Skip to content

Harden session_id so it isn't reconstructable by a co-tenant #29

Description

@ianpatrickhines

Surfaced by independent review of PR #25 (#12). Non-blocking; filed as follow-up.

Problem

src/lambdas/shared/session_state.pymake_session_id returns a deterministic transform of the caller's identity:

f"v1:{len(nation_slug)}:{nation_slug}#{user_id}"

Both user_id and nation_slug appear in every authenticated request (and in logs). A user within the same nation who observes a colleague's user_id can reconstruct that colleague's session_id and attempt to call filter_authorized_confirmations against it — a narrow cross-user confirmation-hijack window (requires co-tenancy + observing user_id + timing between record_pending_confirmation and consume_confirmation).

Severity is low given the per-nation co-tenant trust model, but it's real.

Acceptance Criteria

  • session_id includes a cryptographically random, server-held component (per-session nonce minted at login) OR is derived as HMAC(secret, f"{user_id}:{nation_slug}") so it cannot be reconstructed from observable identity values
  • A caller who knows another user's user_id/nation_slug cannot derive their session_id
  • Existing confirmation/undo flows still pass

Source: PR #25 review. Relates to epic #18.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions