Enhancement: HMAC Verification doesn't utilise timestamp to prevent spoofing #5479
Labels
need-discussion
These issues don't have a clear direction, and it requires deeper discussion to finalize
product
Issues related to the product
Is your enhancement request related to a problem? Please describe.
Presently the verification token is generated using an HMAC of the user's identifier and the User Identity Validation key. The problem with this is it's the same every time, meaning it can be copied and used to "spoof" the user elsewhere, and can end up making it easier to calculate what the validation key is.
Describe the solution you'd like
Ideally the verification token would be time limited, and hashed differently every time to prevent this occurring. The easiest way to achieve this is for the website to include the timestamp in the parameters, along with hashing the timestamp in the HMAC (id + validation key + timestamp)
The server can then verify the timestamp is a valid time range, and can also validate the token sent through (by including the timestamp in the HMAC to compare).
Describe alternatives you've considered
Using a NONCE retrieved from the server is an alternative, but cumbersome compared to the timestamp approach.
Additional context
Identity validation in Chatwoot
AWS approach to HMAC utilising timestamps to salt and verify the HMAC
The text was updated successfully, but these errors were encountered: