Austin Elixir

Routing Securely with Phoenix Framework

2015-09-02

Luke Imhoff

	luke_imhoff@rapid7.com	Kronic.Deth@gmail.com
	@limhoff-r7	@KronicDeth
		@KronicDeth

This Presentation

Live Stream/Recording

https://youtu.be/lrlHYHKVWiI

Slides

Viewable: https://kronicdeth.github.io/routing-securely-with-phoenix-framework
Source: https://github.com/KronicDeth/routing-securely-with-phoenix-framework/tree/gh-pages

Project Source

https://github.com/KronicDeth/routing-securely-with-phoenix-framework/tree/master

Outline

Installation
New Project
Configuration
TLS
Authentication
CSRF
Channels
XSS
Compromise Recovery

Installation

Node
mix archives

Node

Source	Linux	Mac	Windows
nodejs.org	`tar.gz`	`pkg`	`msi`
homebrew		`brew install node`
apt-get	`sudo apt-get install nodejs-legacy`

Installing Mix Archives


mix local.hex
mix archive.install https://github.com/phoenixframework/phoenix/releases/download/v0.17.0/phoenix_new-0.17.0.ez

New Project

mix phoenix.new Options
mix phoenix.new
Fetch and Install Dependencies
- New
- Clone
Run

`mix phoenix.new` Options

Option	Description	Format	Example
`--app APP`	The name of the OTP application	Atom	`routing_securely_with_phoenix_framework`
`--database DATABASE`	Specify the database adapter for ecto	`mssql` `mysql` `postgres` (default) `sqlite`
`--module MODULE`	The name of the base module in the generated skeleton	Alias	`RoutingSecurelyWithPhoenixFramework`
`--no-ecto`	Do not generate Ecto files for the model layer
`--no-brunch`	Do not generate brunch files for static asset building

Normally, you don't need to specify any of these options and they are just derived from the directory name, but if you want to use a different naming scheme or nested namespaces, you'll need to manually override APP and MODULE.

By default, phoenix dot new (phoenix.new) will use Ecto with Postgres, but if you prefer a different database you can override that with dash dash database (--database). If you don't need a database at all, you can disable Ecto with dash dash no dash ecto (--no-ecto).

Even if you need a database, you could still create the project without ecto if you want to use a built-in Erlang database like Mnesia or DETS. Or a NOSQL alternative like Riak that Ecto doesn't support.

You could dash dash no dash brunch (--no-brunch) if you want to use something other than brunch, such as webpack, to compile your assets, or if you don't have HTML or assets because you're just building a JSON API or channel server.

`mix phoenix.new`

Fetch and Install Dependencies

mix phoenix dot new (mix phoenix.new) is interactive and after creating the files we saw on the last slide, the mix task will ask if you want to install dependencies.

Saying 'yes', will install the javascript dependencies with N-P-M install (npm install) and the Elixir dependencies with mix deps dot get (mix deps.get)

Please take note that the prompt only happens when creating a new project. If you clone a pre-existing project...

Fetching and Install Dependencies for Clone

Error	Solution
	`mix deps.get`
	`npm install`

...you need to run mix deps dot get (mix deps.get) and N-P-M install (npm install) manually.

If you forget to run either of these steps and start mix phoenix dot server (mix phoenix.server), the log will helpfully contain errors telling you the command to run.

In Phoenix, and Elixir in general, if an error message isn't helpful it is considered a bug and you should open an issue with the project on Github.

Run your application

cd routing_securely_with_phoenix; mix ecto.create; mix phoenix.server

Configuration

Default Configuration
Remove Shared secret_key_base
Secret configuration for each environment
Generating new secret_key_base
Generating database passwords
config/dev.secret.exs
config/test.secret.exs
Create PostgreSQL users
Create Database

Default Configuration

Environment	Module	key	File	Source Controlled?
All	`Endpoint`	`secret_key_base`	`config/config.exs`	Yes
`dev`	`Repo`	`password`	`config/dev.exs`	Yes
`prod`	`Endpoint`	`secret_key_base`	`config/prod.secret.exs`	No
`prod`	`Repo`	`password`	`config/prod.secret.exs`	No
`test`	`Repo`	`password`	`config/test.exs`	Yes

Phoenix projects have two secrets: the secret key base and the database password.

The secret key base is used by Plug for the session encryption and signing and by Phoenix for channel tokens. If the secret key base is disclosed, it's possible to either read session cookies or fake cookies by signing session cookies containing your own data.

The database password is of course used to log into database. If the database password is disclosed all your data is accessible.

By default, the prod secrets are kept is a separate prod dot secret dot E-X-S (prod.secret.exs) that is git ignored. Not keeping production secrets in source control is a best practice.

But, by default, Phoenix does keep your development and test secrets in source control. I see two problems with this: first, it means that your entire team uses the same secrets and second, if your repository is public I can see your secrets on github.

You may think these aren't issues because they're not meant for production, but if you end up replicating part of your production data to development to fix a bug and some one gets access to your network, you can end up divulging production data to the attacker.

Additionally, if you have reused and/or weak password, an attacker can use your dev or test passwords to more easily guess your production passwords.

Remove shared `secret_key_base`

Remove secret_key_base from config/config.exs

Secret configuration for each environment

Remove improt_config "prod.secret.exs" in config/prod.exs — Remove secret configuration import from `config/prod.exs`

import_config "#{Mix.env}.secret.exs" in config/config.exs — Import secret configuration for each environment in `config/config.exs`

git ignore config/*.secret.exs instead of config/prod.secret.exs — Ignore all secret configurations in git

Generating new `secret_key_base`


iex(1)> length = 64
64
iex(2)> :crypto.strong_rand_bytes(length) |> Base.encode64 |> binary_part(0, length)

Generating database password

Use a password manager
Make the password long (> 16 characters)
Replace password every 90 days

Using KeePass to generate a 64 character password with lowe letter, upper letters, numbers, and special characters that expires in 3 months

The advice for a strong password applies even more so for prod than it does for dev or test.

In addition to replacing your passwords every 90 days you should do the same for your secret key bases. This will invalidate any active sessions that the user has, but this is a good thing because your users should also be replacing their passwords every 90 days.

Here, I'm using KeePassX to generate a strong password and store it, so I have it on file if I accidentally delete my secret configuration files.

Dev Secrets

Remove config APP_NAME, MODULE_NAME.Repo from config/dev.exs — Remove `Repo` configuration from `config/dev.exs`

Create config/dev.secret.exs


use Mix.Config

# In this file, we keep development configuration that
# you likely want to automate and keep it away from
# your version control system.
config :routing_securely_with_phoenix_framework, RoutingSecurelyWithPhoenixFramework.Endpoint,
  secret_key_base: "SECRET_KEY_BASE"

# Configure your database
config :routing_securely_with_phoenix_framework, RoutingSecurelyWithPhoenixFramework.Repo,
  adapter: Ecto.Adapters.Postgres,
  database: "routing_securely_with_phoenix_framework_dev",
  host: "127.0.0.1",
  password: "PASSWORD",
  size: 20, # The amount of database connections in the pool
  username: "routing_securely_with_phoenix_framework_dev"

The config slash dev dot secret dot exs (config/dev.secret.exs) will have the secret key base for the endpoint and the entire repo configuration.

You could put the common keys for the repo configuration in config slash config dot E-X-S (config/config/exs), but this way the reader doesn't need to know which keys are defaults.

Notice that I'm using a separate username, that matches the database name. This way the user can have the minimum permissions to only interact with its own database.

Test Secrets

Remove config APP_NAME, MODULE_NAME.Repo from config/test.exs — Remove `Repo` configuration from `config/test.exs`

Create config/test.secret.exs


use Mix.Config

# In this file, we keep development configuration that
# you likely want to automate and keep it away from
# your version control system.
config :routing_securely_with_phoenix_framework, RoutingSecurelyWithPhoenixFramework.Endpoint,
  secret_key_base: "SECRET_KEY_BASE"

# Configure your database
config :routing_securely_with_phoenix_framework, RoutingSecurelyWithPhoenixFramework.Repo,
  adapter: Ecto.Adapters.Postgres,
  database: "routing_securely_with_phoenix_framework_test",
  password: "PASSWORD",
  pool: Ecto.Adapters.SQL.Sandbox,
  username: "routing_securely_with_phoenix_framework_test"

Create PostgreSQL Users

	Termianl	pgAdmin
1	`createuser --createdb --encrypted --no-createrole --no-superuser --pwprompt USERNAME`	Start pgAdmin3
2	Enter password	Connect to server
3	Enter password (again)	Right-click Login Roles
4		Click New Login Role
5		Enter `username as Role Name`
6		Change to Definition Tab
7		Enter password
8		Enter password (again)
9		Change to Role Privileges Tab
10		Click "Can create database"
11		Click OK

Create the database

Top lines of mix ecto.create in new project compile fs application — `mix ecto.create` for new project

mix ecto.create in a pre-built project does not compile and only creates the database — `mix ecto.create` in built project

Now with the secrets outside of source control, we can create the database using the command that mix phoenix dot new (mix phoenix.new) gave us.

You may wonder what's going on when you run the command: you'll see all this output about files being compiled and wonder why you're compiling to create a database. Mix compiles the dependencies before creating the database because Ecto is a dependency of your project and so needs to be built for it to connect to PostgreSQL and create the database.

If you run mix ecto dot create (mix ecto.create) in a project where the dependencies are already compiled, then you'll just get the bottom message. Seeing the compilation message for ecto dot create (ecto.create) is a side-effect of it being the first mix command you ran.

TLS

Overview
Certificate Authority Key
Self-Signing Certificate Authority
Self-Signing Certificate Authority Distinguished Name
Viewing your self-signed certificate
Server Key
Server Certificate Signing Request
Server Certificate Signing Request Distinguished Name
Signed Server Certificate
Signing Server Certificate Request
Trust Self-Signed Certificate Authority
Fully-qualified Domain Setup
Testing TLS Connection
TLS Configuration
TLS dev Configuration
TLS prod Configuration
TLS test Configuration

Overview

Transport Layer Security
Successor to SSL (Secure Socket Layer) 3.0
TLS 1.0 was defined in 1999

H-T-T-P-S should no longer use S-S-L. When speaking about the encryption for H-T-T-P-S, you should say T-L-S now.

Phoenix, through Plug has built-in support for T-L-S without the need for a reverse proxy like engine-X (nginx).

We want to use TLS because we will be authenticating users, so if we don't use TLS, the user's passwords and cookies will be sent plain-text on the network, allowing attackers to steal them and impersonate the user.

Certificate Authority Key

`openssl genrsa -des3 -out certificate-authority.key 4096`
Option	Argument	Description
	`genrsa`	Generate RSA key
`-des3`		Password protect the private key
`-out`	`certificate-authority.key`	Private Key file
	4096	Number of bits in RSA key

Self-Signing Certificate Authority

`openssl req -new -x509 -days 365 -key certificate-authority.key -out certificate-authority.crt -sha256`
Option	Argument	Description
	`req`	X.509 Certificate Signing Request (CSR) Management
`-new`		New Certificate Request
`-x509`		Self-signed certificate
`-days`	`365`	Number of days certificate is valid
`-key`	`certificate-authority.key`	Input file name for private key used for signing
`-out`	`certificate-authority.crt`	Output file for self-signed certificate
`-sha256`		Sign using SHA256 instead of SHA1

Self-Signing Certificate Authority Distinguished Name

Entering C,ST,L,O,CN, and emailAddress for distinguished name

Viewing your self-signed certificate

`openssl x509 -in certificate-authority.crt -noout -text`

Data stored in certificate-authority.pem

Server Key

openssl genrsa -out server-${MIX_ENV}.key 4096

Server Certificate Signing Request

openssl req -new -key server-${MIX_ENV}.key -out server-${MIX_ENV}.csr

Server Certificate Signing Request Distinguished Name

Entering C,ST,L,O,CN, and emailAddress for distinguished name. CN must match DNS name (dev.phoenix.localhost) of MIX_ENV server

Signing Server Certificate Request

`openssl x509 ‑CA certificate‑authority.crt ‑CAcreateserial ‑CAkey certificate‑authority.key ‑days 90 ‑in server‑${MIX_ENV}.csr ‑out server‑${MIX_ENV}.crt ‑req ‑sha256`
Option	Argument	Description
	`x509`	Certificate display and signing utility
`‑CA`	`certificate‑authority.crt`	The Certificate Authority certificate
`‑CAcreateserial`		Create file for keeping track of CA issued certificate serial numbers if it does not exist and assign this certificate the next serial number.
`‑CAkey`	`certificate‑authority.key`	Certificate Authority private Key for signing request
`‑days`	`90`	Days the server certificate is valid
`‑in`	`server‑${MIX_ENV}.csr`	Request to be signed
`‑out`	`server‑${MIX_ENV}.crt`	Signed certificate output file
`‑req`		Sign a certificate request
`‑sha256`		Sign with SHA256 instead of SHA1

Trust Self-Signed Certificate Authority

OSX

Open Keychain Access
Click Plus
Select certificate-authority.crt
Highlight the certificate
Click i
Expand Trust
Change "When using this certificate" to Always Trust
Close i Dialog
Enter password to save changes

Fully Qualified Domain Setup

Open /etc/hosts

Add the following lines


127.0.0.1 dev.routing-securely-with-phoenix-framework.localhost
127.0.0.1 prod.routing-securely-with-phoenix-framework.localhost
127.0.0.1 test.routing-securely-with-phoenix-framework.localhost

Restart Browsers

TLS Configuration

We need to disable the default HTTP Strict Transport Security because it doesn't work with HTTPS ports other than 443 that are different than the HTTP port.

The https setting needs to know where to find the private key and certificate for the server. Using the OTP app setting allows the paths to be relative.

The host in the url setting needs to match the Common Name used in the respective mix environments, so I just use Mix.env in the host name itself.

TLS `dev` Configuration

TLS `prod` Configuration

TLS `test` Configuration

Testing TLS connection

Start Phoenix:
```
mix phoenix.server
```
Open HTTP URL printed by Cowboy
Verify redirected to HTTPS URL printed by Cowboy
Verify connection is private

Authentication

Providers
User model
User Migration
User Schema
User Changeset
User password hashing
User Registration Routers
User Registration Controller
User Registration Controller new
User View
User new Template
User Registration Controller create
Page Routes
Page Controller Authentication
Authenticate Plug
Session Routes
Session Controller
Session Controller new
Session View
Session new Template
Session Controller create
Session Status
Session Controller delete

Authentication Providers

Don't store passwords if you don't have

Allow uses to login with OAuth:
- Facebook
- Github
- Google
- Twitter
Allow uses to login with SAML:
- Okta
Store their password

If you are making an application on the internet, please consider NOT having your users create a new account and password for your site. Then you site just becomes another site that can have a password breach.

Instead, let password security be someone else's problem: use OAuth to allow sign-in from social networks or use SAML with Okta and allow users to login with their private company ActiveDirectory credentials.

If none of these options work for you or you want a fallback in case your users don't have accounts at the other providers, then you can implement passwords in your application.

This code for this section is based on Michael Eatherly's "Phoenix app with authentication" from May 11th 2015. It has been updated for changes in newer versions of Phoenix and some stylistic changes.

`User` model

`mix phoenix.gen.model User users name password_hash`
Argument	Description
`User`	Module name
`users`	Table name
`name`	Column name
`password_hash`	Column name

User Migration


defmodule RoutingSecurelyWithPhoenixFramework.Repo.Migrations.CreateUser do
  use Ecto.Migration

  def change do
    create table(:users) do
      add :name, :string, null: false
      add :password_hash, :string, null: false

      timestamps
    end

    create unique_index(:users, [:name])
  end
end

We create a bare minimum user with a unique name and hashed-password.

Note that I called the field password_hash because it's a hashed password it's not encrypted. A lot of example code confuses encrypted passwords, which can be unencrypted and recovered with hashed passwords, which can't be recovered. Hash is one-way. Hash password are only cracked by finding the input string that happens to make the same hash as the hash on file.

If you ever have to choice between encrypting or hashing passwords, choose hashing passwords and just have users reset their passwords instead of having unencryptable passwords that you can send back to the user when their forget their password.

If you can unencrypt a password that means that can attacker that gets access to your unencryption key can also read all your users' passwords.

User Schema


defmodule RoutingSecurelyWithPhoenixFramework.User do
  use RoutingSecurelyWithPhoenixFramework.Web, :model

  schema "users" do
    field :name, :string
    field :password, :string, virtual: true
    field :password_confirmation, :string, virtual: true
    field :password_hash, :string

    timestamps
  end
end

schema is a macro for Ecto models that define the type of each field in the Ecto model.

The fields aren't automatically inferred from the database because (1) Elixir in general believes in more explicitness and (2) an Ecto model is more separate from the database: it allows for form-only virtual fields, such as password and password_confirmation as seen here.

In theory, you can have two Ecto models that point to the same database table and only they can have different real and virtual fields exposed from the database columns.

User Changeset


defmodule RoutingSecurelyWithPhoenixFramework.User do
  @minimum_password_length 16
  @optional_fields ~w()
  @required_fields ~w(name password password_confirmation)

  @doc """
  Creates a changeset based on the `model` and `params`.

  If no params are provided, an invalid changeset is returned
  with no validation performed.
  """
  def changeset(model, params \\ :empty) do
    model
    |> cast(params, @required_fields, @optional_fields)
    |> validate_length(:password, min: @minimum_password_length)
    |> validate_length(:password_confirmation, min: @minimum_password_length)
    |> validate_confirmation(:password)
    |> unique_constraint(:name)
  end
end

Ecto separates the model, which is a simple Struct from data about whether the params the user passed are valid and what changes need to be persisted to the database in an Ecto dot Changeset (Ecto.Changeset).

cast does 3 things: (1) it errors out if a required field is missing in params; (2) it only allows required and optional fields to be copied into the changeset; (3) it converts the allowed params to the type given in the schema.

Validations are applied to the changeset and errors are recorded in the returned changeset, so they are just functions, not a DSL.

Instead of validating for uniqueness with a SELECT in the database, unique_constraint annotates the changeset, so if there is unique index error from the database, it is transformed back to a validation error. This is more efficient than validating the uniqueness with SELECT when the call happens because it eliminates a trip to the database and isn't prone to the race conditions of the SELECT either.

User password hashing


defmodule RoutingSecurelyWithPhoenixFramework.User do
  @doc """
  Generates a password for the user changeset and stores it to the changeset as password_hash.
  """
  def generate_password(changeset) do
    put_change(changeset, :password_hash, Comeonin.Bcrypt.hashpwsalt(changeset.params["password"]))
  end
end

As a general rule one should never write their own encryption, so I'm taking that advise and using the comeonin package to use Bcrypt, which is a known hashing algorithm, to salt each password and hash it for me.

Salting adds a randomly generate string to the user's password before hashing, which does 2 things: (1) if two users have the same password, it's stops them from having the same password hash and (2) it makes the passwords harder to crack in bulk because an attacker needs to start over for each salt.

User Registration Routes


defmodule RoutingSecurelyWithPhoenixFramework.Router do
  use RoutingSecurelyWithPhoenixFramework.Web, :router

  scope "/", RoutingSecurelyWithPhoenixFramework do
    pipe_through :browser # Use the default browser stack

    get "/registration", RegistrationController, :new
    post "/registration", RegistrationController, :create
  end
end

User Registration Controller


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationController do
  use RoutingSecurelyWithPhoenixFramework.Web, :controller

  alias RoutingSecurelyWithPhoenixFramework.User

  plug :scrub_params, "user" when action in [:create]
end

User Registration Controller `new`


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationController do
  def new(conn, _params) do
    changeset = User.changeset(%User{})
    render conn, changeset: changeset
  end
end

User View


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationView do
  use RoutingSecurelyWithPhoenixFramework.Web, :view
end

User `new` Template


<h3>Registration</h3>
<%= form_for @changeset, registration_path(@conn, :create), fn f -> %>
<%= if f.errors != [] do %>
<div class="alert alert-danger">
    <p>Oops, something went wrong! Please check the errors below:</p>
    <ul>
        <%= for {attr, message} <- f.errors do %>
        <li><%= humanize(attr) %> <%= message %></li>
        <% end %>
    </ul>
</div>
<% end %>

<div class="form-group">
    <label>Name</label>
    <%= text_input f, :name, class: "form-control" %>
</div>

<div class="form-group">
    <label>Password</label>
    <%= password_input f, :password, class: "form-control" %>
</div>

<div class="form-group">
    <label>Password Confirmation</label>
    <%= password_input f, :password_confirmation, class: "form-control" %>
</div>

<div class="form-group">
    <%= submit "Register", class: "btn btn-primary" %>
    <%= link("Login", to: session_path(@conn, :new), class: "btn btn-success pull-right") %>
</div>
<% end %>

We use the form_for function with the passed in changeset. Passed in variables are called assigns and accessible using the @ macro. They are not the same as module attributes, but can be though of as similar because they should be treated as constant for the template.

