LivingAi
/
auth
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
auth/JWT_SECURITY_AUDIT.md

6.1 KiB
Raw Blame History

JWT & Refresh Token Security Audit

Security Engineer Review

SECURE IMPLEMENTATIONS

1. Token Storage (Android)

  • Status: SECURE
  • Implementation: Uses EncryptedSharedPreferences with AES256_GCM encryption
  • Location: TokenManager.kt
  • Details:
    • MasterKey with AES256_GCM scheme
    • PrefKeyEncryptionScheme: AES256_SIV
    • PrefValueEncryptionScheme: AES256_GCM
    • Tokens never stored in plain text
    • Tokens cleared on logout

2. Refresh Token Rotation

  • Status: SECURE
  • Implementation: Refresh tokens rotate on each refresh
  • Location: tokenService.js - rotateRefreshToken()
  • Details:
    • Old refresh token is revoked before issuing new one
    • New refresh token has new token_id (JTI)
    • Prevents token reuse attacks
    • Tracks rotation chain via rotated_from_id

3. Token Reuse Detection

  • Status: SECURE
  • Implementation: Detects and handles refresh token reuse
  • Location: tokenService.js - handleReuse()
  • Details:
    • If same refresh token used twice, all device tokens revoked
    • reuse_detected_at timestamp recorded
    • Prevents replay attacks

4. Token Versioning (Global Logout)

  • Status: SECURE
  • Implementation: Token version incremented on logout-all-devices
  • Location: authMiddleware.js - validates token_version
  • Details:
    • Each user has token_version in database
    • Tokens include token_version in payload
    • If version mismatch, token rejected
    • Allows global logout functionality

5. Idle Timeout

  • Status: SECURE
  • Implementation: Refresh tokens expire after 3 days of inactivity
  • Location: tokenService.js - verifyRefreshToken()
  • Details:
    • REFRESH_MAX_IDLE_MINUTES = 4320 (3 days)
    • Prevents long-lived abandoned sessions
    • Automatic cleanup of stale tokens

6. Device Binding

  • Status: SECURE
  • Implementation: Refresh tokens bound to device_id
  • Location: tokenService.js - verifyRefreshToken()
  • Details:
    • Token must match user_id AND device_id
    • Prevents token theft across devices
    • Device ID sanitized and validated

7. Token Hashing

  • Status: SECURE
  • Implementation: Refresh tokens hashed with bcrypt before storage
  • Location: tokenService.js - storeRefreshToken()
  • Details:
    • Tokens never stored in plain text in database
    • bcrypt.compare() used for verification
    • Even if database compromised, tokens not directly usable

8. JWT Claims Validation

  • Status: SECURE
  • Implementation: Validates JWT claims (iss, aud, exp, iat, nbf)
  • Location: authMiddleware.js - validateTokenClaims()
  • Details:
    • Prevents token manipulation
    • Ensures tokens are within valid time window
    • Validates issuer and audience

9. Access Token Short Lifetime

  • Status: SECURE
  • Implementation: Access tokens expire in 15 minutes
  • Location: tokenService.js - signAccessToken()
  • Details:
    • Limits exposure window if token stolen
    • Forces frequent refresh
    • Reduces impact of token leakage

⚠️ POTENTIAL ISSUES & RECOMMENDATIONS

1. Auto-Login on App Restart

  • Status: ⚠️ FIXED
  • Issue: User wasn't automatically logged in when reopening app
  • Root Cause:
    • MainViewModel tried to validate tokens but didn't handle expired access tokens properly
    • Ktor's auto-refresh might not trigger on initial app startup
  • Fix Applied:
    • Improved validateTokens() to try getUserDetails first (uses Ktor auto-refresh)
    • Falls back to manual refresh if auto-refresh doesn't work
    • Better error handling and token validation flow

2. Token Refresh on Startup

  • Status: IMPROVED
  • Implementation: Now properly handles token refresh on app startup
  • Flow:
    1. Check if tokens exist
    2. Try to fetch user details (triggers Ktor auto-refresh if needed)
    3. If that fails, manually refresh token
    4. If refresh fails, clear tokens and logout

3. Network Error Handling

  • Status: GOOD
  • Implementation: Proper error handling for network failures
  • Details:
    • Distinguishes between token expiration and network errors
    • Only clears tokens on authentication failures
    • Network errors don't force logout

🔒 SECURITY BEST PRACTICES FOLLOWED

  1. Encrypted Storage: Tokens stored in EncryptedSharedPreferences
  2. Token Rotation: Refresh tokens rotate on each use
  3. Reuse Detection: Detects and prevents token reuse
  4. Short Access Token Lifetime: 15 minutes
  5. Idle Timeout: 3 days of inactivity
  6. Device Binding: Tokens bound to specific device
  7. Token Hashing: Refresh tokens hashed in database
  8. Global Logout: Token versioning enables logout-all-devices
  9. Claims Validation: JWT claims properly validated
  10. Secure Transmission: Tokens sent in Authorization header (HTTPS required in production)

📋 RECOMMENDATIONS FOR PRODUCTION

  1. HTTPS Enforcement:

    • Ensure all API calls use HTTPS
    • Implement certificate pinning for additional security

  2. Token Expiration Monitoring:

    • Log token refresh events for security monitoring
    • Alert on suspicious refresh patterns

  3. Rate Limiting:

    • Already implemented on backend
    • Monitor for abuse

  4. Biometric Authentication (Future Enhancement):

    • Consider adding biometric unlock for sensitive operations
    • Store tokens behind biometric lock

  5. Token Refresh Retry Logic:

    • Current implementation handles retries well
    • Consider exponential backoff for network failures

🎯 SUMMARY

Overall Security Rating: SECURE

The JWT and refresh token implementation follows security best practices:

  • Secure storage (encrypted)
  • Token rotation
  • Reuse detection
  • Short access token lifetime
  • Device binding
  • Global logout capability

Auto-Login Issue: FIXED

  • Improved token validation flow
  • Better handling of expired tokens on app startup
  • Fallback mechanisms for token refresh

The implementation is production-ready from a security perspective. The main issue (auto-login) has been resolved.