Checklist

• This is a bug report, not a question.
• I have searched on the issue tracker for my bug.
• I am running the latest FileBrowser version or have an issue updating.

Version

All

Description

@mtausig's report:

The usage of the session token can be improved:

• JWT are not suitable to be used as a session token and should be replaced by a random identifier stored by the application
• Storage and transmission of the tokens are also strange. They are stored in the browser's cookie jar and in the local storage and furthermore transmitted multiple times with many requests (Once as a Cookie, once via the X-Auth header). While this is not directly vulnerable, it introduces unnecessary complexity that can easily lead to errors in the future
• The same Refresh Token can be renewed at /api/renew multiple times. This should only work a single time per token.

And the following:

• GHSA-7xwp-2cpp-p8r7

Tasks

• Replace JWT session token by a random identifier stored in the database
• Replace Refresh Token by non-JWT random identifier stored in the database
• Front-end fetches user information via another means that is not the JWT
• Upon logout, invalidate identifier
• Upon renewal, invalidate identifier
• Automatically remove expired session/refresh tokens from database based on expiry
• Do not use different ways to transmit authentication token