Pay special attention that the percent equals form of the E-E-X tags MUST be used for anything that outputs HTML code. This includes non-obvious macros like if and for.

All the CSS class come from bootstrap, which Phoenix uses by default.

User Registration Controller `create`


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationController do
  def create(conn, %{"user" => user_params}) do
    changeset = User.changeset(%User{}, user_params)

    if changeset.valid? do
      case changeset |> User.generate_password |> Repo.insert do
        {:ok, user} ->
          conn
          |> put_flash(:info, "Successfully registered and logged in")
          |> put_session(:current_user_id, user_id)
          |> redirect(to: page_path(conn, :index))
        {:error, changeset} ->
          render conn, "new.html", changeset: changeset
      end
    else
      render conn, "new.html", changeset: changeset
    end
  end
end

When the new form is submitted it goes to the create action in the RegistrationController

If the changeset is valid, because the name is present and the password and password_confirmation match and are long enough, then use them to generate the password_hash and insert the user into the repo.

But, the insert can fail if the unique constraint is violated, so we check for errors from the insert in the case macro.

If there's a validation or a constraint error, then we render the new form with the errors.

The current user ID is stored in the session instead of the current user, so that a stale user format can't be retrieved from the session. It also keeps the session cookie size down since it's only storing an integer instead of a Struct.

Page Routes


defmodule RoutingSecurelyWithPhoenixFramework.Router do
  scope "/", RoutingSecurelyWithPhoenixFramework do
    get "/pages", PageController, :index
  end
end

Page Controller Authentication


defmodule RoutingSecurelyWithPhoenixFramework.PageController do
  plug RoutingSecurelyWithPhoenixFramework.Plug.Authenticate
end

Authenticate Plug


defmodule RoutingSecurelyWithPhoenixFramework.Plug.Authenticate do
  import RoutingSecurelyWithPhoenixFramework.Router.Helpers

  alias RoutingSecurelyWithPhoenixFramework.Repo
  alias RoutingSecurelyWithPhoenixFramework.User

  def init(opts) do
    opts
  end

  def call(conn, _opts) do
    assign_current_user(conn)
  end

  defp assign_current_user(conn = %Plug.Conn{}) do
    assign_current_user(conn, Plug.Conn.get_session(conn, :current_user_id))
  end
  defp assign_current_user(conn, id) when is_integer(id) do
    assign_current_user(conn, Repo.get(User, id))
  end
  defp assign_current_user(conn, user = %User{}) do
    Plug.Conn.assign(conn, :current_user, user)
  end
  defp assign_current_user(conn, _), do: redirect_to_sign_in(conn)

  defp redirect_to_sign_in(conn) do
    conn
    |> Phoenix.Controller.put_flash(
         :error,
         'You need to be signed in to view this page'
       )
    |> Phoenix.Controller.redirect(to: session_path(conn, :new))
    |> Plug.Conn.halt
  end
end

Plugs can either be functions or Modules. Modules have the benefit of allowing options to be passed to the plug macro call. Here we're not using the opts, so they just pass through unused in init/2 to maintain the signature and are prefixed with underscore (_opts) to let the compiler know we expect to not use the variable in call.

The bulk of the plug is the assign current user function, where is clause does a single transformation convert a connection to a user id to a user The final clause handles both if the current user id is nil or if the user is nil.

The Plug dot conn dot halt (Plug.Conn.halt) is important as it stops the pipeline of plugs, including the action from running. Without it, you'll get a a plug dot conn dot already sent error (Plug.Conn.AlreadySentError). Being able to mark a conn as halted is what elevates plug pipelines above the level of pipe arrow (|>) pipelines in standard Elixir: you can stop a pipeline when there is an error and not have to do :ok and :error cases for every later function in the pipeline.

Session Routes


defmodule RoutingSecurelyWithPhoenixFramework.Router do
  scope "/", RoutingSecurelyWithPhoenixFramework do
    get "/", SessionController, :new
    post "/login", SessionController, :create
    get "/logout", SessionController, :delete
  end
end

Session Controller


defmodule RoutingSecurelyWithPhoenixFramework.SessionController do
  use RoutingSecurelyWithPhoenixFramework.Web, :controller

  alias RoutingSecurelyWithPhoenixFramework.User

  plug :scrub_params, "user" when action in [:create]
end

Session Controller `new`


defmodule RoutingSecurelyWithPhoenixFramework.SessionController do
  def new(conn, _params) do
    render conn, changeset: User.changeset(%User{})
  end
end

Session View


defmodule RoutingSecurelyWithPhoenixFramework.SessionView do
  use RoutingSecurelyWithPhoenixFramework.Web, :view
end

Session `new` Template


<h3>Login</h3>
<%= form_for @changeset, session_path(@conn, :create), fn f -> %>
<%= if f.errors != [] do %>
<div class="alert alert-danger">
    <p>Oops, something went wrong! Please check the errors below:</p>
    <ul>
        <%= for {attr, message} <- f.errors do %>
        <li><%= humanize(attr) %> <%= message %></li>
        <% end %>
    </ul>
</div>
<% end %>

<div class="form-group">
    <label>Name</label>
    <%= text_input f, :name, class: "form-control" %>
</div>

<div class="form-group">
    <label>Password</label>
    <%= password_input f, :password, class: "form-control" %>
</div>

<div class="form-group">
    <%= submit "Login", class: "btn btn-primary" %>
    <%= link("Sign Up", to: registration_path(@conn, :new), class: "btn btn-success pull-right") %>
</div>
<% end %>

Session Controller `create`


defmodule RoutingSecurelyWithPhoenixFramework.SessionController do
  def create(conn, %{"user" => user_params}) do
    if is_nil(user_params["name"]) do
      nil
    else
      Repo.get_by(User, name: user_params["name"])
    end
    |> sign_in(user_params["password"], conn)
  end
  # Private Functions

  @sign_in_error "Name or password are incorrect."

  defp sign_in(user, _password, conn) when is_nil(user) do
    conn
    |> put_flash(:error, @sign_in_error)
    |> render "new.html", changeset: User.changeset(%User{})
  end

  defp sign_in(user, password, conn) when is_map(user) do
    if Comeonin.Bcrypt.checkpw(password, user.password_hash) do
      conn
      |> put_session(:current_user_id, user.id)
      |> put_flash(:info, "You are now signed in.")
      |> redirect(to: page_path(conn, :index))
    else
      conn
      |> put_flash(:error, @sign_in_error)
      |> render "new.html", changeset: User.changeset(%User{})
    end
  end
end

When the new form is submitted, create will attempt to login the user.

create only looks up the user if the name is set, saving a trip to the database.

The retrieved user or nil is then passed to sign_in, which uses a guard to show an error when the user is nil, which handles both the user name being nil and the user not being found in the database.

If the user is found in the database, when come on in's bcrypt support is used to check the password against the stored password hash. If the password is correct, then the users is signed in and redirected to the landing page.

If the password is incorrect, an error is shown by redirecting to the new form.

Take note of the sign in error module attribute (@sign_in_error). I make sure to use same error whether the name and/or password is incorrect. I don't want to disclose if the name is correct, but the password is wrong as that allows for user enumeration, which can help with other attacks.

However, for this specific application, because there is open registration, users can be enumerated by trying names and seeing if they are already taken.

Session Status


<!DOCTYPE html>
<html lang="en">
  <body>
    <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
      <div class="container">
       <div id="navbar" class="navbar-collapse collapse">
          <div class="navbar-form navbar-right">
          <%= case @conn.assigns[:current_user] do %>
          <%    nil -> %>
            <%= link "Login", class: "btn btn-success", role: "button", to: session_path(@conn, :new) %>
          <%    current_user -> %>
            <span class="label label-info">
              <%= current_user.name %>
            </span>
            <%= link "Logout", class: "btn btn-danger", role: "button", to: session_path(@conn, :delete) %>
          <% end %>
          </div>
        </div><!--/.navbar-collapse -->
      </div>
    </nav>
  </body>
</html>

Session Controller `delete`


defmodule RoutingSecurelyWithPhoenixFramework.SessionController do
  def delete(conn, _) do
    delete_session(conn, :current_user_id)
    |> put_flash(:info, "You have been logged out")
    |> redirect(to: session_path(conn, :new))
  end
end

CSRF

Overview
False CSRF Protections
CSRF Protections
CSRF Token in Forms
CSRF Token Verification
Same Origin Policy

CSRF

Cross-Site Request Forgery

User is logged into goodsite.com
User visits badsite.com
badsite.com contains a link to goodsite.com/widgets/sell
User's browser fetches link to goodsite.com using cookie from goodsite.com
badsite.com has just sold in User's account on goodsite.com to attacker

False CSRF Protections

Secret Cookie
Not accepting GET requests
Multi-Step Transactions

Having a secret cookie doesn't matter because all cookies are sent to the site that created them.

Only allowing DELETE, PATCH, POST, and PUT requests and not GET requests would prevent links triggering CSRF, but a malicious site can easily construct POST requests using hidden form fields or javascript.

Having a complex set of steps to complete a transaction, such may pages and forms to fill to do a bank transfer doesn't protect if the attacker and figure out the correct sequence of requests to fake those steps.

Rewriting URLs would involve putting the user's session ID in the URL, which means that anything that saves the URL, such as the history, then has the user's session ID in it, which can be recovered by an attacker.

CSRF Protections

GET requests MUST NOT change state
No XSS vulnerabilities
Double submit cookie in requests that change state

It is your responsibility as a developer to not have GET requests change state. In addition to malicious attackers, spiders for most search engine will follow GET links, but not other requests, so if you have a GET link that changes state, then a search engine spider can blinding start altering your application state.

Right now, the application isn't vulnerable to cross-site scripting (XSS) because no input from one user is viewable by another user, but we'll cover X-S-S protections when we get to the chat.

Using a unique token for each form is the current standard for protecting forms in web frameworks including DJango, Ruby on Rails, and Phoenix.

CSRF Token in Forms


<h3>Registration</h3>
<%= form_for @changeset, registration_path(@conn, :create), fn f -> %>


<form accept-charset="UTF-8" action="/registration" method="post">
    <input name="_csrf_token" type="hidden" value="e3JoLCxfDyBXFHYaNVgjOwEeQx4uNgAA000tv4wt1p1bv4wOMVtHiQ==">

CSRF Token Verification

`_csrf_token` (param) == `_csrf_token` (session)

The CSRF token is verified by comparing the token submitted in the request with the token storied in the session.

The CSRF token in the session can be trusted even when stored in a cookie (as is the default) because the cookie is signed and encrypted so that the user cannot tamper with it.

Each GET request for a form included a new CSRF token and modifies the session cookie so it has that same CSRF token in it. The reason an attacker cannot read the the form to recover the CSRF token a resubmit with the updated cookie due to the same origin policy.

Same Origin Policy

RFC 6454

Protocol
Host
Port

Web browsers ensure that requests from one page to another are only allowed if the protocol, host, and port match.

This prevents resources from the http version of a site accessing the secure https version of a site; google.com accessing your bank's site; and two internal apps running on different ports on your companies intranet from accessing each other.

Without same origin, CSRF couldn't be prevented with storing the token in both a resource the form and the cookie because the attacker could read the form, fill it in (with the hidden CSRF token) and the browser would send along the cookies on the attacker's behalf.

Overview

Bidirectional communications from clients
Transported over Websockets or Long Polling
Browser, Android, and iOS clients
Distributed over PubSub layer between Phoenix nodes

Pages Template


<div id="messages" class="container"></div>
<div id="footer">
  <div class="container">
    <div class="row">
      <div class="col-sm-12">
        <label for="message-input">Your Message:</label>
        <textarea id="message-input" class="form-control">
        </textarea>
      </div>
    </div>
  </div>
</div>

jQuery

package.json


{
  "dependencies": {
    "jquery": "~2.1"
  }
}

brunch-config.js


exports.config = {
  plugins: {
    babel: {
      // Do not use ES6 compiler in vendor code
      ignore: [/web\/static\/vendor/, /node_modules\/jquery/]
    }
  },
};

`socket.js`


import {Socket} from "deps/phoenix/web/static/js/phoenix"
import $ from "jquery"

let socket = new Socket("/socket")
let socketToken = $("meta[name='socket_token']").attr("content")

if (socketToken !== undefined) {
  socket.connect({token: socketToken})

  // Now that you are connected, you can join the lobby
  let channel = socket.channel("rooms:lobby", {})

  let messageInput = $("#message-input")

  messageInput.on("keypress", event => {
    if (event.keyCode === 13) {
      channel.push("new_message", {body: messageInput.val()})
      messageInput.val("")
    }
  })

  let messagesContainer = $("#messages")

  channel.on("new_message", payload => {
    messagesContainer.append(
      `
        ${Date()}
        ${payload.user.name}
        ${payload.body}
       `
    )
  })

  channel.join()
}

export default socket

mix phoenix dot new (mix phoenix.new) generates a socket dot J-S (socket.js) that is disabled by default. We'll not fill it in for our chat.

