  • #3787
Closed
Open
Issue created Oct 17, 2017 by Nick Thomas@nick.thomas🆓Contributor

Geo JWTs (JSON web tokens) do not expire

Summary

The Geo API (and HTTP cloning mechanism once https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3116 is finished) uses JWT authorization. The Geo secondary has a key, which it uses to generate tokens which are intended to be short-lived. Expiring them aggressively means that the risk associated with exposing such a token is limited. Geo expects these tokens to live for a minute or so.

Steps to reproduce

Capture a JWT using tcpdump, or generate one, e.g., with:

::Gitlab::Geo::BaseRequest.new.headers['Authorization']

Wait for 120 seconds

Use the token for authentication, or attempt to decode it:

::Gitlab::Geo::JwtRequestDecoder.new('token here').decode

What is the current bug behavior?

Tokens are valid for as long as the secret key does not change

What is the expected correct behavior?

Token should expire after 60 seconds

Possible fixes

We ask the JWT gem: http://www.rubydoc.info/gems/jwt to verify_iat when decoding the token. It seems we want that to cause the token to be invalidated, but that's not what iat is for: https://tools.ietf.org/html/rfc7519#section-4.1.6

What we actually want to use is the exp claim: https://tools.ietf.org/html/rfc7519#section-4.1.4. Perhaps also the nbf claim: https://tools.ietf.org/html/rfc7519#section-4.1.5, to ensure the token cannot be used before its issuance.

/cc @stanhu @brodock @toon @jarv @dbalexandre

I believe we use JWTs elsewhere in the codebase as well. We should audit these places to ensure that we're not making the same mistake.
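The iat-versus-exp distinction from the "Possible fixes" section, as an added example that is not part of the issue and not GitLab's or the jwt gem's code: a minimal HS256 encoder/decoder on the Ruby standard library whose decode step mirrors the gem's checks (iat must be a number not in the future; exp and nbf, when present, bound the validity window). The secret and timestamps are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'

SECRET = 'constructed-demo-secret'.freeze # constructed; not a real Geo key

def b64url(str)
  Base64.urlsafe_encode64(str, padding: false)
end

# Constant-time comparison so a tampered signature leaks no timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an HS256 JWT carrying exactly the claims given.
def encode_jwt(claims, secret)
  signing_input = "#{b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verify signature and time claims at instant `now`; returns the claims or raises RuntimeError.
# The iat check is the jwt gem's verify_iat semantics: only "not in the future", nothing about age.
def decode_jwt(token, secret, now:, leeway: 0)
  header, payload, sig = token.split('.')
  raise 'bad token format' unless header && payload && sig
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  raise 'bad signature' unless secure_equal?(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  iat = claims['iat']
  raise 'invalid iat' unless iat.is_a?(Numeric) && iat <= now + leeway
  exp = claims['exp']
  raise 'token expired' if exp && now - leeway >= exp       # exp (RFC 7519 4.1.4) ends the window
  nbf = claims['nbf']
  raise 'token not yet valid' if nbf && now + leeway < nbf  # nbf (4.1.5) starts it
  claims
end

def accepted?(token, secret, now:)
  decode_jwt(token, secret, now: now)
  true
rescue RuntimeError
  false
end

if __FILE__ == $PROGRAM_NAME
  t0 = 1_700_000_000
  iat_only = encode_jwt({ iat: t0 }, SECRET)                        # the bug: no expiry claim
  bounded  = encode_jwt({ iat: t0, nbf: t0, exp: t0 + 60 }, SECRET) # the fix: 60 s window
  puts "iat-only token accepted an hour later: #{accepted?(iat_only, SECRET, now: t0 + 3600)}"
  puts "exp-bounded token accepted after 120 s: #{accepted?(bounded, SECRET, now: t0 + 120)}"
end
```

Running the script prints `true` for the iat-only token an hour after issuance and `false` for the exp-bounded one after 120 seconds, which is the behaviour the issue describes and the behaviour it asks for.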
