HIGH missing authenticationfeathersjsjwt tokens

Missing Authentication in Feathersjs with Jwt Tokens

Scan for missing authentication in feathersjs

Missing Authentication in Feathersjs with Jwt Tokens — how this specific combination creates or exposes the vulnerability

FeathersJS is a framework for real-time applications that commonly uses JWT tokens for stateless authentication. When authentication is misconfigured or omitted, endpoints that should be protected become exposed. This typically occurs when service hooks or routes are defined without requiring a valid JWT, or when the JWT verification hook is conditionally bypassed. An attacker can directly call these unauthenticated service methods, invoking business logic or data access that should be restricted.

Consider a FeathersJS service for user profiles defined without authentication guards. If the service does not enforce authentication at the Feathers hook layer, an unauthenticated request can retrieve or modify records. Even when JWT is intended for protection, inconsistent usage across services or failure to apply the authentication hook to all relevant services creates a BOLA/IDOR pattern. For example, an endpoint like /users/:id may rely on JWT claims to ensure users can only access their own data; missing or incorrect hook configuration allows one user to enumerate or modify another user’s resource by guessing IDs.

Real-world risk patterns observed in testing include services that skip authentication when a query parameter or header is set, or services that trust internal network assumptions. Because FeathersJS allows flexible hook composition, omitting the authentication hook or placing it after business logic can lead to unauthenticated execution. The scanner runs unauthenticated checks against the live API surface and detects endpoints that return data without requiring valid JWTs, mapping findings to the Authentication and BOLA/IDOR categories from OWASP API Top 10.

Additionally, if JWT validation is implemented but only applied to a subset of routes, an attacker can pivot from an unauthenticated entry point to access protected data. This can be exacerbated by weak token handling, such as accepting unsigned tokens or failing to validate the issuer and audience. The scanner’s Authentication check tests whether endpoints enforce token validation, while the BOLA/IDOR check verifies that authorization aligns with resource ownership.

Jwt Tokens-Specific Remediation in Feathersjs — concrete code fixes

To secure FeathersJS services with JWT tokens, consistently apply authentication hooks and validate tokens on every service that requires protection. Use the official @feathersjs/authentication and @feathersjs/authentication-jwt packages to centralize token verification. Define an authentication hook that checks for a valid JWT and attaches the decoded payload to the request context. Then enforce this hook in your service configuration.

Below is a complete, syntactically correct example that configures JWT authentication and applies it to a FeathersJS service. This ensures that every call to the service requires a valid token and that the user ID in the token is correctly mapped for authorization checks.

// src/authentication.js
const { AuthenticationService } = require('@feathersjs/authentication');
const { JWTStrategy } = require('@feathersjs/authentication-jwt');
const { express } = require('@feathersjs/express');

const authentication = new AuthenticationService(express.app);

authentication.register('jwt', new JWTStrategy());

// Optional: customize how the payload is transformed into the user object
authentication.hooks({
  before: {
    create: [authentication.hooks.authenticate('jwt')],
    find: [authentication.hooks.authenticate('jwt')],
    get: [authentication.hooks.authenticate('jwt')],
    update: [authentication.hooks.authenticate('jwt')],
    patch: [authentication.hooks.authenticate('jwt')],
    remove: [authentication.hooks.authenticate('jwt')]
  },
  after: {
    create: [context => {
      // Example: ensure the authenticated user matches the target user ID for sensitive operations
      const { user } = context.params;
      if (context.method === 'get' && context.result && context.result.userId !== user.id) {
        throw new Error('Unauthorized');
      }
      return context;
    }]
  }
});

module.exports = authentication;

Apply this authentication service in your main app setup and configure services to use the authentication hook. The following snippet shows how to register the auth service and protect a user service so that only requests with valid JWTs can proceed.

