Integrity Failures in Adonisjs with Jwt Tokens

Integrity failures occur when an API fails to detect tampering with data in transit or at rest. In the context of AdonisJS applications using JWT tokens, integrity failures typically arise when tokens are accepted without proper signature validation, allowing an attacker to modify claims (such as roles, identifiers, or permissions) and have them trusted by the server.

JWTs consist of three parts: header, payload (claims), and signature. The signature ensures integrity and authenticity. If AdonisJS does not strictly verify the signature—often due to misconfigured JWT providers, missing options, or custom implementations that skip validation—an attacker can alter the payload and re-sign it using a weak algorithm (e.g., switching from HS256 to none) or a known secret. This leads to privilege escalation, unauthorized access, or bypass of business logic.

In AdonisJS, the JWT provider is commonly configured via start/kernel.ts and config/jwt.ts. If the provider is initialized without enforcing algorithm restrictions or audience/issuer checks, the application may accept tokens that do not match the expected signing key or algorithm. For example, a token issued with a symmetric secret (HS256) could be tampered with if the server also accepts asymmetric algorithms (RS256) without validating the public key. This misconfiguration breaks the integrity guarantee of the JWT.

AdonisJS does not inherently introduce integrity flaws, but the framework relies on the underlying JWT library (typically jose or jsonwebtoken) and its configuration. A common vulnerability pattern is using a shared secret across services without rotating it, or embedding sensitive data in the payload without signing. Attackers can exploit weak secrets or predictable signing keys to forge tokens that the AdonisJS application will validate successfully.

Real-world attack patterns include modifying the role claim from user to admin, changing the sub (subject) to impersonate another user, or adjusting token expiration times to maintain access. These manipulations are possible when integrity checks are incomplete or absent. The OWASP API Security Top 10 lists Broken Object Level Authorization (BOLA) and Security Misconfiguration as relevant risks that often intersect with JWT integrity failures.

To detect such issues, scans analyze how AdonisJS endpoints validate JWTs, whether they enforce strict algorithms, verify issuers and audiences, and reject unsigned tokens. Findings may reference CVE patterns where weak signing practices led to authentication bypass. Remediation requires precise configuration and coding practices to ensure every token is validated with strong integrity controls.

Remediation focuses on enforcing strict JWT validation, algorithm constraints, and secure token handling within AdonisJS. Below are concrete code examples demonstrating secure configuration and usage.

Secure JWT Provider Configuration

Configure the JWT provider in config/jwt.ts to enforce strong algorithms and validation. Avoid using the none algorithm and explicitly define allowed algorithms.

import { JWTConfig } from '@ioc/Adonis/Addons/Jwt';

const jwtConfig: JWTConfig = {
  default: {
    enabled: true,
    tokenType: 'access',
    config: {
      algorithm: 'HS256',
      secret: process.env.JWT_SECRET as string,
      sign: {
        expiresIn: '2h',
      },
      verify: {
        aud: false,
        iss: false,
      },
    },
  },
};

export default jwtConfig;

Ensure the secret is stored securely (e.g., environment variables) and is sufficiently complex. For production, prefer asymmetric algorithms like RS256 with a private/public key pair.

Strict Token Validation in Controllers

When authenticating requests, explicitly validate the token and inspect claims. Do not rely solely on middleware; verify critical claims such as issuer and audience if used.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
import { BaseMiddleware } from '@ioc:Adonis/Middleware/Base';
import { JwtService } from '@ioc:Adonis/Addons/Jwt';

export default class JwtAuthMiddleware extends BaseMiddleware {
  public async handle({ request, response, auth }: HttpContextContract, next: () => Promise) {
    try {
      const token = request.headers().authorization?.replace('Bearer ', '');
      if (!token) {
        return response.unauthorized('Access token missing');
      }

      const payload = await auth.use('jwt').verifyAndDecode(token);
      // Additional integrity checks: validate custom claims if needed
      if (!payload || payload.role !== 'admin') {
        return response.forbidden('Invalid token claims');
      }

      await next();
    } catch (error) {
      return response.unauthorized('Invalid token');
    }
  }
}

This approach ensures that tokens are verified against the expected secret and that critical claims are inspected before granting access.

Preventing Algorithm Confusion

Explicitly set the algorithm in the JWT configuration and avoid accepting tokens with multiple algorithms. If using RS256, ensure the public key is correctly loaded and not derived from user input.

// Example for RS256 with explicit public key
import { readFileSync } from 'fs';

const jwtConfigRsa: JWTConfig = {
  default: {
    enabled: true,
    tokenType: 'access',
    config: {
      algorithm: 'RS256',
      publicKey: readFileSync('path/to/public.key', 'utf-8'),
      verify: {
        aud: 'my-api',
        iss: 'https://auth.myapp.com',
      },
    },
  },
};

export default jwtConfigRsa;

By enforcing algorithm restrictions and validating all parts of the token, integrity failures are mitigated. Regularly rotate secrets and monitor for anomalous token usage patterns.