
[BUG] - Passport 0.4.1 Regenerates Session instead of closing it on logout leading to risk to discord / steam logins in shared environments.

Open DrKittens opened this issue 2 years ago • 0 comments

Describe the bug

This project's package.json looks for passport compatible with 0.4.1. This is a hard dependency, as passport versions > 0.6.0 cause auth failure during the discord oauth handover to steam oauth, preventing login.

This is problematic because there is a session regeneration fault present in passport 0.4.1, meaning that if a user were to use a shared computer, such as an internet cafe PC, to authenticate with the website, log out of the site AND close the tab, then as long as the browser in its entirety was not closed (cookies / session tokens cleared), an attacker would still be able to visit the hosted dashboard, click login and connect as their discord account and steam account without providing credentials or going through 2FA, even though the previous user "logged out".

ref: https://www.npmjs.com/advisories/1081673
ref: https://github.com/advisories/GHSA-v923-w3x8-wh69

This fault is fixed in passport 0.6.0+ which does not function with the current dashboard implementation.

To Reproduce

Steps to reproduce the behavior:

  1. Navigate to the dashboard website
  2. Authenticate with discord and steam providing MFA when prompted
  3. Log out of the dashboard application
  4. Close the browser tab
  5. Navigate back to the dashboard application
  6. Click login
  7. Click continue and successfully authenticate without 2FA.

Expected behavior

Logging out to actually log out the session and not allow it to be regenerated.


Server (please complete the following information):

  • OS: RHEL
  • Version: 9
  • NodeJS version: v18.12.1
  • NPM version: v8.19.2

Additional context

Logging for posterity as more of a "wishlist" to fix so npm/yarn audit stops nagging about it.

Not the most critical problem as complex remote attacks require MiTM / malice from the hosting provider or the user to share a computer user profile and not logout when finished with their session.

DrKittens, Jan 12 '23 04:01