// src/app.js
const feathers = require('@feathersjs/feathers');
const express = require('@feathsjs/express');
const authentication = require('./authentication');
const userService = require('./services/users/users.service');

const app = express(feathers());

// Register authentication service before other services
app.configure(authentication);

// Configure the user service to require authentication
app.use('/users', userService);
app.service('users').hooks({
  before: {
    all: [authentication.hooks.authenticate('jwt')],
    find: [context => {
      // Example: restrict listing to admins by inspecting decoded JWT
      const { scope } = context.params.user || {};
      if (!scope || !scope.includes('users:read')) {
        throw new Error('Forbidden: insufficient scope');
      }
      return context;
    }],
    get: [context => {
      // Enforce user-level authorization: users can only fetch their own profile
      const { id } = context.params;
      const { user } = context.params;
      if (user.userId !== id) {
        throw new Error('Forbidden: cannot access other user data');
      }
      return context;
    }],
    create: [context => {
      // Ensure required fields and validate input
      const { email } = context.data;
      if (!email) {
        throw new Error('Email is required');
      }
      return context;
    }]
  }
});

These examples illustrate how to bind JWT verification to all CRUD operations, ensuring that missing authentication is not possible for the protected service. For additional safety, combine JWT validation with explicit role- or scope-based checks in after hooks to enforce least privilege. The scanner’s Authentication, BOLA/IDOR, and Unsafe Consumption checks validate these controls by probing endpoints both with and without tokens and inspecting token handling logic.

Related CWEs: authentication

CWE IDNameSeverity
CWE-287Improper Authentication CRITICAL
CWE-306Missing Authentication for Critical Function CRITICAL
CWE-307Brute Force HIGH
CWE-308Single-Factor Authentication MEDIUM
CWE-309Use of Password System for Primary Authentication MEDIUM
CWE-347Improper Verification of Cryptographic Signature HIGH
CWE-384Session Fixation HIGH
CWE-521Weak Password Requirements MEDIUM
CWE-613Insufficient Session Expiration MEDIUM
CWE-640Weak Password Recovery HIGH
Scan for missing authentication in feathersjs Free API security scan

Frequently Asked Questions

How does missing authentication in FeathersJS with JWT tokens lead to BOLA/IDOR vulnerabilities?
When authentication hooks are omitted or inconsistently applied, endpoints that should enforce ownership checks become accessible without proof of identity. Attackers can iterate over resource IDs (e.g., /users/123, /users/124) because the service does not verify that the requester matches the resource owner, enabling IDOR.
Can relying solely on JWT validation in FeathersJS prevent all authentication-related issues?
No. JWT validation must be applied to every service and method, and tokens must be properly validated (issuer, audience, expiration). Even with valid tokens, missing or incorrect authorization logic in hooks can allow horizontal or vertical privilege escalation.

Related Pages

Missing Authentication in FeathersjsLearn how missing authentication vulnerabilities manifest in Feathersjs applications and how to detect and remediate theMissing Authentication with Jwt TokensLearn how missing authentication manifests in JWT tokens through weak validation, token leakage, and improper storage. DMissing Authentication in Feathersjs on AwsmiddleBrick scans FeathersJS APIs integrated with AWS for missing authentication, provides severity-ranked findings, andMissing Authentication in Feathersjs on AzureLearn how missing authentication in FeathersJS combined with Azure AD misconfigurations creates vulnerabilities, and appMissing Authentication in Feathersjs on DockerHow missing authentication in FeathersJS running in Docker creates risks and how to remediate with hooks, Dockerfile, anMissing Authentication in Feathersjs on DigitaloceanUnderstand and fix Missing Authentication in FeathersJS on Digitalocean with concrete hooks and examples.Owasp Api Top 10: Missing Authentication in FeathersjsExplore OWASP API Top 10 Missing Authentication in FeathersJS, with remediation code examples and hooks guidance.Hipaa: Missing Authentication in FeathersjsExplore HIPAA compliance risks when Feathersjs services lack authentication, and apply concrete hooks and authenticationGdpr: Missing Authentication in FeathersjsExplore GDPR risks tied to missing authentication in FeathersJS APIs, with concrete hooks and code examples to enforce aNist: Missing Authentication in FeathersjsmiddleBrick scans Feathersjs APIs for Missing Authentication, mapping findings to NIST controls with remediation guidancMissing Authentication in Feathersjs with DynamodbLearn how missing authentication in Feathersjs with Dynamodb creates BOLA/IDOR risks and how to remediate with hooks andMissing Authentication in Feathersjs with CockroachdbDetect and remediate missing authentication in FeathersJS with CockroachDB. Real code hooks, RBAC, and secure connection