Auth Bypass in Fastapi with Jwt Tokens
Auth Bypass in Fastapi with Jwt Tokens — how this specific combination creates or exposes the vulnerability
FastAPI with JWT tokens can permit an authentication bypass when token validation is incomplete or when endpoints are improperly guarded. Common patterns that lead to bypass include missing dependency enforcement, accepting tokens from untrusted sources, failing to verify signatures or audiences, and using optional dependencies where required validation is expected.
Consider an endpoint that does not require authentication because the dependency returns an empty user when the token is absent or malformed:
from fastapi import FastAPI, Depends, HTTPException
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import jwt
app = FastAPI()
security = HTTPBearer()
def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
if credentials is None:
return None # Bypass: no rejection, no error
try:
payload = jwt.decode(credentials.credentials, "secret", algorithms=["HS256"])
return payload.get("sub")
except jwt.InvalidTokenError:
return None # Bypass: invalid token treated as unauthenticated, not rejected
@app.get("/profile")
def profile(user_id: str = Depends(get_current_user)):
if user_id is None:
return {"message": "public"}
return {"user": user_id}
In this setup, an attacker can omit the Authorization header entirely and reach the endpoint with a public response, effectively bypassing authentication. Even if a token is required, using HS256 with a weak secret or no secret allows an attacker to forge tokens. If the API also exposes unauthenticated routes that internally call authenticated dependencies with incorrect defaults, authorization logic may be conflated with authentication checks, enabling horizontal or vertical privilege escalation.
Another bypass vector involves accepting tokens in multiple locations (query parameters, headers, cookies) without consistent validation. For example, reading a token from a cookie while only enforcing the header dependency on certain routes can create an implicit bypass path:
from fastapi import Request
import jwt
def get_user_from_cookie(request: Request):
token = request.cookies.get("access_token")
if token:
try:
return jwt.decode(token, "secret", algorithms=["HS256"])
except jwt.InvalidTokenError:
return None
return None
@app.get("/data")
def get_data(user=Depends(get_user_from_cookie)):
if user:
return {"data": "sensitive"}
return {"data": "public"}
Here, an attacker can supply a valid-looking token via cookie even if the client is expected to use the Authorization header, bypassing intended transport-layer enforcement. If token validation skips audience (aud) or issuer (iss) checks, tokens issued for other services may be accepted, compounding the bypass risk.
Additionally, failing to enforce token revocation or relying solely on expiration without a denylist enables bypass via stolen but not yet expired tokens. Inadequate error handling that leaks stack traces or silently swallows exceptions can also mislead developers into believing authentication is enforced when it is not. These patterns illustrate how FastAPI with JWT tokens can expose authentication bypass when dependency wiring, token validation rigor, and routing guards are not consistently strict.
Jwt Tokens-Specific Remediation in Fastapi — concrete code fixes
Remediation centers on strict token validation, required dependencies, and consistent enforcement across endpoints. Always verify the signature, issuer, audience, and expiration. Use required dependencies that raise HTTP exceptions on failure, and avoid returning None for invalid tokens.
Use HTTPBearer with require=True to ensure every request includes credentials, and validate tokens rigorously:
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import jwt
from jwt import PyJWTError
app = FastAPI()
security = HTTPBearer()
SECRET = "your-strong-secret"
ALGORITHM = "HS256"
AUDIENCE = "myapi"
ISSUER = "auth.example.com"
def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
try:
payload = jwt.decode(
credentials.credentials,
SECRET,
algorithms=[ALGORITHM],
audience=AUDIENCE,
issuer=ISSUER,
)
user_id = payload.get("sub")
if user_id is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid token claims",
headers={"WWW-Authenticate": "Bearer"},
)
return user_id
except PyJWTError as e:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=f"Invalid token: {e}",
headers={"WWW-Authenticate": "Bearer"},
)
@app.get("/profile")
def profile(user_id: str = Depends(get_current_user)):
return {"user": user_id}
This ensures that missing or malformed tokens result in 401 responses. To mitigate token replay or theft, incorporate short expirations and a revocation strategy; maintain a denylist in a fast store and check it in the dependency when necessary:
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import jwt
from jwt import PyJWTError
app = FastAPI()
security = HTTPBearer()
SECRET = "your-strong-secret"
ALGORITHM = "HS256"
# Example denylist; use a shared cache in production
denylist = set()
def is_token_revoked(jti: str) -> bool:
return jti in denylist
def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)):
try:
payload = jwt.decode(credentials.credentials, SECRET, algorithms=[ALGORITHM])
jti = payload.get("jti")
if jti and is_token_revoked(jti):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token revoked",
headers={"WWW-Authenticate": "Bearer"},
)
return payload.get("sub")
except PyJWTError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid token",
headers={"WWW-Authenticate": "Bearer"},
)
@app.get("/data")
def get_data(user_id: str = Depends(get_current_user)):
return {"data": "protected"}
For multi-service environments, validate issuer and audience to prevent acceptance of tokens intended for other systems. Enforce HTTPS in production by preferring secure cookie transport or strict header usage, and avoid mixing token sources (e.g., query parameters) unless explicitly required and validated. Consistent dependency usage across all protected routes ensures authentication bypass risks are minimized.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |