Bug: Valid Refresh Tokens despite user changing password

[epicadk]

Describe the bug

Refresh Tokens are still valid even after the user changes passwords.
To Reproduce

Steps to reproduce the behavior:

1. Login and save the refresh token you get.
2. Change password
3. Scroll down to Refresh endpoint and use the old Refresh token.
4. See error

Expected behavior

Refresh Tokens should not be valid after a user changes passwords.

Additional context

This can be done by using the users hashed password as the secret for the refresh tokens.

[devkapilbansal]

I don't know whether it is the case. Will verify today. Thanks @epicadk for opening this

[isabelcosta]

@devkapilbansal if you can verify this, it would be amazing.

@epicadk can you please add more information to the ticket, for example how to reproduce this bug you found, so that whoever works on it, can have an example to follow. Also if you have any idea of a potential solution, even if its not the one being implemented, please put it in the alternatives :)

[epicadk]

@devkapilbansal if you can verify this, it would be amazing.

@epicadk can you please add more information to the ticket, for example how to reproduce this bug you found, so that whoever works on it, can have an example to follow. Also if you have any idea of a potential solution, even if its not the one being implemented, please put it in the alternatives :)

@isabelcosta done . @devkapilbansal I have added steps to reproduce the issues please let me know if I should elaborate any further.

[devkapilbansal]

Valid Issue ✔️

Thanks @epicadk to point out this security bug

Tested locally and able to get new access token using old refresh token that should not happen

TLDR

• Changing Password Screenshot
  

• Successful Refresh
  

Access token generated is also valid and can be used after refresh.

[devkapilbansal]

Also, I noticed that in the refresh endpoint it should mention refresh token instead of access token here

Therefore, opening an issue for this too

[devkapilbansal]

@isabelcosta @vj-codes @rpattath please label this issue

[isabelcosta]

thank you for such a thorough test and showing the output here 🙌 @devkapilbansal

[isabelcosta]

@devkapilbansal can you link up the issue here, in case you already created it?