Flarum security roadmap
This post lists many possible improvements for Flarum regarding authentication and security. Not having them does not represent a security risk, but these would be "nice to have". As we are currently focused on getting Flarum to stable, this list serves as a reminder for both us developers and you users.
If you would like to contribute to Flarum by implementing one of those features, please check with us first to see whether we already started anything, and you can then proceed by submitting a PR.
This is a living document. It will be updated when features are implemented or new suggestions are made.
✅ = things done
API Keys
API Keys are master API tokens that can be used to perform an action as any user.
They live in the api_keys database table and have to be inserted manually at the moment.
When a user_id is defined, the API Key can only be used to authenticate as that user.
- ✅ Document feature in Flarum documentation
- Provide UI to consult tokens
- Provide UI or command to create keys
- Provide UI or command to revoke keys
- Implement or drop allowed_ips property
- Implement or drop scopes property
Access Tokens
Access Tokens are tokens that belong to a user and are used in two ways: they can be used as API tokens, and they power the "remember me" feature.
Remember me tokens are currently created with a lifetime of 5 years and can't be revoked.
- ✅ API endpoint for creating tokens
- ✅ Expired tokens (last activity + lifetime value) deleted by CollectGarbage
- ✅ Document feature in Flarum documentation
- API endpoint for revoking tokens
- Revoke remember me token when logging out
- Limit max possible lifetime of tokens. Currently, tokens can be created for any lifetime via the API
- (Extension candidate) Provide UI for users to manage tokens
Cookie Session
Cookie sessions are how Flarum authenticates users of the web app.
Flarum is using the Symfony session library and supports multiple drivers. It's using the file driver by default.
- ✅ Expired sessions deleted by CollectGarbage
- Customizable session lifetime (Default can currently be overwritten via extend.php)
- Customizable session driver (can probably be changed via extend.php at the moment)
- Ability to see other active sessions
- Ability to terminate a remote active session or all sessions
Password reset - Password Tokens
Password reset is handled via password tokens, saved in the password_tokens table (RequestPasswordResetHandler, SavePasswordController).
- ✅ Tokens deleted after 24h by CollectGarbage
- Rate limiting
- Delete password tokens when the password is changed (currently only the used token is deleted)
- Validate the password according to the same password rules as registration (currently: no rules at all)
- Delete password tokens after email change
- Remove the unknown-user error and move all logic into a job that can be run in a queue (prevents a timing leak), so that the existence of an email address is not leaked on private forums (it is still leaked through the registration form on public forums)
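As an added illustration of the password-token items above (not Flarum's own code): a reset flow that answers identically whether or not the email exists and defers the user lookup to a queued job, rate-limits requests per address, applies a minimum password length at reset (an assumed rule, since the post notes none exist yet), expires tokens after 24h, and deletes all of a user's tokens once one is used. The tables, rules and function names are constructed stand-ins.

```python
import hashlib, secrets, time
from collections import defaultdict

TOKEN_TTL = 24 * 3600           # post: tokens deleted after 24h
MIN_PASSWORD_LEN = 8            # assumed rule; the post notes there are none yet

# Constructed in-memory stand-ins for the users and password_tokens tables.
users = {"alice@example.org": {"id": 1, "password": None}}
password_tokens = {}            # sha256(token) -> {"user_id", "created_at"}
queue = []                      # jobs handed to a worker, off the request path
recent_requests = defaultdict(list)  # email -> timestamps, for rate limiting

def request_reset(email, now, limit=3, window=3600):
    """Request handler: same reply and same work whether or not the email exists."""
    recent_requests[email] = [t for t in recent_requests[email] if now - t < window]
    if len(recent_requests[email]) < limit:
        recent_requests[email].append(now)
        queue.append(("send_reset", email, now))   # user lookup happens in the job
    return "If that address is registered, a reset email has been sent."

def run_reset_job(email, now):
    """Queue worker: the only place that learns whether the user exists."""
    user = users.get(email)
    if user is None:
        return None                 # silently skip; nothing reaches the client
    raw = secrets.token_urlsafe(32) # secret that goes into the email
    digest = hashlib.sha256(raw.encode()).hexdigest()
    password_tokens[digest] = {"user_id": user["id"], "created_at": now}
    return raw

def complete_reset(raw_token, new_password, now):
    """Consume a token: check expiry, apply password rules, revoke all tokens."""
    rec = password_tokens.get(hashlib.sha256(raw_token.encode()).hexdigest())
    if rec is None or now - rec["created_at"] > TOKEN_TTL:
        raise ValueError("invalid or expired token")
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError("password does not meet the registration rules")
    uid = rec["user_id"]
    salt = secrets.token_bytes(16)
    for user in users.values():
        if user["id"] == uid:
            user["password"] = (salt, hashlib.pbkdf2_hmac(
                "sha256", new_password.encode(), salt, 200_000))
    # Delete every outstanding token for this user, not only the one just used.
    for digest in [d for d, v in password_tokens.items() if v["user_id"] == uid]:
        del password_tokens[digest]
    return uid
```

Only the hash of a token is stored, so a database read does not yield a usable reset link; the raw value exists only in the email.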
Email change requests - Email Tokens
Changing email is handled via email tokens, saved in the email_tokens table (EmailConfirmationMailer and ConfirmEmailHandler).
- ✅ Tokens deleted after 24h by CollectGarbage
- ✅ Tokens deleted after successful email change
- Rate limiting
- Delete email tokens after password reset
Account confirmation
Account validation after creating a new account (SendConfirmationEmailController).
It uses email tokens, with only the sending part being different.
OAuth registration - Registration Tokens
OAuth registration is handled via registration tokens, saved in the registration_tokens table.
- ✅ Tokens deleted after 24h by CollectGarbage
Other session things
- Global logout to clear cookie sessions and all access tokens, email tokens and password reset tokens
CSRF
CSRF stands for Cross-Site Request Forgery; CSRF protection prevents malicious third-party websites from making requests on your behalf while you're logged in via cookies.
CSP
CSP stands for Content Security Policy. Flarum does not implement CSP headers, nor does it need to. But it currently makes it impractical for site owners to set one up.
eval is used to run the JavaScript in post content; this is currently needed for code block formatting. We should remove as much inline JavaScript as possible and try to eliminate eval completely.
If you have any suggestions, feel free to leave them below or, better, start a new discussion under Feedback (check whether one already exists). We will try to keep non-bug-related discussions on Discuss in order to not fill up the GitHub tracker with features we might or might not eventually implement.
If you discover a security vulnerability within Flarum, please send us an email so we can address it promptly. See https://github.com/flarum/core/security/policy