
v0.3.2 (Latest)

@aswinshenoy released this 27 Dec 07:48

The JWT Authentication Extension had a critical vulnerability: user authentication state persisted across requests because Strawberry can reuse the same extension instance for more than one request. The effect is cross-request session leakage. A request that carried no credentials could inherit the authentication state left behind by a previously authenticated user and be processed as that user.

Issue:

  • The extension stored authentication state (user ID, tokens, etc.) as attributes on the extension instance, initialized once in __init__
  • Strawberry can reuse a single extension instance across different requests
  • State written during one request was therefore still present at the start of the next, effectively sharing a session between different users

Fix:

  • Introduced a dedicated _init_request_state() method to reset all state variables
  • Removed state initialization from __init__ since the extension instance might be reused
  • Added explicit state reset at the beginning of each request in on_request_start()
  • Updated documentation to explain the state management approach

This ensures each request starts with a fresh authentication state, preventing any session leakage between requests while maintaining the original functionality of the extension.
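The following is an added example, not code from this project or from Strawberry, that reproduces the leak and the fix described above in a form that runs offline. `SchemaExtension`, `ExecutionContext` and `Request` are minimal stand-ins for the Strawberry objects of the same role, the token-to-user table is constructed, and `run_requests` simulates the one behaviour that matters here: a single extension instance being handed several requests in turn. The "leaky" variant only overwrites the stored user when a valid token is present, which is the pattern that lets an anonymous request inherit the previous identity.

```python
"""Cross-request state leakage in a reused extension instance, and the fix.

Added example, not the project's code. SchemaExtension, ExecutionContext and
Request are stand-ins for the Strawberry objects (assumption: real Strawberry
sets execution_context on the extension before each request). VALID_TOKENS
is a constructed table standing in for real JWT verification.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed lookup table: opaque token -> user id (no real JWT parsing).
VALID_TOKENS = {"token-alice": "alice", "token-bob": "bob"}


@dataclass
class Request:
    headers: dict


@dataclass
class ExecutionContext:
    request: Request
    context: dict = field(default_factory=dict)  # per-request scratch space


class SchemaExtension:
    """Stand-in for strawberry.extensions.SchemaExtension (assumption)."""

    def __init__(self, *, execution_context: Optional[ExecutionContext] = None):
        self.execution_context = execution_context

    def on_request_start(self) -> None:
        pass

    def on_request_end(self) -> None:
        pass


def _user_from_headers(headers: dict) -> Optional[str]:
    """Resolve 'Authorization: Bearer <token>' to a user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return VALID_TOKENS.get(auth[len("Bearer "):])


class LeakyJWTExtension(SchemaExtension):
    """Before the fix: state lives on the instance and is set once in __init__."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.user_id: Optional[str] = None  # survives across reused requests

    def on_request_start(self) -> None:
        user = _user_from_headers(self.execution_context.request.headers)
        if user is not None:  # only overwritten on a successful login
            self.user_id = user
        # An anonymous request now sees whatever the last request left here.
        self.execution_context.context["user_id"] = self.user_id


class FixedJWTExtension(SchemaExtension):
    """After the fix: every field is reset at the start of each request."""

    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        # Deliberately no per-request state here: the instance may be reused.

    def _init_request_state(self) -> None:
        """Reset all per-request state (the approach described in the fix)."""
        self.user_id: Optional[str] = None
        self.token: Optional[str] = None

    def on_request_start(self) -> None:
        self._init_request_state()
        headers = self.execution_context.request.headers
        auth = headers.get("Authorization", "")
        self.token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        self.user_id = _user_from_headers(headers)
        self.execution_context.context["user_id"] = self.user_id


def run_requests(ext: SchemaExtension, header_list: list) -> list:
    """Feed ONE extension instance a series of requests, as a reused instance
    would see them, and return the user id each request was resolved to."""
    resolved = []
    for headers in header_list:
        ext.execution_context = ExecutionContext(Request(headers))
        ext.on_request_start()
        resolved.append(ext.execution_context.context["user_id"])
        ext.on_request_end()
    return resolved


# Constructed traffic: alice logs in, then an anonymous request (e.g. a
# different browser), then bob, then a request with an invalid token.
REQUESTS = [
    {"Authorization": "Bearer token-alice"},
    {},
    {"Authorization": "Bearer token-bob"},
    {"Authorization": "Bearer bogus"},
]

if __name__ == "__main__":
    print("leaky:", run_requests(LeakyJWTExtension(), REQUESTS))
    print("fixed:", run_requests(FixedJWTExtension(), REQUESTS))
```

With a reused instance the leaky variant resolves the anonymous and invalid-token requests to the previous user (alice, then bob), which is exactly the inherited-session behaviour the release describes; the fixed variant resolves both to no user. The reset-at-start approach works, but it only holds as long as every new state attribute is added to `_init_request_state()` as well. Keeping per-request data on the per-request execution context instead of on the extension instance, as the example does for the resolved `user_id`, removes that maintenance burden entirely.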

Testing:

  • Verified that authentication state is properly isolated between requests
  • Confirmed that switching between different browsers/incognito modes requires proper authentication
  • Validated that existing token refresh and validation logic continues to work as expected

This fix is compatible with Strawberry GraphQL >0.243.0 and maintains backward compatibility with existing usage patterns.