Ash Authentication Token Revocation Vulnerability in Elixir Applications
Vulnerability
A vulnerability exists in the Ash Authentication framework for Elixir applications in versions 4.1.0 through 4.4.8 (fixed in 4.4.9). It affects applications that were set up with the igniter installer and use the magic link strategy, password resets, or the confirmation add-on. The token resource generated by that installer ships a `revoked?` action that does not correctly detect revoked tokens, so tokens that have been revoked still verify as valid. By default, magic link tokens are valid for 10 minutes, while password reset and confirmation tokens are valid for 3 days. Applications that did not use the new installer, or that implement their own token revocation check, are not affected.
Impact
Revoked tokens remain usable until their expiry instead of being rejected immediately after revocation. In practice, a magic link token can be replayed for up to 10 minutes after its first use, and a password reset or confirmation token can be replayed for up to 3 days, rather than each being single-use. Anyone who obtains such a token (for example from a shared mailbox, browser history, or a logged URL) can reuse it within that window.
Reproduction
To reproduce the issue, create an Elixir application with Ash Authentication 4.1.0 through 4.4.8, set it up with the igniter installer, and enable the magic link strategy, password resets, or the confirmation add-on. Request a token through one of these strategies (for example, request a magic link), use it once so that the framework revokes it, then present the same token again before it expires. In an affected application the second use is accepted; in a correctly configured one it is rejected as revoked.
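The following ExUnit test is an added regression check for the behaviour described above; it is not code from the Ash Authentication project or from the advisory. It mints a token for a user, revokes it, and asserts that the token resource now reports it as revoked. The module names `MyApp.Accounts.Token`, `MyApp.DataCase` and `MyApp.AccountsFixtures.user_fixture/0` are hypothetical placeholders for your own application; `AshAuthentication.Jwt.token_for_user/1`, `AshAuthentication.TokenResource.revoke/2` and `AshAuthentication.TokenResource.token_revoked?/2` are assumed to be the public library calls for minting, revoking and checking tokens, so confirm them against the version you run.

```elixir
# Added regression test for the revoked-token bug (not project code).
#
# Assumptions (adjust to your application):
#   - MyApp.Accounts.Token is the token resource generated by the igniter
#     installer (hypothetical module name).
#   - MyApp.DataCase and MyApp.AccountsFixtures.user_fixture/0 exist
#     (hypothetical test helpers).
#   - AshAuthentication.Jwt.token_for_user/1,
#     AshAuthentication.TokenResource.revoke/2 and
#     AshAuthentication.TokenResource.token_revoked?/2 are the library
#     calls used to mint, revoke and check a token (assumed public API).
defmodule MyApp.Accounts.TokenRevocationTest do
  use MyApp.DataCase, async: false

  alias AshAuthentication.{Jwt, TokenResource}

  @token_resource MyApp.Accounts.Token

  test "a revoked token is reported as revoked, not merely as unexpired" do
    user = MyApp.AccountsFixtures.user_fixture()

    # Mint a token for the user. Strategies such as magic link do the same
    # internally; the token is still inside its validity window here.
    {:ok, token, _claims} = Jwt.token_for_user(user)

    # A freshly minted token must not be reported as revoked.
    refute TokenResource.token_revoked?(@token_resource, token)

    # Revoke it, which is what single-use strategies do after first use.
    :ok = TokenResource.revoke(@token_resource, token)

    # Affected versions return false here until the token expires, because
    # the generated :revoked? action does not find the revocation record.
    assert TokenResource.token_revoked?(@token_resource, token),
           "revoked token still verifies; inspect the :revoked? action on " <>
             inspect(@token_resource)
  end
end
```

Run it before and after upgrading: it fails on an affected installation and passes once the `revoked?` action on the token resource is corrected. Because it exercises the application's own token resource rather than the library internals, it also catches a hand-edited `revoked?` action that regresses later.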
Remediation
Upgrade to Ash Authentication 4.4.9 or later, which includes the patch. After upgrading, run 'mix ash_authentication.upgrade' to apply the fix to the generated token resource. Alternatively, manually change the 'revoked?' action in your token resource so that it delegates to the library's internal implementation, which has always behaved correctly. In either case, confirm afterwards that a revoked token is actually rejected, since a token resource that was customised after installation may not be patched automatically.