We'll get a socket_token from a meta tag because channels aren't tied to HTTP-based transports, so we can't depend on headers being sent and cookies are headers.

rooms colon lobby (rooms:lobby) is an example channel from mix phoenix dot new (mix phoenix.new).

The chat interface waits for the user to press enter, which sends the message to the server. The server then broadcasts that message to all the users in rooms colon lobby and they add the message to the chat log.

`socket_token` `meta` tag


<!DOCTYPE html>
<html lang="en">
  <head>
  <%= case @conn.assigns[:current_user] do %>
  <%    nil -> %>
  <%    current_user -> %>
    <%= tag :meta,
            content: Phoenix.Token.sign(@conn, "user", {current_user.id, current_user.socket_token}),
            name: "socket_token" %>
  <% end %>
  </head>
</html>

So, to make socket.js work we need to make socket underscore token available in a metatag, which we do by adding it to the layout.

This has to be protected if a user isn't logged in since the layout is used on login and registration pages.

To generate the actual token, we use Phoenix dot Token dot sign (Phoenix.Token.sign), passing user ("user") as the salt, which must be know on the sending and receiving side and both the user ID and the user's socket token, which hasn't been defined yet in the User model.

The socket token is used along with the id, so that the socket token can be changed if the user account is compromised and it will invalidate the signed tokens embedded in any open pages.

If just the user id is used, then there's no way to invalidate the signed token besides having the token expired as the sign function embeds the signing time, but if you can't easily make the expiration time for one user's token be earlier.

Adding `socket_token` to `users`


defmodule RoutingSecurelyWithPhoenixFramework.Repo.Migrations.AddChannelTokenToUser do
  use Ecto.Migration

  def down do
    alter table(:users) do
      remove :socket_token
    end
  end

  def up do
    alter table(:users) do
      # add socket_token as null because it needs to be populated first
      add :socket_token, :string, null: true
    end

    # populate with secure random value using same algorithm as `mix phoenix.gen.secret`
    execute "CREATE EXTENSION IF NOT EXISTS pgcrypto"
    execute "UPDATE users SET socket_token = encode(gen_random_bytes(64), 'base64') WHERE socket_token IS NULL"

    alter table(:users) do
      modify :socket_token, :string, null: false
    end
  end
end

Adding `socket_token` to `User` schema


defmodule RoutingSecurelyWithPhoenixFramework.User do
  schema "users" do
    field :socket_token, :string
  end
end

Generating secrets on registration


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationController do
  def create(conn, %{"user" => user_params}) do
    changeset = User.changeset(%User{}, user_params)

    if changeset.valid? do
      full_changeset = User.full_changeset(changeset)

      case Repo.insert(full_changeset) do
        {:ok, user} ->
          conn
          |> put_flash(:info, "Successfully registered and logged in")
          |> put_session(:current_user_id, user.id)
          |> redirect(to: page_path(conn, :index))
        {:error, changeset} ->
          render conn, "new.html", changeset: changeset
      end
    else
      render conn, "new.html", changeset: changeset
    end
  end
end

`User.full_changeset/1`


defmodule RoutingSecurelyWithPhoenixFramework.User do
  @socket_token_length 64

  @doc """
  Fills `changeset` with generated columns.
  """
  def full_changeset(changeset) do
    changeset
    |> generate_password
    |> generate_socket_token
  end

  @doc """
  Generates a channel token for the user changeset.
  """
  def generate_socket_token(changeset) do
    put_change(changeset, :socket_token, generate_secret(@socket_token_length))
  end

  # Private Functions

  @doc """
  Generates a random secret string of the given `length`
  """
  defp generate_secret(length) do
    :crypto.strong_rand_bytes(length) |> Base.encode64 |> binary_part(0, length)
  end
end

`UserSocket.connect/2`


defmodule RoutingSecurelyWithPhoenixFramework.UserSocket do
  @seconds_per_minute 60
  @minutes_per_hour 60
  @hours_per_day 24
  @days_per_week 7
  @token_max_age 2 * @days_per_week * @hours_per_day * @minutes_per_hour *
                 @seconds_per_minute

  def connect(%{"token" => token}, socket) do
    case Phoenix.Token.verify(socket, "user", token, max_age: @token_max_age) do
      {:ok, {id, socket_token}} ->
        connect_user_id_and_socket_token(socket, id, socket_token)
      {:error, reason} ->
        :error
    end
  end

  defp connect_user(socket, user) do
    socket = assign(socket, :user_id, user.id)
    {:ok, socket}
  end

  defp connect_user_id_and_socket_token(socket, id, socket_token) do
    user = Repo.get_by!(User, id: id, socket_token: socket_token)
    connect_user socket, user
  end
end

I'm having the token expire every 2 just to demonstrate how to do that and because the Phoenix guides use it as an example.

Phoenix dot Token dot verify (Phoenix.Token.verify) only verifies the token is signed correctly and not expired, but that's not enough if a user's account has been compromised and needed a credentials recent in the interim since the token was signed.

To verify the token represents the user's current credentials, we use Repo dot get by bang (Repo.get_by!), which will raise an exception and kill the socket attempt if the id and socket_token don't BOTH match. This will exclude deleted users too.

We store th user ID instead of the User Struct directly so we don't have to worry about it becoming stale.

`UserSocket.id/1`


defmodule RoutingSecurelyWithPhoenixFramework.UserSocket do
  @doc """
  Group all sockets for a given user together so they can be disconnected.

  # Disconnecting a compromised user

      iex> RoutingSecurelyWithPhoenixFramework.Endpoint.broadcast("user_sockets:" <> user_id, "disconnect", %{})
  """
  def id(socket) do
    "user_sockets:#{socket.assigns.user_id}"
  end
end

`RoomChannel`


defmodule RoutingSecurelyWithPhoenixFramework.RoomChannel do
  use RoutingSecurelyWithPhoenixFramework.Web, :channel

  def join("rooms:lobby", _payload, socket) do
    {:ok, socket}
  end

  @doc """
  Get user from `socket` before handling event.
  """
  def handle_in(event, params, socket) do
    user = Repo.get! User, socket.assigns.user_id
    handle_in(event, params, user, socket)
  end

  @doc """
  Broadcast a message from one user to all users (including the originating user)
  """
  def handle_in("new_message", %{"body" => body}, user, socket) do
    broadcast! socket,
               "new_message",
               %{
                  body: body,
                  user: %{
                    name: user.name
                  }
               }
    {:noreply, socket}
  end
end

Demo

XSS

Overview
Proof-of-Concept
Prevention
Escaping Location
Escaping Channel Messages
Demo

XSS

Cross-Site Scripting

Chuck posts a message containing <script> tag
Kronic Deth views message and script executes in his browser
Chuck can now act as Kronic Deth

There are two general categories of cross-site scripting attacks persistent and non-persistent. The attack launched in the demo is non-persistent only because the server doesn't currently record the chat messages.

