Ensure device has not been logged out

[patrickomeara]

This adds a middleware to check that the password hash in session is the same as the current users password, and logs the user out if not.

This fixes a security issue where an attacker can keep sending requests to an API using the sanctum auth after the password has been updated.

Scenario:
If a user is logged in in two different browsers, they change their password in one, the web session is invalidated in the other, but requests can still be sent via the sanctum cookie auth to the API.

refs #142

[taylorotwell]

Can you not just use the already existing AuthenticateSession middleware?

https://laravel.com/docs/10.x/authentication#invalidating-sessions-on-other-devices

[patrickomeara]

Hi @taylorotwell

From what I can see, adding auth.session after auth:sanctum uses the RequestGuard which doesn't have a viaRemember method.

Method Illuminate\Auth\RequestGuard::viaRemember does not exist.

There is also a fatal call to logoutCurrentDevice

Method Illuminate\Auth\RequestGuard::logoutCurrentDevice does not exist.

EnsureDeviceHasNotBeenLoggedOut is a stripped down version of AuthenticateSession that handles only the passsword hash check and logging out if it doesn't match. It rightfully doesn't handle the remember me nor the storing of the password hash.

As it's quite difficult to test for this I have set up a test repo that has both the auth.session middleware branch and the new middleware branch. There are setup instructions in the README there.

Related issues
laravel/framework#40988
https://stackoverflow.com/questions/65623617/logoutotherdevices-isnt-working-with-laravel-sanctum/70469518#70469518
#142

[taylorotwell]

@patrickomeara using this middleware - how does the password hash get stored in the session in the first place? Is it stored by AuthenticateSession during the original "web" request?

Furthermore, what are the breaking change implications if we tag this on a patch release and people are not already using AuthenticateSession?

[patrickomeara]

Yes the original web request stores the password hash in the session. This is the existing mechanism that logs out other sessions on password change.

This newly added Sanctum-only middleware will log out the sanctum sessions as well.

I've added a check so if the original request isn't using AuthenticateSession the middleware continues. This change will make a patch release backward compatible.

[patrickomeara]

I've updated the test repo to use this branch of sanctum.

[patrickomeara]

I'm converting this to draft as I've found a condition where the guard changes from web to sanctum when changing the password via a sanctum request and logs the current session out.

[patrickomeara]

Closing, as laravel/framework#48056 is a better approach to this problem.