Invalidate Sessions on Password Change #20
…r session invalidation on password change
Pull request overview
This PR implements automatic session invalidation when users change their password by embedding a password signature in JWT tokens. When a user changes their password, all existing sessions (except the current one) are invalidated because their tokens contain an outdated password signature.
Changes:
- Added password signature (`pwdSig`) to JWT payloads, derived from the first 16 characters of the password hash
- Modified `verifyToken` to perform async database lookups to validate password signatures against current password hashes
- Updated login, signup, and password change endpoints to include password signatures in generated tokens
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/lib/auth.ts | Added pwdSig to JWT payload interface, implemented createPasswordSignature function, and converted verifyToken to async with DB validation of password signatures |
| src/app/api/auth/login/route.ts | Updated to include password signature when generating authentication tokens |
| src/app/api/auth/signup/route.ts | Updated to include password signature when generating authentication tokens during user registration |
| src/app/api/users/me/password/route.ts | Modified to generate a new token with updated password signature after password change, maintaining current session while invalidating others |
| export function createPasswordSignature(passwordHash: string): string { | ||
| return passwordHash.substring(0, 16); | ||
| } |
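Review bot: `createPasswordSignature` returns a raw prefix of the stored hash, so the signature's strength depends entirely on how much of that prefix actually varies; if the stored value is a bcrypt string, as the review comment below notes, the fixed algorithm/cost prefix (`$2b$10$`) consumes several of those 16 characters, leaving well under 16 variable characters. Derive the signature from the whole hash instead, e.g. a SHA-256 digest of `passwordHash` truncated to 32 hex characters, and guard against an empty or undefined `passwordHash`, which would otherwise yield an empty signature that matches any other empty signature.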
Copilot
AI
Jan 10, 2026
The password signature uses only the first 16 characters of the bcrypt hash. While bcrypt hashes are designed to be unique, using only 16 characters significantly increases the collision risk. Consider using a cryptographic hash function (like SHA-256) of the full password hash to generate the signature, or at least use more characters (e.g., 32) to reduce collision probability.
| // Check if password hash still matches the signature in the token | ||
| const user = await prisma.user.findUnique({ | ||
| where: { id: payload.userId }, | ||
| select: { passwordHash: true }, | ||
| }); | ||
|
|
||
| if (!user) return null; | ||
|
|
||
| const currentSig = createPasswordSignature(user.passwordHash); | ||
| if (currentSig !== payload.pwdSig) { | ||
| // Password has changed - invalidate token | ||
| return null; | ||
| } |
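Review bot: The comparison `currentSig !== payload.pwdSig` also rejects every token issued before this change, since those payloads have no `pwdSig` and `undefined` never equals the current signature; that means all existing sessions are logged out at deploy time, which should be stated in the PR description or handled with an explicit migration path. Two smaller points in the same block: the `if (!user) return null;` and the signature-mismatch branch are indistinguishable to the caller, so consider logging the mismatch case for detection (it is the expected signal of a revoked session), and compare the two signatures with a constant-time comparison rather than `!==`.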
Copilot
AI
Jan 10, 2026
The verifyToken function now performs a database query on every authenticated request, which can significantly impact performance. Consider implementing a caching strategy (e.g., short-lived cache with the user's password hash signature) to reduce database load while maintaining security.
This PR improves authentication security by embedding a password signature in JWT tokens. The signature, derived from the user's password hash, enables automatic invalidation of all active sessions when a user changes their password. Key updates include:
These enhancements ensure robust session management and protect user accounts from unauthorized access after password updates.
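The scheme the PR description and the review overview describe, written out as an added example that is not the project's `src/lib/auth.ts`: the signature is a SHA-256 digest over the full stored hash (as the first review comment suggests) compared in constant time, and a constructed in-memory user map stands in for the Prisma lookup. `JwtPayload`, `issuePayload`, `validatePayload`, `signatureMatches` and `changePassword` are assumed names.

```typescript
// Added example, not the project's code: hardened variant of the PR's scheme.
// Assumed: a constructed in-memory user map stands in for prisma.user.findUnique.
import { createHash, timingSafeEqual } from "node:crypto";

export interface JwtPayload {
  userId: string;
  pwdSig: string; // signature of the password hash current when the token was issued
}

// SHA-256 over the *full* stored hash (not a prefix of it), truncated to
// 32 hex chars = 128 bits; any change of the stored hash changes the signature.
export function createPasswordSignature(passwordHash: string): string {
  return createHash("sha256").update(passwordHash, "utf8").digest("hex").slice(0, 32);
}

// Constant-time string comparison; a length mismatch is itself a mismatch.
export function signatureMatches(expected: string, presented: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(presented, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed user table (placeholder hash values, not real bcrypt output).
const users = new Map<string, { passwordHash: string }>([
  ["u1", { passwordHash: "$2b$10$CONSTRUCTED-OLD-HASH-PLACEHOLDER" }],
]);

// What login/signup would embed in a freshly issued token.
export function issuePayload(userId: string): JwtPayload | null {
  const user = users.get(userId);
  return user ? { userId, pwdSig: createPasswordSignature(user.passwordHash) } : null;
}

// The check verifyToken performs after the JWT signature itself is verified:
// the token stays valid only while its pwdSig matches the stored hash.
// A legacy payload without pwdSig is treated as an empty signature and rejected.
export function validatePayload(payload: JwtPayload): JwtPayload | null {
  const user = users.get(payload.userId);
  if (!user) return null;
  const currentSig = createPasswordSignature(user.passwordHash);
  return signatureMatches(currentSig, payload.pwdSig ?? "") ? payload : null;
}

// Password-change endpoint: store the new hash and mint a token for the
// current session; every token carrying the old pwdSig now fails validatePayload.
export function changePassword(userId: string, newPasswordHash: string): JwtPayload {
  users.set(userId, { passwordHash: newPasswordHash });
  return { userId, pwdSig: createPasswordSignature(newPasswordHash) };
}
```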