Updating a _users doc with same password does not invalidate sessions for that user

[gr2m]

I'm actually not sure if this is an express-pouchdb or a CouchDB bug, I'll file a bug with CouchDB, too.

To reproduce

1. Create a users doc
2. In a different browser, sign in with the new account
3. Update the users doc with "password": "<current password here>"
4. Reload the other browser, the user is still signed in in PouchDB server, but signed out when tested in CouchDB

[rnewson]

The salt value is included in the session cookie (and verified when querying), so that's by design. We want session cookies derived from the old password to be invalidated

[gr2m]

@rnewson thanks a lot Robert! Could you point us to where it's implemented in CouchDB?

I think we need the same implementation here: https://github.com/pouchdb/express-pouchdb/blob/master/lib/routes/session.js#L18-L37

I don't know where the validation of the AuthSession cookie is currently happening in express-pouchdb. I guess we would need to adjust the implementation there as well. Can you point us to the right place for that @marten-de-vries

[marten-de-vries]

It's happening here: https://github.com/pouchdb/express-pouchdb/blob/master/lib/routes/authentication.js#L91

Other relevant code is in https://github.com/pouchdb/pouchdb-auth/blob/master/index.js ; The good news is that the test suite for that module has been completely ported, making the chance of breaking something incidentally quite a bit smaller.

[nolanlawson]

Just talked with @gr2m; seems the best fix for this would be to remove the session database entirely and move to a model more like CouchDB's; where the cookie hash is determined by a combination of the password hash and salt, and the salt changes every time you update the user document's password, which automatically invalidates the cookie, so there's no need for a separate session database.

[gr2m]

@rnewson could you point us to where CouchDB is implementing the calculation of AuthSession?

[gr2m]

Is it this one here: https://github.com/apache/couchdb-couch/blob/master/src/couch_httpd_auth.erl#L266-L271

[marten-de-vries]

Sorry, only now catching up with this. It took me some reading through the CouchDB code to actually grasp what's going on, but I think their approach should be fine for pouchdb-auth too. It would require some small API changes (so be version 2.0), mostly in that the API will provide the initial session id ('cookie'), not the consumer. I'm planning to try to make a proof of concept tomorrow.

[gr2m]

maybe this will help: https://github.com/hoodiehq/couchdb-calculate-session-id

[marten-de-vries]

Thanks @gr2m, that certainly helped. Would you accept a PR that uses a bit more lightweight crypto implementation than browserify-crypto in the browser?

I have a first version of the 'new' pouchdb-auth that again passes most of the old test suite. It needs more testing first, but I hope to open a PR sometime soon.

[gr2m]

nice!

Note that we landed a fix in https://github.com/hoodiehq/couchdb-calculate-session-id yesterday:
hoodiehq/couchdb-calculate-session-id#7

PR away!

I’d also like to change order of arguments, which would be a breaking change: hoodiehq/couchdb-calculate-session-id#6 – any thoughts on this?

[marten-de-vries]

Ok, so a first version is online. See #272 for the PR, and pouchdb/pouchdb-auth#4 for the real implementation changes. If anyone wants to look it over, I'd love the feedback. Even if it's just checking if pouchdb-auth's new API makes sense before releasing 2.0 (README.md has been updated). No hurry though, I want to sleep a bit on this myself before pushing. Also, performance still needs to be checked. It might have degraded significantly and that's bad as it's part of PouchDB's test suite.

[nolanlawson]

fixed by ef495aa, thanks @marten-de-vries !