offline correlation if raw tokens are also leaked (e.g., logs or email compromise).
  3. No cleanup worker for magic links or invites (medium)

    • Consumed/expired rows persist indefinitely.
  4. TTLs are hard-coded (medium)

    • Magic link TTL: 30m.
    • Invite TTL default: 15m.
    • Session TTLs: 15m idle / 12h absolute.
  5. Assignment redeem returns a JWT (medium)

    • JWT is not revocable per-token without rotating JWT_SECRET.
    • Web API middleware ignores Authorization headers, so this token is only for delivery flows.
    • Confirm TTL and audience/scope claims so it cannot be used as a general web auth token.
  6. Certificate verification tokens are stored in plaintext (medium)

    • UUID token stored in DB; if leaked, usable until expiry.
    • Add dedicated rate limiting and consider hashing for defense-in-depth.
  7. Origin/Host trust depends on proxy headers (low)

    • CSRF origin validation derives origin from Host and X-Forwarded-Proto.
    • Requires correct proxy/header normalization in production.
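Item 7 above notes that CSRF origin validation derives the expected origin from Host and X-Forwarded-Proto, which only holds if the proxy layer is trusted and normalises those headers. The following is an added example, not code from the Evalium code base, showing one way to make that dependency explicit: X-Forwarded-Proto is honoured only when the TCP peer is a configured proxy, otherwise the scheme seen on the socket is used. TRUSTED_PROXY_IPS, the header dictionary shape and the sample values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed: addresses of the reverse proxies that are allowed to set
# X-Forwarded-Proto. In production this would come from config, not a literal.
TRUSTED_PROXY_IPS = {"10.0.0.5"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def expected_origin(headers, peer_ip, socket_scheme="http"):
    """Derive the origin the app believes it is served from.

    headers: dict with lower-case header names (constructed shape).
    peer_ip: address of the TCP peer that delivered the request.
    socket_scheme: scheme of the listening socket ("http" behind a TLS-terminating
                   proxy, "https" when the app terminates TLS itself).

    X-Forwarded-Proto is only used when the peer is a trusted proxy; a client
    talking to the app directly could otherwise supply it and move the
    expected scheme to match a forged Origin.
    """
    host = headers.get("host", "")
    if not host or any(c in host for c in " /\\@"):
        return None  # missing or malformed Host: refuse rather than guess
    scheme = socket_scheme
    if peer_ip in TRUSTED_PROXY_IPS:
        # Proxies may append to an existing header; only the first value is the edge proto.
        fwd = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if fwd in ("http", "https"):
            scheme = fwd
    return f"{scheme}://{host.lower()}"


def request_origin(headers):
    """Origin asserted by the browser: Origin header, else the Referer's origin."""
    origin = headers.get("origin")
    if origin:
        return None if origin == "null" else origin.lower()
    ref = headers.get("referer")
    if ref:
        parts = urlsplit(ref)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_origin_ok(method, headers, peer_ip, socket_scheme="http"):
    """True when an unsafe request's asserted origin matches the derived origin.

    Safe methods pass; unsafe methods with no Origin/Referer are rejected, as are
    requests whose origin cannot be derived (bad Host).
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    expected = expected_origin(headers, peer_ip, socket_scheme)
    asserted = request_origin(headers)
    return expected is not None and asserted is not None and expected == asserted
```

The second assertion in the usage below is the production caveat from item 7: the same request that passes behind the trusted proxy fails when it reaches the app from an untrusted peer, because X-Forwarded-Proto is then ignored and the derived scheme becomes http. Port normalisation (for example Host "app.example:443" versus Origin "https://app.example") is deliberately not handled here; a deployment that exposes non-default ports needs to canonicalise both sides before comparing.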

Recommended changes

  • HMAC hash for magic-link and invite tokens (match session token hashing).
  • Cleanup worker for magic links and invites with retention window.
  • Key ring support for session and invite signing secrets (kid, active + previous).
  • Log "magic link issued" events (do not log the token).
  • Move TTLs to config/env to support per-env tuning and incident response without rebuild.
  • Add rate limit or hashed lookup for certificate verification tokens.
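Gaps 2 and 3 and the first two recommended changes describe the same two mechanisms: a keyed (peppered) hash for magic-link and invite tokens instead of plain SHA-256, and a cleanup worker with a retention window. The block below is an added example, not Evalium's own code, that shows both side by side. TOKEN_PEPPER, MagicLinkStore, the in-memory row layout and the 24h retention default are constructed for the example; the 30m TTL is the value the snapshot reports.

```python
import hashlib
import hmac
import secrets
import time

# Constructed: in production the pepper comes from app config (or the key ring),
# never from the database, so a DB-only leak does not include it.
TOKEN_PEPPER = secrets.token_bytes(32)


def issue_token() -> str:
    """Raw token that goes into the magic-link URL; never stored or logged as-is."""
    return secrets.token_urlsafe(32)


def plain_sha256(token: str) -> str:
    """What the snapshot says magic links/invites do today."""
    return hashlib.sha256(token.encode()).hexdigest()


def peppered_hash(token: str, pepper: bytes = TOKEN_PEPPER) -> str:
    """Recommended: HMAC-SHA256 keyed with a pepper held outside the DB."""
    return hmac.new(pepper, token.encode(), hashlib.sha256).hexdigest()


def attacker_can_correlate(leaked_db_hash: str, leaked_raw_token: str) -> bool:
    """Offline correlation with only the DB column and a raw token from a log or
    mailbox (the risk in gap 2). Works against plain SHA-256, fails against the
    peppered hash because the pepper is not in the leaked data."""
    return hmac.compare_digest(plain_sha256(leaked_raw_token), leaked_db_hash)


class MagicLinkStore:
    """Minimal in-memory stand-in for the magic-link table (constructed)."""

    def __init__(self, ttl_s=30 * 60, hasher=peppered_hash):
        self.rows = {}  # token_hash -> {"email", "expires_at", "consumed_at"}
        self.ttl_s = ttl_s
        self.hasher = hasher

    def issue(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = issue_token()
        self.rows[self.hasher(token)] = {
            "email": email, "expires_at": now + self.ttl_s, "consumed_at": None,
        }
        return token

    def redeem(self, token: str, now=None):
        """Single-use redemption: lookup by hash, reject consumed or expired rows."""
        now = time.time() if now is None else now
        row = self.rows.get(self.hasher(token))
        if row is None or row["consumed_at"] is not None or now > row["expires_at"]:
            return None
        row["consumed_at"] = now
        return row["email"]

    def purge(self, retention_s=24 * 3600, now=None) -> int:
        """Cleanup worker body (gap 3): delete rows that have been consumed or
        expired for longer than the retention window. Returns rows removed."""
        now = time.time() if now is None else now
        stale = [
            h for h, r in self.rows.items()
            if (r["consumed_at"] is not None and now > r["consumed_at"] + retention_s)
            or now > r["expires_at"] + retention_s
        ]
        for h in stale:
            del self.rows[h]
        return len(stale)
```

Lookups by hashed token behave exactly as with plain SHA-256, so the change is confined to the hashing function and a one-off re-issue of outstanding links (existing plain hashes cannot be converted in place). Keeping consumed rows for the retention window rather than deleting them on redemption preserves the audit trail that the "magic link issued" logging recommendation relies on.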
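Gap 1 and the key-ring recommendation call for a kid-addressed key ring in which the active key signs and the previous key remains valid for verification, so a secret rotation no longer invalidates every session and invite at once. The block below is an added example, not Evalium's own code, of that scheme over a minimal HS256 JWT implemented with the standard library (no PyJWT); it also enforces the audience and expiry claims that gap 5 asks to confirm on the assignment-redeem JWT. KeyRing, the kid naming, the one-previous-key retirement policy and the "delivery" audience value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Active key signs; active + one previous key verify (constructed).

    Keys are looked up by kid, so tokens name the key that signed them and
    verification never has to try every key."""

    def __init__(self, active_kid: str, active_key: bytes):
        self.active_kid = active_kid
        self.keys = {active_kid: active_key}
        self.previous_kid = None  # verify-only until the next rotation retires it

    def rotate(self, new_kid: str, new_key: bytes) -> None:
        """Promote new_key. The old active key stays verify-only so tokens issued
        before rotation survive until they expire; the key before that is retired."""
        if self.previous_kid is not None:
            del self.keys[self.previous_kid]
        self.previous_kid = self.active_kid
        self.active_kid = new_kid
        self.keys[new_kid] = new_key

    def verifying_key(self, kid):
        return self.keys.get(kid)


def sign_jwt(ring: KeyRing, claims: dict, ttl_s: int, now=None) -> str:
    """HS256 JWT carrying the active kid in its header."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.active_kid}
    payload = {**claims, "iat": now, "exp": now + ttl_s}
    compact = lambda obj: _b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(ring.keys[ring.active_kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)


def verify_jwt(ring: KeyRing, token: str, expected_aud: str, now=None):
    """Return the payload if signature, kid, audience and expiry all check out, else None.

    alg is required to equal HS256 exactly; the header's kid must still be on the ring."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64u_decode(h_b64))
        payload = json.loads(_b64u_decode(p_b64))
        sig = _b64u_decode(s_b64)
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None
    if header.get("alg") != "HS256":
        return None
    key = ring.verifying_key(header.get("kid"))
    if key is None:
        return None  # unknown or retired kid
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if payload.get("aud") != expected_aud or now >= payload.get("exp", 0):
        return None
    return payload
```

With this shape, an incident-response rotation is `ring.rotate(...)` twice: the first call starts issuing under the new key while old tokens keep verifying, the second retires the compromised key outright. The same ring can hand its active key to the token-hashing pepper, which keeps one rotation procedure for sessions, invites and magic links.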