
[Checkout UI] Cannot prevent replay attacks with cached session tokens #1801

Open
masonmcelvain opened this issue Mar 4, 2024 · 2 comments
masonmcelvain commented Mar 4, 2024

Please list the package(s) involved in the issue, and include the version you are using

@shopify/[email protected]

Describe the bug

useSessionToken produces a SessionToken. SessionToken.get() is annotated with the following note:

```ts
export interface SessionToken {
  /**
   * Requests a session token that hasn't expired. You should call this method every
   * time you need to make a request to your backend in order to get a valid token.
   * This method will return cached tokens when possible, so you don’t need to worry
   * about storing these tokens yourself.
   */
  get(): Promise<string>;
}
```

Also, SessionToken.jti is described as "A unique identifier (a nonce) to prevent replay attacks".

In order to effectively use SessionToken.jti to prevent replay attacks, my backend server should reject requests that include session tokens that have already been sent. This requires my checkout extension frontend to send a new session token for each request to my backend server.

However, I cannot generate a new session token for each request because SessionToken.get() returns cached tokens. Therefore my backend server thinks that subsequent requests from the frontend are replay attacks, and rejects the requests.

Steps to reproduce the behavior:

  1. Generate a session token with SessionToken.get().
  2. Send the token to your backend server in the Authorization header.
  3. Try to generate a new session token with SessionToken.get(). You should end up with the same session token as before.
  4. Sending the token to your backend server will be rejected as a replay attack.

Expected behavior

SessionToken.get() should not cache tokens. Instead, each call to SessionToken.get() should return a new token.

@masonmcelvain masonmcelvain added the bug Something isn't working label Mar 4, 2024
@sjanczy2 sjanczy2 added enhancement New feature or request and removed bug Something isn't working labels Apr 1, 2024

jarthorn commented Sep 3, 2024

This is an enhancement request rather than a bug, since the system is working as documented. Removing from product support board.

masonmcelvain (Author) commented

Reposted in the Shopify community forum as requested in #2521

https://community.shopify.dev/t/cannot-prevent-replay-attacks-with-cached-session-tokens/4347
