Goals of our design
1) Once a user signs in using a credential, we want them to be able to stay signed in indefinitely. This holds true even if the client returns outside of any time window we might anticipate. To reauthenticate, we've been issuing a token for the purpose of re-acquiring a session when the user loses it.
2) We don't want the reauthentication token stored in plaintext on the server, since it is effectively a password.
3) The reauthentication token can be lost in transit back to the client, along with the session being returned. When this happens the client is in a "failed reauthentication" state and these improvements are primarily designed to ensure the client can recover from this state.
When a reauthentication request succeeds, but the client fails to get back the session, we create a new reauth token and store the old token in Redis. While the client can recover by resending the old reauth token, and they will get the session, the session we send back does not include the new reauth token (we don't have it due to #2 above). We just return the old token in the session. As a result, at some point, that user will still have to authenticate when the cached reauthentication token expires from cache.
The proposed design would fix this.
Signing in
When an user signs in and receives a session, we create and persist a new session token/reauth token pair in the AccountSecret table. (The reauth token is hashed in the table.) We do not remove older session token/reauth token records from the table.
Reauthentication
When the session token is expired, the client can send a reauth token via the reauth API. We retrieve the N most recent records for that user by their creation date (probably N=2 but could be N=3 if this is more robust), hash the token by the algorithm in each record, and compare to the hashed records looking for a match. (Do this intelligently: cache the hash by algorithm and reuse it since the algorithm is unlikely to change between reauthentications.) If there's a match, we treat this like a sign in: we generate and persist a new session token/reauth token pair, and return a new session with these new tokens. We should invalidate existing session tokens, if any (the client in theory doesn't reauthenticate when they have a valid session token but even if they do, we should cover this case). If the reauthentication fails, even on return, the previous token continues to work, because we're comparing against older records as well.
Thus, the tokens are rotated by successful reauthentication attempts, not by an expiration time.
Successful reauthentication
- the user signs in, we create a session token and reauth token, create a new record in the secrets table that includes the reauth token hashed, and we return the session token and reauth token as part of the new session.
- Redis expires the session after 12 hours, which renders the session token unusable. The client, on getting a 401, makes a request to the reauthentication API with the reauth token;
- we load the most recent N records from the secrets table. Proceeding through each record:
- we hash the reauth token according to the algorithm in the record, OR reuse a cached version of the hash;
- if the hash does not match, proceed to the next recorrd
- if no records match, return a 401
- if the record matches, we remove the current session if it's there, then we create a new session token and reauth token, create a new record in the secrets table that includes the reauth token hashed, and we return the session token and reauth token as part of the new session. This means the oldest record in the secrets table will "drop off" on future queries to load the most recent N records from the secrets table
User reauths, fails to receive the session, and reauths again with the same token
Let's assume in the worst case that the client does not get the session back from the reauthentication call.
- the client makes the same request with the (now old) reauth token;
- we load the most recent N records from the secrets table. It includes the old token, now the second oldest record in the system, and so reauthentication succeeds, as above.
- again a new session is created, a new table record is created, and a session is returned to the user. We can recover from this failure as many times as we want to configure, so if N=3, we can fail 2 times and recover the third time. If that's not robust enough, we can switch to N=4 or higher.
Sign out
In addition to deleting the session and session token, we can delete all AccountSecret records for this user.
Persistence
I would add this table, along with a DAO to manage writes to it. Possible names: AccountCredential, AccountSecret, AccountToken, Account(Secret)Key... this table could eventually hold other credentials, like passwords or API keys, so I would keep the nomenclature more general.
CREATE TABLE `AccountSecret` (
`userId` VARCHAR(255) NOT NULL,
`algorithm` ENUM('STORMPATH_HMAC_SHA_256', 'BCRYPT', 'PBKDF2_HMAC_SHA_256') NOT NULL,
`hash` VARCHAR(255) NOT NULL,
`createdOn` BIGINT NOT NULL,
`sessionToken` VARCHAR(255) NOT NULL, # maybe... not sure we'll ever need to know the pairing
`type` ENUM('REAUTH_TOKEN') DEFAULT 'REAUTH_TOKEN'
);
Migration
For some amount of time we'll need to read and incorporate the existing reauth token in the Accounts table into the records we load from this new table, and persist back to this new table. Once this is deployed, we can migrate the tokens out of the Accounts table, then remove the 3 columns from Accounts.
We could eventually migrate passwords out this way as well, if it's ever useful.