For the Five for the Future project, I ended up writing some custom code for authentication tokens which are stateful, have (cryptographically secure) random values, and can only be used once.
Those tokens will be used by companies to manage their pledges, so if an attacker was able to obtain a token, they’d be able to change a company’s name, logo, description, etc. to something inappropriate, remove contributors from the pledge, and deactivate the pledge entirely.
The reasons why authentication tokens were chosen are documented in the commit, and additional background is available in issue #34 and PR #46.
Does anyone have any thoughts on the code, think there are any missing test cases, or see any other problems? If you think there’s an active vulnerability, please ping me privately or report it via HackerOne.
Props @timothyblynjacobs for pointing out that === was used instead of hash_equals(). Fixed in 35fa9932.
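As an added illustration (not the Five for the Future code itself), here is a minimal PHP model of a stateful, single-use token with a cryptographically random value, verified with hash_equals() rather than ===. The in-memory array standing in for the persistent store and the helper names are assumptions.

```php
<?php
// Added example, not the project's code. An in-memory array models the
// persistent store (assumption); the token id is separate from the secret
// so the store can be looked up without comparing the secret itself.

function issue_token(array &$store, int $pledge_id): string
{
    $id     = bin2hex(random_bytes(8));   // public lookup key
    $secret = bin2hex(random_bytes(32));  // CSPRNG-backed, 256-bit secret
    // Keep only a hash of the secret, so a leaked store yields no usable tokens.
    $store[$id] = [
        'pledge_id' => $pledge_id,
        'hash'      => hash('sha256', $secret),
        'used'      => false,
    ];
    return $id . ':' . $secret;
}

// Returns the pledge id on success, or null. The token is consumed on the
// first successful check, so presenting it again is rejected.
function consume_token(array &$store, string $token): ?int
{
    if (substr_count($token, ':') !== 1) {
        return null;
    }
    [$id, $secret] = explode(':', $token, 2);
    if (!isset($store[$id]) || $store[$id]['used']) {
        return null;
    }
    // hash_equals() takes the same time wherever the strings differ; a plain
    // === comparison stops at the first mismatching byte, and that difference
    // is observable in response timing.
    if (!hash_equals($store[$id]['hash'], hash('sha256', $secret))) {
        return null;
    }
    $store[$id]['used'] = true; // single use: mark consumed before returning
    return $store[$id]['pledge_id'];
}

$store = [];
$token = issue_token($store, 42);
$first = consume_token($store, $token);   // valid, unused token: returns 42
$again = consume_token($store, $token);   // same token again: must be rejected
$wrong = consume_token($store, 'bad:' . str_repeat('0', 64)); // unknown id
```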