Broken Authentication in Chi with Jwt Tokens
Broken Authentication in Chi with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Chi is a pragmatic, functional-first web framework for Clojure, and JWTs are commonly used for stateless session management. When authentication logic is implemented incorrectly in Chi routes, JWTs can become a vector for Broken Authentication. This occurs when token validation is inconsistent, overly permissive, or missing entirely, allowing an attacker to bypass identity checks.
One common pattern is decoding a JWT without verifying its signature or audience. For example, if a developer uses a library to extract claims but does not validate the signing algorithm, an attacker can supply a token with alg: none or a public key as the secret. In Chi, this might manifest as a route that decodes the token but skips verification when a header flag is present:
(ns myapp.auth
(:require [cheshire.core :as json]
[buddy.sign.jwt :as jwt]))
(defn verify-token [token]
;; Vulnerable: no algorithm enforcement, no audience/issuer checks
(try
(jwt/unsign token "insecure-default-key")
(catch Exception _ nil)))
(defn public-route [request]
(let [token (get-in request [:headers "authorization"])
claims (verify-token (subs token 7))]
(if claims
{:status 200 :body (str "Hello " (:sub claims))}
{:status 401 :body "Unauthorized"})))Another issue is storing sensitive data in JWT payloads without encryption. JWTs are often base64-encoded, not encrypted; placing secrets (roles, permissions) in the payload exposes them if the token is intercepted. In Chi applications, developers might assume JWTs are confidential, leading to information disclosure when tokens are logged or leaked via referrer headers.
Additionally, missing or weak token binding enables BOLA (Broken Object Level Authorization) when JWTs contain predictable identifiers (e.g., user IDs) but lack proper authorization checks on each request. A Chi handler that trusts :sub without validating scope or re-checking permissions against a data store can allow horizontal privilege escalation. For example:
(defn user-profile [request]
(let [token-claims (jwt/unsign (subs (:authorization request) 7) "static-key")
requested-id (get-in request [:path-params :id])
user-id (:sub token-claims)]
;; BOLA risk: no check that user-id matches requested-id
{:status 200 :body (fetch-user-profile requested-id)}))These patterns illustrate how Broken Authentication in Chi with JWTs arises from missing validation, weak cryptography, and over-trust of token contents. The framework does not enforce security; it is up to the developer to implement robust token handling.
Jwt Tokens-Specific Remediation in Chi — concrete code fixes
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |