Broken Authentication in Feathersjs with Jwt Tokens
Broken Authentication in Feathersjs with Jwt Tokens — how this specific combination creates or exposes the vulnerability
FeathersJS is a framework for real-time applications that commonly uses JWT tokens for stateless authentication. A broken authentication pattern specific to this combination arises when token creation, validation, or storage is misconfigured, allowing an attacker to bypass identity checks or impersonate users. Common root causes include weak token signing keys, missing or incorrect token verification middleware, and improper handling of token payloads.
For example, if the JWT secret is weak or hardcoded, an attacker can brute-force or guess the secret and forge valid tokens. In FeathersJS, this can happen when the auth configuration uses a predictable string instead of a strong, environment-derived secret. A forged token can then be used to authenticate as any user without valid credentials.
Another scenario involves missing or misordered middleware. FeathersJS allows custom authentication hooks; if the JWT verification hook is placed after a hook that assumes user identity, unauthenticated requests may be incorrectly treated as authenticated. This misordering can lead to unauthorized access to services that rely on authenticated user data.
Additionally, tokens with excessive claims or without proper audience/issuer validation can be accepted across services unintentionally. If a FeathersJS service validates a JWT but does not verify the iss (issuer) or aud (audience), an attacker could reuse a token issued by a different service or client. Insufficient token expiration (e.g., long-lived tokens) further increases the window for token theft abuse.
Runtime exposure can also occur if authentication errors reveal whether a user exists, aiding user enumeration. If a FeathersJS authentication hook returns distinct error messages for missing users versus invalid tokens, attackers can iteratively guess valid usernames or emails. Lack of rate limiting on authentication endpoints further enables credential or token brute-force attempts.
Broken authentication in this context is not limited to initial login; it extends to token refresh, revocation, and scope handling. Without proper checks, an attacker who obtains a token may retain access well beyond intended lifetimes or escalate privileges by manipulating token scopes that FeathersJS does not strictly enforce.
Jwt Tokens-Specific Remediation in Feathersjs — concrete code fixes
Remediation centers on correct JWT configuration, strict verification, and secure token lifecycle management within FeathersJS. Use strong, dynamically generated secrets, enforce token validation parameters, and ensure middleware ordering is correct.
Secure JWT setup and secret management
Store the JWT secret in environment variables and use a cryptographically strong value. Avoid hardcoded secrets in configuration files.
// src/default.json (development template — never commit secrets)
{
"authentication": {
"secret": "${JWT_SECRET}"
}
}
Ensure the runtime environment provides JWT_SECRET. Example using dotenv:
// server.js
require('dotenv').config();
const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const app = express(feathers());
app.configure(express.rest());
app.configure(express.socketio());
// Authentication configuration with a strong secret from environment
app.configure({
authentication: {
secret: process.env.JWT_SECRET,
entity: 'user',
service: 'users',
strategy: 'jwt'
}
});
Strict JWT verification and validation
Explicitly set issuer and audience checks to prevent token reuse across services. Use the jwt strategy options to enforce these.
app.configure({
authentication: {
secret: process.env.JWT_SECRET,
entity: 'user',
service: 'users',
strategy: 'jwt',
jwt: {
algorithms: ['HS256'],
audience: 'https://api.myapp.com',
issuer: 'https://auth.myapp.com',
clockTolerance: 60
}
}
});
Ensure the JWT verification middleware is ordered before any hook that relies on authenticated user data. In a typical FeathersJS service configuration, this is handled by calling app.configure(authentication) before service definitions.
Token payload and scope hygiene
Limit the claims stored in the JWT to a minimal set (e.g., user ID and role). Avoid embedding sensitive data, as JWTs are often base64-encoded and not confidential.
// Example of a minimal payload issued by an authentication strategy
{
sub: 'usr_12345',
scope: 'read write',
role: 'authenticated',
aud: 'https://api.myapp.com',
iss: 'https://auth.myapp.com',
iat: 1718000000,
exp: 1718003600
}
Implement token revocation strategies using a denylist (e.g., stored in a fast cache) and check relevant identifiers (jti, sub, exp) on each request where feasible. Combine short token lifetimes with refresh tokens stored securely.
Operational best practices
- Enforce HTTPS in production to protect tokens in transit.
- Apply rate limiting on authentication endpoints to mitigate brute-force and token-guessing attacks.
- Use consistent, non-enumerating error messages in authentication responses to avoid user enumeration.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |