Store invite tokens hashed at rest #41

Closed
opened 2026-06-10 18:50:52 +00:00 by thatguygriff · 0 comments

Finding (security review — Low)

InviteRepository (src/Auth/InviteRepository.php) stores and looks up raw invite tokens. The token is generated well (wp_generate_password(32, false) is CSPRNG-backed) and pending invites expire after 14 days, but anyone with read access to the database (backup leak, SQL injection in an unrelated plugin) can redeem pending invites and mint student accounts.

Fix

  • Store hash('sha256', $token) instead of the raw token; hash the incoming token before lookup in the registration flow.
  • The admin Invites page (templates/admin/invites.php) currently reconstructs registration links from the stored token, which no longer works once only the hash is stored. Show the full link once, in a notice right after the invite is created; the pending list keeps email/expiry/revoke. To re-send a lost link: revoke and re-invite.
  • Existing plaintext pending invites will stop matching (pre-1.0 plugin, acceptable); they can be revoked and re-issued.
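The three fix items above as one runnable script. This is an added illustration, not code from the unsupervised-scheduler plugin: a PHP array stands in for the invites table, `random_bytes()` stands in for `wp_generate_password(32, false)` so it runs outside WordPress, and the class name, method names and registration URL shape are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. A PHP array stands in for the invites
// table and random_bytes() for wp_generate_password() so the script runs
// outside WordPress. Class, method and URL names are illustrative.
final class HashedInviteRepository
{
    private const TTL_SECONDS = 14 * 24 * 60 * 60; // pending invites expire after 14 days

    /** @var array<string, array{email: string, expires_at: int}> rows keyed by SHA-256 of the token */
    private array $rows = [];

    // Creates a pending invite and hands the raw token to the caller exactly once.
    // Only hash('sha256', $token) is persisted, so a table read yields nothing redeemable.
    public function create(string $email, int $now): string
    {
        $token = bin2hex(random_bytes(16)); // CSPRNG-backed; stand-in for wp_generate_password(32, false)
        $this->rows[self::digest($token)] = ['email' => $email, 'expires_at' => $now + self::TTL_SECONDS];
        return $token;
    }

    // Registration flow: hash the token taken from the link, then look the digest up.
    // In the real repository this digest is what goes into the WHERE token_hash = %s clause.
    public function redeem(string $token, int $now): ?string
    {
        $digest = self::digest($token);
        $row = $this->rows[$digest] ?? null;
        if ($row === null) {
            return null;             // unknown, revoked or already-used token
        }
        unset($this->rows[$digest]); // single use, valid or not
        if ($row['expires_at'] <= $now) {
            return null;             // expired: purged above, refused here
        }
        return $row['email'];
    }

    // Admin pending list: email and expiry only. No link can be rebuilt from a digest.
    public function pending(int $now): array
    {
        $out = [];
        foreach ($this->rows as $row) {
            if ($row['expires_at'] > $now) {
                $out[] = ['email' => $row['email'], 'expires_at' => gmdate('c', $row['expires_at'])];
            }
        }
        return $out;
    }

    // Everything an attacker with read access to the table would see.
    public function leakTable(): array
    {
        return array_keys($this->rows);
    }

    private static function digest(string $token): string
    {
        return hash('sha256', $token);
    }
}

$repo = new HashedInviteRepository();
$now  = time();

// Create an invite and show the full link once, in the post-create admin notice (URL shape assumed).
$token = $repo->create('student@example.test', $now);
$link  = 'https://example.test/register?invite=' . rawurlencode($token);
echo "Send this link now, it will not be shown again: {$link}\n";

// An attacker who dumped the table has only the digest; presenting it as the token fails.
$stolen = $repo->leakTable()[0];
echo 'stolen digest redeemable: ', ($repo->redeem($stolen, $now) === null ? 'no' : 'YES (bug)'), "\n";

// The pending list exposes nothing redeemable.
print_r($repo->pending($now));

// The legitimate link holder redeems once; a replay and a stale token both fail.
echo 'first use:  ', ($repo->redeem($token, $now) === 'student@example.test' ? 'ok' : 'FAIL'), "\n";
echo 'replay:     ', ($repo->redeem($token, $now) === null ? 'refused' : 'FAIL'), "\n";
$old = $repo->create('late@example.test', $now - 15 * 24 * 60 * 60); // issued 15 days ago
echo 'stale token: ', ($repo->redeem($old, $now) === null ? 'refused' : 'FAIL'), "\n";
```

An unsalted, unstretched SHA-256 is the right tool here, unlike for passwords: the token is a high-entropy random string, so a stolen digest cannot be dictionary- or brute-forced, and a plain digest keeps `token_hash` usable as an indexed equality lookup. For the migration, rows whose stored value is not a 64-character hex digest are pre-fix plaintext invites and can be revoked in bulk.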
thatguygriff added the security label 2026-06-10 18:50:52 +00:00

Reference: Unsupervised/unsupervised-scheduler#41