Type Confusion in Feathersjs with Jwt Tokens
Type Confusion in Feathersjs with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Type confusion in a Feathersjs application that uses JWT tokens occurs when an API endpoint trusts a token payload field to determine runtime behavior or object types without strict validation. Because Feathersjs often relies on JWT payload claims (such as roles, permissions, or user identifiers) to make authorization decisions, inconsistent or implicit type handling can lead to insecure object creation or method dispatch. Attackers can supply a token with a mismatched type for a claim—such as a numeric ID provided as a string when the server code expects an integer, or a role field supplied as an object instead of a string—causing the application to misinterpret the value and bypass intended access controls.
Consider a Feathers service that uses a JWT payload to decide whether a user can perform administrative actions. If the server code performs a loose equality check or relies on truthy/coercion behavior, an attacker can supply a token like {"role": 123} or {"role": {"name": "admin"}} and the application may incorrectly treat the claim as valid. This misalignment between the expected type (string) and the provided type (integer or object) is a classic type confusion pattern. Because JWTs are often accepted without re-verifying strict schema conformance beyond signature validation, the server may act on the confused value, leading to privilege escalation or unauthorized data access.
In Feathers, this can intersect with BOLA/IDOR if the token contains a user identifier that is used to look up resources without confirming that the identifier type matches the expected format. For example, a route like /users/:id may extract params.user.id from the JWT and pass it directly to a service call. If the token provides id as a string when the service expects a number, or vice versa, the service may resolve a different resource than intended. The interaction between permissive type coercion and JWT-based routing parameters increases the likelihood of insecure direct object references. MiddleBrick detects such inconsistencies by cross-referencing OpenAPI/Swagger type definitions with runtime behavior, highlighting where JWT claims are used in routing or business logic without strict type enforcement.
Additionally, type confusion can manifest in how Feathers hooks and middleware interpret JWT metadata. If a hook assumes a claim is an array of scopes but receives a comma-separated string or an object, the authorization logic may incorrectly grant broader permissions. Unauthenticated LLM endpoint detection and active prompt injection testing offered by MiddleBrick can further surface cases where AI-assisted integrations inadvertently propagate malformed token interpretations across services. Overall, preventing type confusion with JWT tokens in Feathers requires strict schema validation, explicit type checks, and runtime assertions for every claim used in security-sensitive decisions.
Jwt Tokens-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on enforcing strict types and schemas for every JWT claim used in Feathersjs services. Below are concrete, working code examples that demonstrate secure handling of JWT tokens.
1. Validate JWT payload types using a schema validator (e.g., Joi) before creating or updating resources:
const Joi = require('joi');
const userTokenPayloadSchema = Joi.object({
sub: Joi.string().required(),
role: Joi.string().valid('user', 'admin').required(),
permissions: Joi.array().items(Joi.string()).optional(),
id: Joi.number().integer().positive().required()
}).required();
app.use('/api/secure', {
before: {
all: [async context => {
const token = context.params.headers.authorization?.replace('Bearer ', '');
if (!token) { throw new Error('Unauthorized'); }
const decoded = verifyToken(token, publicKey);
const { error, value } = userTokenPayloadSchema.validate(decoded);
if (error) { throw new Error('Invalid token payload'); }
context.params.user = value;
}]
}
});
2. Use strict equality checks and explicit type guards in custom hooks or service methods instead of relying on truthy/coerced values:
// In a hook or service method
if (typeof context.params.user.role !== 'string') {
throw new Error('Invalid role type');
}
if (!['user', 'admin'].includes(context.params.user.role)) {
throw new Error('Unauthorized role');
}
3. Enforce numeric IDs from JWT payloads when used in route parameters by validating route parameters separately:
app.service('users').hooks({
before: {
get: [async context => {
const id = context.id;
if (typeof id !== 'string' || isNaN(Number(id))) {
throw new Error('Invalid user ID type');
}
const numericId = Number(id);
if (!Number.isInteger(numericId) || numericId <= 0) {
throw new Error('Invalid user ID value');
}
context.params.userId = numericId;
}]
}
});
4. Configure MiddleBrick scans to monitor JWT usage patterns and detect inconsistencies between declared OpenAPI types and runtime token handling. The CLI tool can be used in scripts to validate configurations:
# Scan an API and output JSON for automated review
middlebrick scan https://api.example.com/openapi.json --format json
These examples ensure that Feathersjs applications treat JWT claims with explicit types, preventing type confusion that could lead to privilege escalation or IDOR. Pairing runtime validation with continuous scanning helps maintain secure token handling across updates.
Related CWEs: inputValidation
| CWE ID | Name | Severity |
|---|---|---|
| CWE-20 | Improper Input Validation | HIGH |
| CWE-22 | Path Traversal | HIGH |
| CWE-74 | Injection | CRITICAL |
| CWE-77 | Command Injection | CRITICAL |
| CWE-78 | OS Command Injection | CRITICAL |
| CWE-79 | Cross-site Scripting (XSS) | HIGH |
| CWE-89 | SQL Injection | CRITICAL |
| CWE-90 | LDAP Injection | HIGH |
| CWE-91 | XML Injection | HIGH |
| CWE-94 | Code Injection | CRITICAL |