Merge pull request from GHSA-v2wf-c3j6-wpvw

Renew plug session when pow session is rolled
pow-auth · Jan 8, 2020 · 578ffd3 · 578ffd3
2 parents 90d674a + e26ce6a
commit 578ffd3
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,13 +2,16 @@
 
 ## v1.0.16 (TBA)
 
+**Note:** This release contains an important security fix.
+
 ### Enhancements
 
 * [`PowPersistentSession.Plug.Cookie`] Now supports `:persistent_session_cookie_opts` to customize any options that will be passed on to `Plug.Conn.put_resp_cookie/4`
 * [`PowResetPassword.Phoenix.ResetPasswordController`] Now uses `PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1` with a generic response that tells the user the email has been sent only if an account was found
 * [`PowResetPassword.Phoenix.ResetPasswordController`] When a user doesn't exist will now return success message if `PowEmailConfirmation` extension is enabled
 * [`PowResetPassword.Phoenix.Messages`] Added `PowResetPassword.Phoenix.Messages.maybe_email_has_been_sent/1` and let `PowResetPassword.Phoenix.Messages.email_has_been_sent/1` fall back to it
 * [`PowEmailConfirmation.Phoenix.ControllerCallbacks`] When a user tries to sign up and the email has already been taken the default e-mail confirmation required message will be shown
+* [`Pow.Plug.Session`] Now renews the Plug session each time the Pow session is created or rolled
 
 ### Bug fixes
 

diff --git a/lib/pow/plug/session.ex b/lib/pow/plug/session.ex
@@ -173,6 +173,7 @@ defmodule Pow.Plug.Session do
       |> delete(config)
       |> Conn.put_private(:pow_session_metadata, metadata)
       |> Conn.put_session(session_key, key)
+      |> Conn.configure_session(renew: true)
 
     {conn, user}
   end

diff --git a/test/pow/plug/session_test.exs b/test/pow/plug/session_test.exs
@@ -2,7 +2,7 @@ defmodule Pow.Plug.SessionTest do
   use ExUnit.Case
   doctest Pow.Plug.Session
 
-  alias Plug.Conn
+  alias Plug.{Conn, Test}
   alias Pow.{Plug, Plug.Session, Store.Backend.EtsCache, Store.CredentialsCache}
   alias Pow.Test.{ConnHelpers, Ecto.Users.User, EtsCacheMock}
 
@@ -187,6 +187,28 @@ defmodule Pow.Plug.SessionTest do
       assert metadata[:fingerprint] == new_metadata[:fingerprint]
     end
 
+    test "renews plug session", %{conn: new_conn} do
+      opts = Session.init(@default_opts)
+      conn =
+        new_conn
+        |> Session.call(opts)
+        |> Session.do_create(@user, opts)
+        |> Conn.send_resp(200, "")
+
+      assert %{"foobar" => %{value: plug_session_id}} = conn.resp_cookies
+
+      conn =
+        new_conn
+        |> Test.recycle_cookies(conn)
+        |> Session.call(opts)
+        |> Session.do_create(@user, opts)
+        |> Conn.send_resp(200, "")
+
+      assert %{"foobar" => %{value: new_plug_session_id}} = conn.resp_cookies
+
+      refute plug_session_id == new_plug_session_id
+    end
+
     test "creates with custom metadata", %{conn: conn} do
       inserted_at = :os.system_time(:millisecond) - 10
       opts = Session.init(@default_opts)