lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): reset session on login to prevent fixation

Browse source 
Both password and WebAuthn login wrote the authenticated identity onto the
existing pre-auth session, so a fixed/planted session could be elevated to an
authenticated one. Add _establish_authenticated_session() which clears the
session (preserving only a pending OIDC authorization request) before setting
the identity, used by both login paths.

Tests that reused a pre-login CSRF token now re-fetch it after login, matching
real client behavior.

Refs: porchlight-vxr

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg 2026-06-04 14:23:08 +02:00
parent 7c4dbf2cd9
commit 407db57279
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
5 changed files with 65 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tests/test_admin_invite_validation.py
View file

@ -32,7 +32,8 @@ async def _login_admin(client: AsyncClient) -> str:
data={"username": "admin", "password": "AdminPass123!"},
headers={"HX-Request": "true", "X-CSRF-Token": token},
)
return token
# Login resets the session (fixation defense); fetch a fresh CSRF token.
return await get_csrf_token(client)
@pytest.mark.asyncio