In the demo Chuck was able to post as Kronic Deth using Kronic Deth's socket_token from the meta tag, but Chuck's script could have just as easily entered data directly into the message input or read Kronic Deth's cookie and sent it to Chuck, which would allow Chuck to login directly as Kronic Deth.

Proof-of-Concept


<script>
  $ = require("jquery");
  userName = $("nav span.label-info").text().trim();
  
  if (userName !== "Chuck") {
    socketToken = $('meta[name="socket_token"]').attr("content");
    
    phoenix = require("deps/phoenix/web/static/js/phoenix");
    socket = new phoenix.Socket("/socket");
    socket.connect({ token: socketToken});
    channel = socket.channel("rooms:lobby", {});
    channel.join().receive("ok", function (response) {
      channel.push("new_message", { body: "Message sent by Chuck's XSS" });
    });
  }
</script>

XSS Prevention

Never Insert Untrusted Data
Escaping untrusted data must be tuned to the insertion environment
Don't write your own escaping library

Escaping Location

Client-side
- Clients can tune escaping to insertion point
- Each client has to do the escaping
Server-side
- Server escapes once and all clients can use data directly
- Don't have to worry about clients forgetting to escape
- Server has to assume insert point type on all clients

We could escape the messages either client-side using javascript before appending or we could escape on the server before broadcasting the message.

I prefer escaping on the server because it's less to do on the clients and it prevents the chance of forgetting to escape the message before it's shown to new clients, such as if messages start to be persisted and shown back to users.

Decisions on when to escape must be re-evaluated when untrusted data is used in a new location.

Escaping Channel Messages


defmodule RoutingSecurelyWithPhoenixFramework.RoomChannel do
  @doc """
  Broadcast a message from one user to all users (including the originating user)
  """
  def handle_in("new_message", %{"body" => body}, user, socket) do
    broadcast! socket,
               "new_message",
               %{
                  body: Plug.HTML.html_escape(body),
                  user: %{
                    name: Plug.HTML.html_escape(user.name)
                  }
               }
    {:noreply, socket}
  end
end

So, all we had to do was use Phoenix dot HTML dot escape (Phoenix.HTML.escape) on the message body before broadcasting it to prevent the proof-of-concept's attack.

But, a similar problem could occur with the user name, so we'll also escape that.

We use Plug dot HTML dot html underscore escape (Plug.HTML.html_escape) instead of Phoenix dot HTML dot html underscore escape (Phoenix.HTML.html_escape) because the one from Phoenix return a tuple of the atom safe (:safe and the escaped string to work with the safe vs raw strings systems used in E-E-X html templates.

Demo

Compromise Recovery

Remote Shell
Evict Attacker
Secure Victim
Invalidating Sessions
Authenticate (Review)
Authentication Tokens
Add session_token to users
Adding session_token to User schema
Authenticate with revocation
RegistrationController.create
SessionController.sign_in
Summary

Remote Shell

Run server on a named node with a known cookie

iex --cookie $COOKIE --name server@$HOST -S mix phoenix.server

Connect with remote shell

iex --cookie $COOKIE --hidden --name console@$HOST --remsh server@$HOST

Evict Attacker using Remote Shell

Setup some aliases


alias RoutingSecurelyWithPhoenixFramework.Endpoint
alias RoutingSecurelyWithPhoenixFramework.Repo
alias RoutingSecurelyWithPhoenixFramework.User

Delete attacker's account


user = Repo.get_by!(User, name: "Chuck")
Repo.delete!(user)

Disconnect attacker's sockets


Endpoint.broadcast("user_sockets:#{user.id}", "disconnect", %{})

Secure Victim using Remote Shell

Reset Password


user = Repo.get_by!(User, name: "Kronic Deth")
changeset = User.changeset user,
                           %{
                             "password" => new_password,
                             "password_confirmation" => new_password
                           }

Reset Socket Token


full_changeset = User.full_changeset(changeset)
Repo.update!(full_changeset)

Disconnect Kronic Deth's active sockets


Endpoint.broadcast("user_sockets:#{user.id}", "disconnect", %{})

But, remember, Chuck's Proof-of-Concept exploit grabbed Kronic Deth's socket token, so Kronic Deth needs a new. Additionally, the XSS could have grabbed Kronic Deth's cookie and we just didn't know about it, so we want to reset Kronic Deth's password too.

So, Kronic Deth's account would be safe now, right?

No, because we just reset his password, not his sessions, so either if either Kronic Deth or Chuck has Kronic Deth's cookie, they can just refresh the page and get the new socket token now!

Invalidating Sessions

Reset Kronic Deth's session
Reset secret_key_base

We need to either invalidate a single user's sessions or invalidate all sessions by changing secret key base. In the event of a real breach using code like Chuck posted, which would hit all users in a given channel, it would be best to invalidate everyone's session because you might not be able to track down whose credentials were and were not compromised

But, let's say you can prove only a small group of users were affected. How woudl we do that with the current Authenticate plug?

Authenticate (Review)


defmodule RoutingSecurelyWithPhoenixFramework.Plug.Authenticate
  defp assign_current_user(conn = %Plug.Conn{}) do
    assign_current_user(conn, Plug.Conn.get_session(conn, :current_user_id))
  end
  defp assign_current_user(conn, id) when is_integer(id) do
    assign_current_user(conn, Repo.get(User, id))
  end
  defp assign_current_user(conn, user = %User{}) do
    Plug.Conn.assign(conn, :current_user, user)
  end
  defp assign_current_user(conn, _), do: redirect_to_sign_in(conn)

  defp redirect_to_sign_in(conn) do
    conn
    |> Phoenix.Controller.put_flash(
         :error,
         'You need to be signed in to view this page'
       )
    |> Phoenix.Controller.redirect(to: session_path(conn, :new))
    |> Plug.Conn.halt
  end
end

Authentication Tokens

Tamper evident
Expire
Revocable by server

To summarize we want authentication tokens to be tamper evident, which they already are due to signing; expire which they do because they include the time...

[Hit enter for fragment] ... but, they must also contain an field that is updatable by the server that can be checked for correctness allowing for revocation.

The user socket token (socket_token) being embedded in the signed socket token metatag allows for it to be revoked, but there is no equivalent field in the session.

