security: fix O(n) timing attack in findByToken #52

Open

Charon wants to merge 1 commit from feat/fix-token-timing-attack into dev

pull from: feat/fix-token-timing-attack

merge into: core:dev

core:dev

core:feat/test-workspace-controller

core:feat/workspace-ownership-transfer

core:feat/ide-helper-annotations

core:feat/test-namespace-service

core:feat/artisan-provision-command

core:feat/workspace-activity-audit-log

core:feat/bulk-workspace-invitations

core:feat/openapi-docs

core:feat/add-infection-mutation-testing

core:feat/fix-readme-namespaces

core:feat/test-entitlement-webhook-service

core:feat/invitation-and-role-improvements

core:feat/workspace-lazy-loading

core:feat/invitation-soft-deletes

core:feat/totp-edge-case-tests

core:feat/standardise-error-responses

core:feat/entitlement-exception-hierarchy

core:feat/consolidate-user-relationships-v2

core:feat/clarify-workspace-scope-architecture

core:feat/validate-invitation-token-format

core:feat/constrain-feature-code-fk

core:feat/fix-usage-race-condition

core:feat/add-workspace-role-index

core:feat/add-phpstan-larastan

core:feat/complete-user-stats-stubs

core:feat/fix-namespace-n-plus-1

core:feat/fix-parent-feature-cascade

core:feat/namespace-cascade-delete

core:feat/pin-core-dependency

core:feat/remove-hardcoded-domain

core:feat/test-workspace-team-service

core:feat/workspace-return-types

core:main

Conversation 0 Commits 1 Files changed 3 +85 -23

Charon commented 2026-03-24 13:06:23 +00:00

Member

Copy link

Summary

Fixes #9 — eliminates O(n) timing attack surface in WorkspaceInvitation::findByToken.

• Adds a token_hash column (SHA-256 of the raw token) to workspace_invitations for O(1) indexed SQL lookup
• Rewrites findByToken() and findPendingByToken() to query by token_hash first, then verify with Hash::check() (single bcrypt call instead of up to 1000)
• Adds updating model event so re-invites also populate token_hash
• Updates HashInvitationTokens command to backfill token_hash for existing rows
• Includes migration for the new nullable indexed column

Security

The previous implementation loaded up to 1000 invitation records and ran Hash::check() (bcrypt, ~100ms each) sequentially against each. This created:

1. Timing attack — response time leaked how many records were scanned before a match
2. DoS vector — a single request could force ~100 seconds of CPU-bound bcrypt work

The fix uses SHA-256 for fast candidate lookup (non-sensitive, just an index key) and bcrypt only once for final verification.

Test plan

• Existing WorkspaceInvitationTest tests pass (findByToken, findPendingByToken, acceptInvitation, verify token)
• Run migration on dev database
• Verify new invitations populate both token and token_hash columns
• Verify re-invite flow updates token_hash when token is regenerated

🤖 Generated with Claude Code

## Summary Fixes #9 — eliminates O(n) timing attack surface in `WorkspaceInvitation::findByToken`. - Adds a `token_hash` column (SHA-256 of the raw token) to `workspace_invitations` for O(1) indexed SQL lookup - Rewrites `findByToken()` and `findPendingByToken()` to query by `token_hash` first, then verify with `Hash::check()` (single bcrypt call instead of up to 1000) - Adds `updating` model event so re-invites also populate `token_hash` - Updates `HashInvitationTokens` command to backfill `token_hash` for existing rows - Includes migration for the new nullable indexed column ## Security The previous implementation loaded up to 1000 invitation records and ran `Hash::check()` (bcrypt, ~100ms each) sequentially against each. This created: 1. **Timing attack** — response time leaked how many records were scanned before a match 2. **DoS vector** — a single request could force ~100 seconds of CPU-bound bcrypt work The fix uses SHA-256 for fast candidate lookup (non-sensitive, just an index key) and bcrypt only once for final verification. ## Test plan - [ ] Existing `WorkspaceInvitationTest` tests pass (findByToken, findPendingByToken, acceptInvitation, verify token) - [ ] Run migration on dev database - [ ] Verify new invitations populate both `token` and `token_hash` columns - [ ] Verify re-invite flow updates `token_hash` when token is regenerated 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Charon added 1 commit 2026-03-24 13:06:23 +00:00

security: fix O(n) timing attack in findByToken (#9) ... dede803632

Add a SHA-256 token_hash lookup column to workspace_invitations so that
findByToken and findPendingByToken can locate the candidate row with a
single indexed SQL query instead of loading up to 1000 rows and running
bcrypt against each one sequentially.

The bcrypt hash in the token column is still verified after the O(1)
lookup, preserving the existing security guarantee while eliminating
both the timing side-channel and the performance bottleneck.

Changes:
- Migration to add nullable indexed token_hash column
- Model booted() creating/updating events compute SHA-256 alongside bcrypt
- findByToken/findPendingByToken rewritten to WHERE token_hash then Hash::check
- HashInvitationTokens command updated to populate token_hash for existing rows

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feat/fix-token-timing-attack:feat/fix-token-timing-attack

git checkout feat/fix-token-timing-attack

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout dev

git merge --no-ff feat/fix-token-timing-attack

git checkout feat/fix-token-timing-attack

git rebase dev

git checkout dev

git merge --ff-only feat/fix-token-timing-attack

git checkout feat/fix-token-timing-attack

git rebase dev

git checkout dev

git merge --no-ff feat/fix-token-timing-attack

git checkout dev

git merge --squash feat/fix-token-timing-attack

git checkout dev

git merge --ff-only feat/fix-token-timing-attack

git checkout dev

git merge feat/fix-token-timing-attack

git push origin dev

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

P1

Priority 1 - Critical

  

P2

Priority 2 - Important

  

P3

Priority 3 - Nice to have

  

PHP

PHP codebase

  

agent-ready

  

bug

Bug fix

  

clotho

Assigned to Clotho AI agent

  

discovery

Auto-discovered by agent

  

docs

Documentation

  

epic

  

refactor

Code quality refactoring

  

review

Needs human review

  

security

Security hardening

  

testing

Test coverage

  

athena

Assign to Athena AI agent (M3 Ultra)

  

athena-gemini

Dispatch to Gemini CLI on M3 Ultra

  

audit

Code audit task

  

clotho

Assign to Clotho AI agent for processing

  

clotho-gemini

Dispatch to Gemini CLI on darbs (AU)

  

codex

Dispatch to Codex CLI on gateway for analysis

  

darbs-claude

Dispatch to Claude on darbs (AU)

  

security

Security review task

  

wiki

Documentation/wiki update

No labels

P1

P2

P3

PHP

agent-ready

bug

clotho

discovery

docs

epic

refactor

review

security

testing

athena

athena-gemini

audit

clotho

clotho-gemini

codex

darbs-claude

security

wiki

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: core/php-tenant#52

No description provided.