fix(security): store only a hash of magic-link tokens

Magic-link tokens were persisted in plaintext, so a database read disclosed usable login/invite tokens. The service now hashes tokens (HMAC-SHA256 when a pepper is configured, else SHA-256 of the high-entropy token) and persists only the hash; the raw token is exposed solely in the registration URL and is re-attached to objects returned to callers. Refs: porchlight-42h Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:36:18 +02:00 · 2026-06-04 10:36:18 +02:00 · 91a2277664
commit 91a2277664
parent cdde3e3754
3 changed files with 65 additions and 62 deletions
--- a/tests/test_auth_routes/test_register_magic_link.py
+++ b/tests/test_auth_routes/test_register_magic_link.py
@ -1,8 +1,7 @@
-from datetime import UTC, datetime, timedelta
-
 from httpx import AsyncClient

-from porchlight.models import MagicLink, User
+from porchlight.invite.service import MagicLinkService
+from porchlight.models import User


 async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
@ -13,42 +12,29 @@ async def test_register_invalid_token_returns_error_page(client: AsyncClient) ->

 async def test_register_expired_token_returns_error_page(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
-    repo = app.state.magic_link_repo
-    await repo.create(
-        MagicLink(
-            token="expired",
-            username="newuser",
-            expires_at=datetime.now(UTC) - timedelta(hours=1),
-        )
-    )
+    # An already-expired link (negative TTL), stored hashed like the real service.
+    expired_service = MagicLinkService(repo=app.state.magic_link_repo, ttl=-3600)
+    link = await expired_service.create(username="newuser")

-    res = await client.get("/register/expired", follow_redirects=False)
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
    assert res.status_code == 400
    assert "Invalid or expired" in res.text


 async def test_register_valid_token_creates_user_and_redirects(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
-    magic_link_repo = app.state.magic_link_repo
+    magic_link_service = app.state.magic_link_service
    user_repo = app.state.user_repo

-    await magic_link_repo.create(
-        MagicLink(
-            token="t1",
-            username="newuser",
-            expires_at=datetime.now(UTC) + timedelta(hours=1),
-        )
-    )
+    link = await magic_link_service.create(username="newuser")

-    res = await client.get("/register/t1", follow_redirects=False)
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
    assert res.status_code in (302, 303)
    assert "/manage/credentials" in res.headers["location"]
    assert "setup=1" in res.headers["location"]

-    # Token should be marked used
-    link = await magic_link_repo.get_by_token("t1")
-    assert link is not None
-    assert link.used is True
+    # Token should be consumed (no longer valid)
+    assert await magic_link_service.validate(link.token) is None

    # User should exist
    user = await user_repo.get_by_username("newuser")
@ -58,48 +44,34 @@ async def test_register_valid_token_creates_user_and_redirects(client: AsyncClie

 async def test_register_used_token_returns_error(client: AsyncClient) -> None:
    app = client._transport.app  # type: ignore[union-attr]
-    repo = app.state.magic_link_repo
-    await repo.create(
-        MagicLink(
-            token="used",
-            username="newuser",
-            expires_at=datetime.now(UTC) + timedelta(hours=1),
-            used=True,
-        )
-    )
+    magic_link_service = app.state.magic_link_service
+    link = await magic_link_service.create(username="newuser")
+    await magic_link_service.mark_used(link.token)

-    res = await client.get("/register/used", follow_redirects=False)
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
    assert res.status_code == 400


 async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient) -> None:
-    """When initial-admin creates a user, the invite link should log them in."""
+    """When initial-admin creates a user (no credentials yet), the invite link
+    should let them set up their account."""
    app = client._transport.app  # type: ignore[union-attr]
-    magic_link_repo = app.state.magic_link_repo
+    magic_link_service = app.state.magic_link_service
    user_repo = app.state.user_repo

-    # Pre-create the user (as initial-admin would)
+    # Pre-create the user (as initial-admin would), with no credentials.
    user = User(userid="lusab-bansen", username="admin", groups=["admin", "users"])
    await user_repo.create(user)

-    # Create invite for the same username
-    await magic_link_repo.create(
-        MagicLink(
-            token="admin-setup",
-            username="admin",
-            expires_at=datetime.now(UTC) + timedelta(hours=1),
-        )
-    )
+    link = await magic_link_service.create(username="admin")

-    res = await client.get("/register/admin-setup", follow_redirects=False)
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
    assert res.status_code in (302, 303)
    assert "/manage/credentials" in res.headers["location"]
    assert "setup=1" in res.headers["location"]

-    # Token should be marked used
-    link = await magic_link_repo.get_by_token("admin-setup")
-    assert link is not None
-    assert link.used is True
+    # Token should be consumed
+    assert await magic_link_service.validate(link.token) is None

    # Original user should still exist with original groups
    existing = await user_repo.get_by_username("admin")
--- a/tests/test_invite/test_service.py
+++ b/tests/test_invite/test_service.py
@ -42,6 +42,18 @@ async def test_create_returns_magic_link(service: MagicLinkService) -> None:
    assert link.expires_at > datetime.now(UTC)


+async def test_token_stored_hashed_not_plaintext(service: MagicLinkService, repo: SQLiteMagicLinkRepository) -> None:
+    # The raw token handed to the user must never be the value persisted in
+    # the store; a DB read must not yield a usable token.
+    link = await service.create(username="alice")
+    raw = link.token
+    assert await repo.get_by_token(raw) is None
+    # ...but the raw token must still validate through the service.
+    validated = await service.validate(raw)
+    assert validated is not None
+    assert validated.username == "alice"
+
+
 async def test_create_generates_unique_tokens(service: MagicLinkService) -> None:
    link1 = await service.create(username="alice")
    link2 = await service.create(username="bob")