Add `session_token` to `users`


defmodule RoutingSecurelyWithPhoenixFramework.Repo.Migrations.AddSessionTokenToUser do
  use Ecto.Migration

  def down do
    alter table(:users) do
      remove :session_token
    end
  end

  def up do
    alter table(:users) do
      # add session_token as null because it needs to be populated first
      add :session_token, :string, null: true
    end

    # populate with secure random value using same algorithm as `mix phoenix.gen.secret`
    execute "CREATE EXTENSION IF NOT EXISTS pgcrypto"
    execute "UPDATE users SET session_token = encode(gen_random_bytes(64), 'base64') WHERE session_token IS NULL"

    alter table(:users) do
      modify :session_token, :string, null: false
    end
  end
end

Adding `session_token` to `User` schema


defmodule RoutingSecurelyWithPhoenixFramework.User do
  schema "users" do
    field :session_token, :string
  end
end

`User.full_changeset/1`


defmodule RoutingSecurelyWithPhoenixFramework.User do
  @token_length 64

  @doc """
  Fills `changeset` with generated columns.
  """
  def full_changeset(changeset) do
    changeset
    |> generate_password
    |> generate_token(:session)
    |> generate_token(:socket)
  end

  @doc """
  Generates a token to allow `type` credentials to be revoked.
  """
  def generate_token(changeset, type) do
    put_change(changeset, :"#{type}_token", generate_secret(@token_length))
  end
end

`Authenticate` with revocation


defmodule RoutingSecurelyWithPhoenixFramework.Plug.Authenticate do
  @doc """
  Stores `user` in session so that `call` can retrieve it.
  """
  def put_session(conn, user) do
    conn
    |> Plug.Conn.put_session(:current_user_id, user.id)
    |> Plug.Conn.put_session(:current_user_session_token, user.session_token)
  end

  # Private Functions

  defp assign_current_user(conn = %Plug.Conn{}) do
    assign_current_user conn,
                        Plug.Conn.get_session(conn, :current_user_id),
                        Plug.Conn.get_session(conn, :current_user_session_token)
  end

  defp assign_current_user(conn, id, session_token)
       when is_integer(id) and is_binary(session_token) do
    assign_current_user conn,
                        Repo.get_by(User, id: id, session_token: session_token)
  end
  defp assign_current_user(conn, _, _), do: redirect_to_sign_in(conn)

  defp assign_current_user(conn, user = %User{}) do
    Plug.Conn.assign(conn, :current_user, user)
  end
  defp assign_current_user(conn, _), do: redirect_to_sign_in(conn)
end

`RegistrationController.create`


defmodule RoutingSecurelyWithPhoenixFramework.RegistrationController do
  def create(conn, %{"user" => user_params}) do
    changeset = User.changeset(%User{}, user_params)

    if changeset.valid? do
      full_changeset = User.full_changeset(changeset)

      case Repo.insert(full_changeset) do
        {:ok, user} ->
          conn
          |> put_flash(:info, "Successfully registered and logged in")
          |> Authenticate.put_session(user)
          |> redirect(to: page_path(conn, :index))
        {:error, changeset} ->
          render conn, "new.html", changeset: changeset
      end
    else
      render conn, "new.html", changeset: changeset
    end
  end
end

`SessionController.sign_in`


defmodule RoutingSecurelyWithPhoenixFramework.SessionController do
  defp sign_in(user, password, conn) when is_map(user) do
    if Comeonin.Bcrypt.checkpw(password, user.password_hash) do
      conn
      |> put_flash(:info, "You are now signed in.")
      |> Authenticate.put_session(user)
      |> redirect(to: page_path(conn, :index))
    else
      conn
      |> put_flash(:error, @sign_in_error)
      |> render "new.html", changeset: User.changeset(%User{})
    end
  end
end

Compromise Recovery

Ensure authentication tokens are revocable
Delete attacker account
Remove attackers from system
Reset victim accounts
Force accounts to log back in

Vulnerability	Protection
Database password being disclosed from Github search	`config/*.secret.exs`
Cookie `secret_key_base` being disclosed from Github search	`config/*.secret.exs`
Password being sniffed on the network	TLS
Cookies being sniffed on the network	TLS
CSRF in HTML forms	`form_for` adds hidden `_csrf_token` input
XSS in HTML views	`Phoenix.HTML` does escaping for `*.html.eex`
XSS in channel messages	`Plug.Conn.html_escape` explicitly
Session can't be revoked	Store token in session and check against database in authentication plug
Socket access can't be revoked	Store token in signed-token and check against database in `connect/2`
Socket access can't be revoked until new websocket connection	Non-`nil` `id/1` and `Endpoint.broadcast(id, "disconnect", %{})`

Austin Elixir

Routing Securely with Phoenix Framework

This Presentation

Outline

Installation

Node

Installing Mix Archives

New Project

mix phoenix.new Options

mix phoenix.new

Fetch and Install Dependencies

Fetching and Install Dependencies for Clone

Run your application

Configuration

Default Configuration

Remove shared secret_key_base

Secret configuration for each environment

Generating new secret_key_base

Generating database password

Dev Secrets

Test Secrets

Create PostgreSQL Users

Create the database

TLS

Overview

Certificate Authority Key

Self-Signing Certificate Authority

Self-Signing Certificate Authority Distinguished Name

Viewing your self-signed certificate

openssl x509 -in certificate-authority.crt -noout -text

Server Key

Server Certificate Signing Request

Server Certificate Signing Request Distinguished Name

Signing Server Certificate Request

Trust Self-Signed Certificate Authority

OSX

Fully Qualified Domain Setup

TLS Configuration

TLS dev Configuration

TLS prod Configuration

TLS test Configuration

Testing TLS connection

Authentication

Authentication Providers

Don't store passwords if you don't have

User model

User Migration

User Schema

User Changeset

User password hashing

User Registration Routes

User Registration Controller

User Registration Controller new

User View

User new Template

User Registration Controller create

Page Routes

Page Controller Authentication

Authenticate Plug

Session Routes

Session Controller

Session Controller new

Session View

Session new Template

Session Controller create

Session Status

Session Controller delete

CSRF

CSRF

Cross-Site Request Forgery

False CSRF Protections

CSRF Protections

CSRF Token in Forms

CSRF Token Verification

_csrf_token (param) == _csrf_token (session)

Same Origin Policy

RFC 6454

Channels

Overview

Pages Template

`mix phoenix.new` Options

`mix phoenix.new`

Remove shared `secret_key_base`

Generating new `secret_key_base`

`openssl x509 -in certificate-authority.crt -noout -text`

TLS `dev` Configuration

TLS `prod` Configuration

TLS `test` Configuration

`User` model

User Registration Controller `new`

User `new` Template

User Registration Controller `create`

Session Controller `new`

Session `new` Template

Session Controller `create`

Session Controller `delete`

`_csrf_token` (param) == `_csrf_token` (session)

`socket.js`

`socket_token` `meta` tag

Adding `socket_token` to `users`

Adding `socket_token` to `User` schema

`User.full_changeset/1`

`UserSocket.connect/2`

`UserSocket.id/1`

`RoomChannel`

Add `session_token` to `users`

Adding `session_token` to `User` schema

`User.full_changeset/1`

`Authenticate` with revocation

`RegistrationController.create`

`SessionController.sign_in`