The excess query deletion logic is incorrect and can lead to tokens being deleted erroneously.
Issue
ntfy only allows 20 access tokens to be created per user. Since access tokens are also used by the browser session, excess tokens (> 20) are deleted when the 21st token is created. This excess deletion logic is meant to only delete tokens from the user creating the 21st token. Instead, it accidentally deleted all tokens of all other users, thereby logging everyone out of their ntfy web app sessions, and deleting all other access tokens.
This was a denial-of-service-type security issue, since it effectively allowed a single user to deny access to all other users of an ntfy instance. Please note that while tokens were erroneously deleted, nobody but the token owner ever had access to them.
Details
Original delete query:

```sql
DELETE FROM user_token
WHERE (user_id, token) NOT IN (
    SELECT user_id, token
    FROM user_token
    WHERE user_id = ?
    ORDER BY expires DESC LIMIT ?
)
```
Fixed query:

```sql
DELETE FROM user_token
WHERE user_id = ?
AND (user_id, token) NOT IN (
    SELECT user_id, token
    FROM user_token
    WHERE user_id = ?
    ORDER BY expires DESC LIMIT ?
)
```
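The following is an added example, not code from the advisory or from ntfy itself: it runs both queries against a constructed in-memory SQLite table to show why the original deletes every other user's tokens and the fixed one does not. The table schema, user names and token counts are assumptions made for the demonstration; only the column names come from the queries above.

```python
import sqlite3
MAX_TOKENS = 20  # per-user token limit stated in the advisory
# Minimal stand-in for ntfy's user_token table (constructed for this example;
# only the columns the two queries reference are modelled).
SCHEMA = """CREATE TABLE user_token (
    user_id TEXT NOT NULL, token TEXT NOT NULL, expires INTEGER NOT NULL,
    PRIMARY KEY (user_id, token));"""

# Original query: the outer DELETE has no user_id filter, so every row outside
# the acting user's newest tokens is removed, other users' tokens included.
ORIGINAL_DELETE = """DELETE FROM user_token
WHERE (user_id, token) NOT IN (
    SELECT user_id, token FROM user_token WHERE user_id = ?
    ORDER BY expires DESC LIMIT ?)"""

# Fixed query: the added "WHERE user_id = ?" scopes the deletion to one user.
FIXED_DELETE = """DELETE FROM user_token
WHERE user_id = ? AND (user_id, token) NOT IN (
    SELECT user_id, token FROM user_token WHERE user_id = ?
    ORDER BY expires DESC LIMIT ?)"""

def token_counts_after(query, params, tokens_per_user):
    """Seed a fresh in-memory DB with constructed tokens (higher index = newer),
    run the pruning query with `params`, and return tokens left per user."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user, n in tokens_per_user.items():
        conn.executemany("INSERT INTO user_token VALUES (?, ?, ?)",
                         [(user, f"{user}-tok{i}", 1000 + i) for i in range(n)])
    conn.execute(query, params)
    left = {u: 0 for u in tokens_per_user}
    left.update(conn.execute(
        "SELECT user_id, COUNT(*) FROM user_token GROUP BY user_id").fetchall())
    conn.close()
    return left

def prune_original(acting_user, tokens_per_user):
    """Excess-token pruning as the vulnerable query does it."""
    return token_counts_after(ORIGINAL_DELETE, (acting_user, MAX_TOKENS), tokens_per_user)

def prune_fixed(acting_user, tokens_per_user):
    """Excess-token pruning as the fixed query does it."""
    return token_counts_after(FIXED_DELETE, (acting_user, acting_user, MAX_TOKENS),
                              tokens_per_user)

if __name__ == "__main__":
    users = {"alice": MAX_TOKENS + 1, "bob": 5, "carol": 3}  # alice creates her 21st token
    print("original:", prune_original("alice", users))  # bob and carol lose everything
    print("fixed:   ", prune_fixed("alice", users))     # only alice's oldest token goes
```

Row-value `IN` requires SQLite 3.15 or newer, which every current Python build ships with.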
What to do
If you run a multi-user public system, please update your instances to ntfy v2.7.0