Fix Broken User Authentication in Feathers
FeathersJS simplifies real-time APIs, but a default service with empty hooks leaves the front door wide open. Broken User Authentication in Feathers typically shows up in two ways: password hashes leaking in JSON responses, and service methods that never check for a valid JWT. If your hooks don't explicitly strip sensitive fields and require authentication, anyone with an HTTP client and a proxy can read your users table, password hashes included.
The Vulnerable Pattern
const { User } = require('./users.class');

module.exports = function (app) {
  app.use('/users', new User());

  // VULNERABILITY: no authenticate('jwt'), no hashPassword, no protect.
  // Every method is reachable anonymously and every response includes
  // whatever is stored in the password field.
  app.service('users').hooks({
    before: { create: [] },
    after: { all: [] }
  });
};
The Secure Implementation
To fix broken authentication, apply hooks at three points. First, the 'hashPassword' hook from '@feathersjs/authentication-local' hashes the incoming password with bcrypt before it is stored; hashing is one-way, so this is not encryption and the original value cannot be recovered from the stored hash. Second, and most critically, the 'protect' hook must run in the 'after' stage of all service methods so the 'password' field is never serialized into a JSON response, including paginated results and nested records. Third, 'authenticate('jwt')' must be declared on every service method that should be restricted; a method without it is reachable by anyone. Two caveats: 'authenticate('jwt')' only proves the caller holds a valid token, it does not stop one authenticated user from reading or patching another user's record, so the users service still needs an authorization hook that scopes the query to 'params.user'; and 'protect' only filters this service's responses, so any other service that populates user objects into its results must strip the field itself.
const { authenticate } = require('@feathersjs/authentication').hooks;
const { hashPassword, protect } = require('@feathersjs/authentication-local').hooks;

module.exports = {
  before: {
    all: [],
    find: [authenticate('jwt')],
    get: [authenticate('jwt')],
    // create stays open so new users can sign up; the password is hashed before storage
    create: [hashPassword('password')],
    // authenticate first, so anonymous requests are rejected before any bcrypt work is done
    update: [authenticate('jwt'), hashPassword('password')],
    patch: [authenticate('jwt'), hashPassword('password')],
    remove: [authenticate('jwt')]
  },
  after: {
    all: [
      // Always the last hook: strips the password field from every response
      protect('password')
    ]
  }
};
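The two properties above (anonymous requests rejected, no 'password' field in any response) are easy to verify from the outside. The following audit is an added example, not code from the original page or from Feathers itself. It assumes Feathers' REST conventions (a request without a valid JWT gets HTTP 401, a paginated 'find' returns '{ total, limit, skip, data }'); the names 'baseUrl', 'token' and 'fetchImpl' are chosen here, and 'fetchImpl' is injectable so the check runs offline against a stub as well as against a live server with the global 'fetch'. It goes one step further than the text by classifying a leaked value as a bcrypt hash or something else, which tells you whether 'hashPassword' is missing as well as 'protect'.

```javascript
// Added example, not code from the original page or from Feathers itself.
// Audits a Feathers REST `users` endpoint for the two failure modes above:
// anonymous access to a method that should require a JWT, and a `password`
// field surviving serialization. Assumptions: Feathers' REST conventions
// (missing/invalid JWT yields HTTP 401, paginated find returns
// { total, limit, skip, data }); `baseUrl`, `token` and the injectable
// `fetchImpl` are names chosen here.

// Walk any JSON value and collect every field named `password`, wherever it
// appears: top-level records, nested/populated objects, paginated `data`.
function findPasswordFields(value, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findPasswordFields(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (key === 'password') out.push({ path: childPath, value: child });
      findPasswordFields(child, childPath, out);
    }
  }
  return out;
}

// bcrypt output: $2a$/$2b$/$2y$, two-digit cost, then 22 salt + 31 hash chars.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Classify a leaked value: a leaked hash is bad, a leaked plaintext is worse
// (it means hashPassword is missing as well as protect).
function classifyPassword(value) {
  return typeof value === 'string' && BCRYPT_RE.test(value)
    ? 'bcrypt hash'
    : 'non-bcrypt value (hashPassword probably missing)';
}

// Returns human-readable findings; an empty list means both checks passed.
async function auditUsersService(baseUrl, token, fetchImpl = globalThis.fetch) {
  const url = `${baseUrl.replace(/\/+$/, '')}/users`;
  const findings = [];

  // Check 1: find without a token must be rejected by authenticate('jwt').
  const anon = await fetchImpl(url, { headers: { Accept: 'application/json' } });
  if (anon.status !== 401) {
    findings.push(`anonymous GET ${url} returned ${anon.status}, expected 401`);
  }

  // Check 2: an authenticated find must never include a password field.
  const authed = await fetchImpl(url, {
    headers: { Accept: 'application/json', Authorization: `Bearer ${token}` },
  });
  if (authed.status !== 200) {
    findings.push(`authenticated GET ${url} returned ${authed.status}`);
    return findings;
  }
  for (const { path, value } of findPasswordFields(await authed.json())) {
    findings.push(`password field leaked at ${path} (${classifyPassword(value)})`);
  }
  return findings;
}

// Usage against a real server (Node 18+ has a global fetch):
//   auditUsersService('http://localhost:3030', process.env.JWT).then(console.log);
```

Run it once before and once after applying the hooks: the vulnerable service produces two findings (anonymous access allowed, password leaked), the hardened one produces none. Because the walk is recursive, it also catches a 'password' that another service has populated into a nested user object, which 'protect' on the users service alone does not cover.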
Verified by Ghost Labs Security Team