Context
Surfaced during a security survey.
Ephemeral pre-auth tokens (5 min TTL, src/lib/token.ts) are used to continue OTP/magic-link/registration flows. They are validated by signature + expiry but are not single-use, so a leaked ephemeral token can be replayed multiple times within its window (e.g. to trigger repeated OTP generation).
Impact is bounded (short TTL, rate limiters on the continuation endpoints), which is why this is a hardening item rather than a critical bug.
Suggested work
- Add optional single-use binding / server-side revocation for ephemeral tokens (e.g. a jti tracked in a short-lived store, consumed on first successful continuation).
- Weigh the added state against the current stateless design; document the decision either way.
Acceptance
- Either a single-use mechanism with tests, or a documented decision to accept replay-within-TTL with the mitigating controls named.
Context
Surfaced during a security survey.
Ephemeral pre-auth tokens (5 min TTL,
src/lib/token.ts) are used to continue OTP/magic-link/registration flows. They are validated by signature + expiry but are not single-use, so a leaked ephemeral token can be replayed multiple times within its window (e.g. to trigger repeated OTP generation).Impact is bounded (short TTL, rate limiters on the continuation endpoints), which is why this is a hardening item rather than a critical bug.
Suggested work
Acceptance