feat: add token prefixes to session and logout tokens (ory#3132)

This feature adds token prefixes to Ory session and logout tokens:

* `ory_st_`: Ory session token prefix
* `ory_lt_`: Logout token prefix

.github/workflows/ci.yaml

@@ -53,7 +53,7 @@ jobs:
     steps:
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v22.1.3 start-single-node --insecure
+            cockroachdb/cockroach:v22.2.6 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - run: |
@@ -145,7 +145,7 @@ jobs:
           node-version: 16
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v20.2.5 start-single-node --insecure
+            cockroachdb/cockroach:v22.2.6 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - uses: browser-actions/setup-chrome@latest

persistence/sql/migratest/fixtures/session/068f6bb6-d15f-436d-94f7-b3fd0489c9ef.json

@@ -0,0 +1,44 @@
+{
+  "id": "068f6bb6-d15f-436d-94f7-b3fd0489c9ef",
+  "active": false,
+  "expires_at": "2013-10-07T08:23:19Z",
+  "authenticated_at": "2013-10-07T08:23:19Z",
+  "authenticator_assurance_level": "aal2",
+  "authentication_methods": [
+    {
+      "method": "password",
+      "aal": "",
+      "completed_at": "0001-01-01T00:00:00Z"
+    },
+    {
+      "method": "totp",
+      "aal": "",
+      "completed_at": "0001-01-01T00:00:00Z"
+    }
+  ],
+  "issued_at": "2013-10-07T08:23:19Z",
+  "identity": {
+    "id": "5ff66179-c240-4703-b0d8-494592cefff5",
+    "schema_id": "default",
+    "schema_url": "https://www.ory.sh/schemas/ZGVmYXVsdA",
+    "state": "active",
+    "traits": {
+      "email": "[email protected]"
+    },
+    "verifiable_addresses": [
+      {
+        "id": "45e867e9-2745-4f16-8dd4-84334a252b61",
+        "value": "[email protected]",
+        "verified": false,
+        "via": "email",
+        "status": "pending",
+        "created_at": "2013-10-07T08:23:19Z",
+        "updated_at": "2013-10-07T08:23:19Z"
+      }
+    ],
+    "metadata_public": null,
+    "created_at": "2013-10-07T08:23:19Z",
+    "updated_at": "2013-10-07T08:23:19Z"
+  },
+  "devices": []
+}

persistence/sql/migratest/migration_test.go

@@ -88,7 +88,7 @@ func TestMigrations(t *testing.T) {
 				connections["mysql"] = dockertest.ConnectToTestMySQLPop(t)
 			},
 			func() {
-				connections["cockroach"] = dockertest.ConnectToTestCockroachDBPop(t)
+				connections["cockroach"] = dockertest.ConnectPop(t, dockertest.RunTestCockroachDBWithVersion(t, "v22.2.6"))
 			},
 		})
 	}

persistence/sql/migratest/testdata/20230313141439_testdata.sql

@@ -0,0 +1,6 @@
+INSERT INTO sessions (id, nid, issued_at, expires_at, authenticated_at, created_at, updated_at, token, identity_id,
+                      active, logout_token, aal, authentication_methods)
+VALUES ('068f6bb6-d15f-436d-94f7-b3fd0489c9ef', '884f556e-eb3a-4b9f-bee3-11345642c6c0', '2013-10-07 08:23:19',
+        '2013-10-07 08:23:19', '2013-10-07 08:23:19', '2013-10-07 08:23:19', '2013-10-07 08:23:19',
+        'ory_lo_5e5aad0f7a4143452df3d23733a68e3', '5ff66179-c240-4703-b0d8-494592cefff5', true, 'ory_st_5e5aad0f7a4143452df3d23733a68e2', 'aal2',
+        '[{"method":"password"},{"method":"totp"}]');

persistence/sql/migrations/sql/20230313141439000000_session_token_length.cockroach.down.sql

@@ -0,0 +1,5 @@
+-- Downsizing is not yet supported in CockroachDB. Since this migration has no real-world impact on the application, we can safely
+-- not execute it.
+--
+-- ALTER TABLE sessions ALTER COLUMN token TYPE varchar(32);
+-- ALTER TABLE sessions ALTER COLUMN logout_token TYPE varchar(32);

persistence/sql/migrations/sql/20230313141439000000_session_token_length.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sessions ALTER COLUMN token TYPE varchar(32);
+ALTER TABLE sessions ALTER COLUMN logout_token TYPE varchar(32);

persistence/sql/migrations/sql/20230313141439000000_session_token_length.mysql.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sessions MODIFY COLUMN token varchar(32) NULL;
+ALTER TABLE sessions MODIFY COLUMN logout_token varchar(32) NULL;

persistence/sql/migrations/sql/20230313141439000000_session_token_length.mysql.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sessions MODIFY COLUMN token varchar(39) NULL;
+ALTER TABLE sessions MODIFY COLUMN logout_token varchar(39) NULL;

persistence/sql/migrations/sql/20230313141439000000_session_token_length.sqlite3.down.sql

@@ -0,0 +1,29 @@
+DROP INDEX sessions_token_uq_idx;
+DROP INDEX sessions_logout_token_uq_idx;
+DROP INDEX sessions_token_nid_idx;
+
+ALTER TABLE sessions RENAME COLUMN token TO old_token;
+ALTER TABLE sessions RENAME COLUMN logout_token TO old_logout_token;
+
+ALTER TABLE sessions
+  ADD COLUMN token varchar(32) NULL;
+ALTER TABLE sessions
+  ADD COLUMN logout_token varchar(32) NULL;
+
+UPDATE sessions
+SET token = old_token
+WHERE true;
+
+UPDATE sessions
+SET logout_token = old_logout_token
+WHERE true;
+
+ALTER TABLE sessions
+  DROP COLUMN old_token;
+
+ALTER TABLE sessions
+  DROP COLUMN old_logout_token;
+
+CREATE UNIQUE INDEX sessions_token_uq_idx ON sessions (logout_token);
+CREATE UNIQUE INDEX sessions_logout_token_uq_idx ON sessions (token);
+CREATE INDEX sessions_token_nid_idx ON sessions (nid, token);

persistence/sql/migrations/sql/20230313141439000000_session_token_length.sqlite3.up.sql

@@ -0,0 +1,27 @@
+DROP INDEX sessions_token_uq_idx;
+DROP INDEX sessions_logout_token_uq_idx;
+DROP INDEX sessions_token_nid_idx;
+
+ALTER TABLE sessions RENAME COLUMN token TO old_token;
+ALTER TABLE sessions RENAME COLUMN logout_token TO old_logout_token;
+ALTER TABLE sessions
+  ADD COLUMN token varchar(39) NULL;
+ALTER TABLE sessions
+  ADD COLUMN logout_token varchar(39) NULL;
+
+UPDATE sessions
+SET token = old_token
+WHERE true;
+
+UPDATE sessions
+SET logout_token = old_logout_token
+WHERE true;
+
+ALTER TABLE sessions
+  DROP COLUMN old_token;
+ALTER TABLE sessions
+  DROP COLUMN old_logout_token;
+
+CREATE UNIQUE INDEX sessions_token_uq_idx ON sessions (logout_token);
+CREATE UNIQUE INDEX sessions_logout_token_uq_idx ON sessions (token);
+CREATE INDEX sessions_token_nid_idx ON sessions (nid, token);

persistence/sql/migrations/sql/20230313141439000000_session_token_length.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE sessions ALTER COLUMN token TYPE varchar(39);
+ALTER TABLE sessions ALTER COLUMN logout_token TYPE varchar(39);

persistence/sql/migrations/sql/20230313141439000001_session_token_length.down.sql

@@ -0,0 +1,2 @@
+UPDATE sessions SET token = LEFT(token, 32) WHERE TRUE;
+UPDATE sessions SET logout_token = LEFT(logout_token, 32) WHERE TRUE;

persistence/sql/migrations/sql/20230313141439000001_session_token_length.sqlite3.down.sql

@@ -0,0 +1,2 @@
+UPDATE sessions SET token = substr(token, 0, 32) WHERE TRUE;
+UPDATE sessions SET logout_token = substr(logout_token, 0, 32) WHERE TRUE;

persistence/sql/migrations/sql/20230313141439000001_session_token_length.up.sql

@@ -0,0 +1 @@
+--

quickstart-crdb.yml

@@ -10,7 +10,7 @@ services:
       - DSN=cockroach://root@cockroachd:26257/defaultdb?sslmode=disable&max_conns=20&max_idle_conns=4
 
   cockroachd:
-    image: cockroachdb/cockroach:v21.2.4
+    image: cockroachdb/cockroach:v22.2.6
     ports:
       - "26257:26257"
     command: start-single-node --insecure

script/testenv.sh

@@ -3,7 +3,7 @@
 docker rm -f kratos_test_database_mysql kratos_test_database_postgres kratos_test_database_cockroach kratos_test_hydra || true
 docker run --platform linux/amd64 --name kratos_test_database_mysql -p 3444:3306 -e MYSQL_ROOT_PASSWORD=secret -d mysql:8.0.23
 docker run --platform linux/amd64 --name kratos_test_database_postgres -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=postgres -d postgres:11.8 postgres -c log_statement=all
-docker run --platform linux/amd64 --name kratos_test_database_cockroach -p 3446:26257 -p 3447:8080 -d cockroachdb/cockroach:v21.2.6 start-single-node --insecure
+docker run --platform linux/amd64 --name kratos_test_database_cockroach -p 3446:26257 -p 3447:8080 -d cockroachdb/cockroach:v22.2.6 start-single-node --insecure
 docker run --platform linux/amd64 --name kratos_test_hydra -p 4444:4444 -p 4445:4445 -d -e DSN=memory -e URLS_SELF_ISSUER=http://localhost:4444/ -e URLS_LOGIN=http://localhost:4446/login -e URLS_CONSENT=http://localhost:4446/consent oryd/hydra:v2.0.2 serve all --dev
 
 source script/test-envs.sh

session/session.go

@@ -12,6 +12,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/ory/kratos/x"
+
 	"github.com/ory/x/httpx"
 	"github.com/ory/x/pagination/keysetpagination"
 	"github.com/ory/x/stringsx"
@@ -214,8 +216,8 @@ func NewActiveSession(r *http.Request, i *identity.Identity, c lifespanProvider,
 func NewInactiveSession() *Session {
 	return &Session{
 		ID:                          uuid.Nil,
-		Token:                       randx.MustString(32, randx.AlphaNum),
-		LogoutToken:                 randx.MustString(32, randx.AlphaNum),
+		Token:                       x.OrySessionToken + randx.MustString(32, randx.AlphaNum),
+		LogoutToken:                 x.OryLogoutToken + randx.MustString(32, randx.AlphaNum),
 		Active:                      false,
 		AuthenticatorAssuranceLevel: identity.NoAuthenticatorAssuranceLevel,
 	}

test/e2e/run.sh

@@ -79,7 +79,7 @@ prepare() {
     docker rm -f kratos_test_database_mysql kratos_test_database_postgres kratos_test_database_cockroach || true
     docker run --platform linux/amd64 --name kratos_test_database_mysql -p 3444:3306 -e MYSQL_ROOT_PASSWORD=secret -d mysql:5.7
     docker run --name kratos_test_database_postgres -p 3445:5432 -e POSTGRES_PASSWORD=secret -e POSTGRES_DB=postgres -d postgres:9.6 postgres -c log_statement=all
-    docker run --name kratos_test_database_cockroach -p 3446:26257 -d cockroachdb/cockroach:v20.2.4 start-single-node --insecure
+    docker run --name kratos_test_database_cockroach -p 3446:26257 -d cockroachdb/cockroach:v22.2.6 start-single-node --insecure
 
     export TEST_DATABASE_MYSQL="mysql://root:secret@(localhost:3444)/mysql?parseTime=true&multiStatements=true"
     export TEST_DATABASE_POSTGRESQL="postgres://postgres:secret@localhost:3445/postgres?sslmode=disable"

x/token_prefixes.go

@@ -0,0 +1,7 @@
+// Copyright © 2023 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package x
+
+const OrySessionToken = "ory_st_"
+const OryLogoutToken = "ory_lo_"