auth_key is not guaranteed to be unique
zmoddynamics opened this issue · comments
Hello, thank you for creating this extension. In reviewing the code I see that you implement findIdentityByAccessToken in the BaseUser class.
php
// /users/models/BaseUser.php
/**
* @param mixed $token
* @param mixed $type
* @return yii\db\ActiveRecord
*/
public static function findIdentityByAccessToken($token, $type = null)
{
return static::findOne(['auth_key' => $token, 'status' => self::STATUS_ACTIVE]);
}
I assume auth_key column in the user table is meant to be used for authorization (ie. when making rest API calls to the api module). Is that the intended use ? If so, what are your thoughts on the non-uniqueness of this parameter? It appears to be generated using:
php
// /users/models/BaseUser.php
/**
* Generates "remember me" authentication key
* @throws Exception
*/
public function generateAuthKey()
{
/** @var yii\base\Security $security */
$security = Yii::$app->security;
$this->auth_key = $security->generateRandomString();
}
Although it is unlikely, my understanding is generateRandomString() is not guaranteed to be unique and thus may present a security risk (albeit it a small one). Curious as to your thoughts?
Hello! Yes, generating a not unique value is unlikely, but to ensure that it will be unique, in the rules of the User model, define attribute values as unique.
It is also possible to create a function that checks the model attribute for uniqueness, if the generated value is not unique, generate another, until get a unique value.
Yes. I would implement both approaches you suggest for completeness. The problem with just implementing it in dB schema and rules is that it may cause validation error or database error if it is not unique when you attempt the insert. By defining a function to continuously regenerate until the fields are unique you avoid that issue.
Added method generateUniqueRandomString() in BaseUser
yii2-advanced-start/modules/users/models/BaseUser.php
Lines 116 to 131 in a1263fa
How would you suggest I update my project to reflect these changes? composer update doesn't seem to do anything
That's right, because the project was installed as a project and not an extension.
Change the following points yourself:
yii2-advanced-start/modules/users/models/BaseUser.php
Lines 91 to 98 in a1263fa
yii2-advanced-start/modules/users/models/BaseUser.php
Lines 100 to 107 in a1263fa
yii2-advanced-start/modules/users/models/BaseUser.php
Lines 109 to 131 in a1263fa
In order not to change it yourself, you need to fork my project into your repository, install a project for yourself from your repository, and get the latest updates from my repository for your own, then use git to update your project on the local machine.
See more: https://help.github.com/en/github/getting-started-with-github/fork-a-repo