Jwt Misconfiguration in Adonisjs with Jwt Tokens

JWT misconfiguration in AdonisJS applications commonly arises when tokens are issued or validated with weak cryptographic settings, overly permissive claims, or missing validation steps. AdonisJS relies on the jwt provider from @adonisjs/auth, and misconfigured usage can lead to insecure token handling that attackers can exploit.

One frequent issue is using a weak or default secret for signing tokens. If the application does not override the default secret, an attacker who discovers the default can forge tokens and impersonate any user. Similarly, using weak algorithms such as HS256 with a shared secret that is too short, or failing to explicitly specify the algorithm during verification, can expose the system to algorithm-switching attacks where a token signed with HS256 is treated as an unsigned token (e.g., alg: none) by an insecure verifier.

Another misconfiguration involves token payload claims. Failing to set reasonable expiration times (exp) or omitting the nbf (not before) and iat (issued at) claims can result in tokens that are valid indefinitely or are accepted before their intended activation window. Missing audience (aud) or issuer (iss) validation can also allow tokens issued for one service to be accepted by another service, leading to authorization bypass across components.

Implementation mistakes in AdonisJS routes and providers can further amplify risk. For example, not validating the token on each request, or validating it only at the route level without ensuring middleware consistency, can leave some endpoints unprotected. Additionally, storing sensitive data directly inside the token payload should be avoided because JWTs are often base64-encoded and easily decoded, leading to inadvertent data exposure.

During scanning, middleBrick detects weak token configurations by correlating runtime behavior with OpenAPI specifications and security checks. It flags missing algorithm enforcement, missing token validation on sensitive endpoints, and tokens with missing or weak expiration settings. These findings align with the Authentication and Authorization checks, and are mapped to the OWASP API Top 10 and common compliance frameworks.

To remediate JWT misconfiguration in AdonisJS, enforce strong signing algorithms, explicit claims, and strict validation in both token creation and verification. The following examples demonstrate secure patterns using AdonisJS's built-in JWT utilities.

1. Secure Token Generation

When issuing tokens, specify a strong algorithm, an explicit issuer and audience, and set reasonable expiration times. Avoid relying on framework or library defaults.

import { BaseProvider } from '@ioc:Adonis/Core/Provider'
import { JwtProviderContract } from '@ioc:Adonis/Addons/Jwt'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class JwtExampleProvider extends BaseProvider {
  public async handle() {
    const jwt = this.container.use('Adonis/Core/Jwt') as JwtProviderContract

    // Example login route producing a well-formed token
    this.app.container.singleton('App/Controllers/Http/jwtHelper', () => {
      return {
        async issueToken(userId: number, httpContext: HttpContextContract) {
          const token = jwt.sign(
            {
              payload: {
                sub: String(userId),
                iat: Math.floor(Date.now() / 1000),
                exp: Math.floor(Date.now() / 1000) + 60 * 60, // 1 hour
                iss: 'my-adonis-api',
                aud: 'web-client'
              },
              algorithm: 'HS512' // strong symmetric algorithm
            },
            Buffer.from(process.env.JWT_SECRET!, 'base64') // strong secret
          )
          return token
        }
      }
    })
  }
}

2. Secure Token Validation

On each authenticated request, verify the algorithm, issuer, audience, and expiration. Do not skip verification for "trusted" origins.

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { JwtProviderContract } from '@ioc:Adonis/Addons/Jwt'

export async function authenticateUser({ request, auth, response }: HttpContextContract) {
  const jwt = use('Adonis/Core/Jwt') as JwtProviderContract

  const header = request.headers().authorization
  if (!header || !header.startsWith('Bearer ')) {
    response.unauthorized('Missing bearer token')
    return null
  }

  const token = header.split(' ')[1]
  try {
    // Explicitly verify algorithm and claims
    const payload = jwt.verify(token, Buffer.from(process.env.JWT_SECRET!, 'base64'), {
      algorithms: ['HS512'],
      issuer: 'my-adonis-api',
      audience: 'web-client',
      clockTolerance: 60
    })

    const userId = Number(payload.sub)
    if (!userId) {
      response.unauthorized('Invalid token payload')
      return null
    }

    // Attach user to request/auth context as appropriate
    return userId
  } catch (error) {
    response.unauthorized('Invalid or expired token')
    return null
  }
}

3. Route-Level Protection

Ensure middleware applies consistently and that sensitive routes are not accidentally exposed to unauthenticated access.

// In routes.ts
import Route from '@ioc:Adonis/Core/Route'
import authenticateUser from 'App/Helpers/authenticateUser'

Route.group(() => {
  Route.get('/profile', authenticateUser, async ({ auth }) => {
    const user = await auth.getUserOrFail()
    return { user: user.serialize() }
  })
}).prefix('api/v1')

4. Environment and Secret Management

Store the JWT secret outside the codebase and use a strong, randomly generated value. Rotate secrets periodically and avoid sharing secrets between services with different trust boundaries.

# .env
JWT_SECRET=BASE64_ENCODED_256_BIT_OR_512_BIT_RANDOM_SECRET