Skip to content

Harden ephemeral (pre-auth) token against replay within its TTL #59

Description

@Bccorb

Context

Surfaced during a security survey.

Ephemeral pre-auth tokens (5 min TTL, src/lib/token.ts) are used to continue OTP/magic-link/registration flows. They are validated by signature + expiry but are not single-use, so a leaked ephemeral token can be replayed multiple times within its window (e.g. to trigger repeated OTP generation).

Impact is bounded (short TTL, rate limiters on the continuation endpoints), which is why this is a hardening item rather than a critical bug.

Suggested work

  • Add optional single-use binding / server-side revocation for ephemeral tokens (e.g. a jti tracked in a short-lived store, consumed on first successful continuation).
  • Weigh the added state against the current stateless design; document the decision either way.

Acceptance

  • Either a single-use mechanism with tests, or a documented decision to accept replay-within-TTL with the mitigating controls named.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestsecuritySecurity-sensitive: auth, tokens, OTP, sessions, crypto

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions