Broken Authentication in Nestjs with Hmac Signatures

Broken Authentication in a NestJS API that uses Hmac Signatures typically arises when the implementation does not consistently validate the signature or when the signature is computed over insufficient or mutable data. Hmac Signatures are designed to prove integrity and authenticity: the client computes a hash-based message authentication code over selected parts of the request using a shared secret, and the server recomputes it and compares the values. A vulnerability occurs when the comparison is missing, performed incorrectly, or when the signed payload can be altered without detection.

Consider a NestJS controller that accepts a JSON payload and an X-Signature header. If the server computes the Hmac over only a subset of fields (e.g., only the username) but the client signs a larger structure (e.g., username + timestamp + action), an attacker can modify the unsigned parts (such as the action or additional metadata) without invalidating the signature. This is a common misconfiguration that leads to Broken Authentication, enabling privilege escalation or unauthorized actions.

Another frequent pattern in NestJS is using the raw body stream to compute the Hmac. If the body is consumed by a previous middleware for logging or validation before the authentication middleware runs, the server will compute the Hmac over a different byte sequence than the client, causing a mismatch or, worse, leading the developer to disable strict validation to avoid false negatives. This effectively neutralizes the integrity guarantee of Hmac Signatures.

In practice, an attacker can exploit these issues to perform BOLA/IDOR by tampering with identifiers in the payload, or to escalate privileges by changing role flags that are not covered by the signature. Because the NestJS application appears to enforce Hmac-based authentication, the attack surface is larger than a missing authentication check: it gives a false sense of security while allowing tampering of critical parameters.

Real-world attack patterns such as parameter manipulation and replay can occur when timestamps or nonces are not validated alongside the Hmac. Even with a strong algorithm like sha256, if the comparison is not performed in constant time, timing attacks can leak information about the signature, aiding an attacker in bypassing authentication. Therefore, the combination of NestJS flexibility and Hmac Signatures requires precise alignment on what is signed, how the body is handled, and how the comparison is implemented.

To remediate Broken Authentication when using Hmac Signatures in NestJS, ensure that the server computes the Hmac over the exact byte sequence sent by the client and that the comparison is performed securely. Below is a complete, syntactically correct example that demonstrates a robust approach using an interceptor and a guard.

import { Injectable, NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
import { Observable } from 'rxjs';
import { createHmac } from 'crypto';

interface HmacContext {
  timestamp: string;
  signature: string;
}

@Injectable()
export class HmacValidationInterceptor implements NestInterceptor {
  private readonly sharedSecret: string;

  constructor() {
    // In production, load this from a secure secret manager or env vars
    this.sharedSecret = process.env.HMAC_SHARED_SECRET || 'dev-secret-change-in-prod';
  }

  async intercept(context: ExecutionContext, next: CallHandler): Observable {
    const request = context.switchToHttp().getRequest();
    const timestamp = request.headers['x-timestamp'] as string;
    const receivedSignature = request.headers['x-signature'] as string;

    if (!timestamp || !receivedSignature) {
      throw new Error('Missing Hmac headers');
    }

    // Ensure the body is a Buffer/raw payload used for signing
    const body = request.body;
    // Include critical fields and the timestamp to prevent replay
    const payload = JSON.stringify({
      timestamp,
      path: request.path,
      method: request.method,
      body,
    });

    const computed = createHmac('sha256', this.sharedSecret).update(payload).digest('hex');

    // Constant-time comparison to mitigate timing attacks
    const isValid = this.safeCompare(computed, receivedSignature);
    if (!isValid) {
      throw new Error('Invalid Hmac signature');
    }

    // Optional: reject stale requests to mitigate replay
    const requestTime = new Date(timestamp).getTime();
    const now = Date.now();
    const windowMs = 5 * 60 * 1000; // 5 minutes
    if (Math.abs(now - requestTime) > windowMs) {
      throw new Error('Request timestamp outside allowed window');
    }

    return next.handle();
  }

  private safeCompare(a: string, b: string): boolean {
    if (a.length !== b.length) {
      return false;
    }
    let result = 0;
    for (let i = 0; i < a.length; i++) {
      result |= a.charCodeAt(i) ^ b.charCodeAt(i);
    }
    return result === 0;
  }
}