| 1 | +# API Tokens of deleted users not invalidated |
| 2 | + |
| 3 | +--- |
| 4 | + |
| 5 | +## Summary |
| 6 | + |
| 7 | +Coder identified an issue in [https://github.com/coder/coder](https://github.com/coder/coder) where API tokens belonging to a deleted user were not invalidated. A deleted user in possession of a valid and non-expired API token is still able to use the above token with their full suite of capabilities. |
| 8 | + |
| 9 | +## Impact: HIGH |
| 10 | + |
| 11 | +If exploited, an attacker could perform any action that the deleted user was authorized to perform. |
| 12 | + |
| 13 | +## Exploitability: HIGH |
| 14 | + |
| 15 | +The CLI writes the API key to `~/.coderv2/session` by default, so any deleted user who previously logged in via the Coder CLI has the potential to exploit this. Note that there is a time window for exploitation; API tokens have a maximum lifetime after which they are no longer valid. |
| 16 | + |
| 17 | +The issue only affects users who were active (not suspended) at the time they were deleted. Users who were first suspended and later deleted cannot exploit this issue. |
| 18 | + |
| 19 | +## Affected Versions |
| 20 | + |
| 21 | +All versions of Coder between v0.8.15 and v0.22.2 (inclusive) are affected. |
| 22 | + |
| 23 | +All customers are advised to upgrade to [v0.23.0](https://github.com/coder/coder/releases/tag/v0.23.0) as soon as possible. |
| 24 | + |
| 25 | +## Details |
| 26 | + |
| 27 | +Coder incorrectly failed to invalidate API keys belonging to a user when they were deleted. When authenticating a user via their API key, Coder incorrectly failed to check whether the API key corresponds to a deleted user. |
| 28 | + |
| 29 | +## Indications of Compromise |
| 30 | + |
| 31 | +> 💡 Automated remediation steps in the upgrade purge all affected API keys. Either perform the following query before upgrade or run it on a backup of your database from before the upgrade. |
| 32 | +
|
| 33 | +Execute the following SQL query: |
| 34 | + |
| 35 | +```sql |
| 36 | +SELECT |
| 37 | + users.email, |
| 38 | + users.updated_at, |
| 39 | + api_keys.id, |
| 40 | + api_keys.last_used |
| 41 | +FROM |
| 42 | + users |
| 43 | +LEFT JOIN |
| 44 | + api_keys |
| 45 | +ON |
| 46 | + api_keys.user_id = users.id |
| 47 | +WHERE |
| 48 | + users.deleted |
| 49 | +AND |
| 50 | + api_keys.last_used > users.updated_at |
| 51 | +; |
| 52 | +``` |
| 53 | + |
| 54 | +If the output is similar to the below, then you are not affected: |
| 55 | + |
| 56 | +```sql |
| 57 | +----- |
| 58 | +(0 rows) |
| 59 | +``` |
| 60 | + |
| 61 | +Otherwise, the following information will be reported: |
| 62 | + |
| 63 | +- User email |
| 64 | +- Time the user was last modified (i.e. deleted) |
| 65 | +- User API key ID |
| 66 | +- Time the affected API key was last used |
| 67 | + |
| 68 | +> 💡 If your license includes the [Audit Logs](https://coder.com/docs/v2/latest/admin/audit-logs#filtering-logs) feature, you can then query all actions performed by the above users by using the filter `email:$USER_EMAIL`. |
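Review bot: The detection query under "Indications of Compromise" (lines 36-51 of the file) uses a `LEFT JOIN` but then filters on `api_keys.last_used > users.updated_at` in the `WHERE` clause, which drops every deleted user without a matching key and makes the join behave as an `INNER JOIN`; write it as `INNER JOIN api_keys ON api_keys.user_id = users.id` so the intent is explicit. The comparison also assumes `users.updated_at` is the deletion timestamp (as line 64 states, "i.e. deleted"); any later write to the user row after deletion would move that baseline forward and hide key usage that occurred in between, so the text should state that assumption, and the "0 rows" sample output is query output rather than SQL and would read better in an untagged fence.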