
Fix JWT Vulnerabilities (Weak Signing, None Algo) in AdonisJS

JWT implementations in AdonisJS often fail for two reasons: no enforcement of the signing algorithm, and low-entropy secrets. Attackers can exploit the 'none' algorithm bypass to forge identities, or brute-force weak HMAC keys offline. As a Senior AppSec Researcher, I see this repeatedly: developers trust the 'alg' header provided by the client. Don't. You must whitelist your algorithms server-side and treat your secrets as cryptographic keys, not configuration strings.

The Vulnerable Pattern

// VULNERABLE: Custom JWT logic allowing 'none' and weak secrets
import jwt from 'jsonwebtoken'

export default class AuthController {
  async login({ request, response }) {
    // Assumes the header is present and shaped "Bearer <token>"; throws otherwise
    const token = request.header('authorization').split(' ')[1]

    // FAIL: jwt.decode() doesn't verify the signature
    const decoded = jwt.decode(token)

    // FAIL: No algorithm whitelist. Attacker can change alg to 'none'
    // FAIL: Hardcoded weak secret
    const verified = jwt.verify(token, 'my-secret-123')

    return verified
  }
}

The Secure Implementation

The vulnerability lies in leaving the 'jsonwebtoken' library's verification unrestricted. If the 'algorithms' array is omitted from the verify() call, an attacker can modify the JWT header to {'alg': 'none'}, strip the signature, and the server will accept the token as valid. The secure implementation fixes this by explicitly whitelisting 'HS256', so the algorithm is chosen by the server rather than by the token. Furthermore, loading the key with AdonisJS Env.get('JWT_SECRET') keeps secrets out of source control and lets them be set to high-entropy strings (e.g., 64-character hex, i.e. 256 bits) that resist offline cracking.

// SECURE: Enforced algorithms and high-entropy secrets via Env
import jwt from 'jsonwebtoken'
import Env from '@ioc:Adonis/Core/Env'

export default class AuthController {
  async login({ request, response }) {
    const authHeader = request.header('authorization')
    if (!authHeader) return response.unauthorized()

    const token = authHeader.replace('Bearer ', '')

    try {
      // SUCCESS: Explicitly whitelist algorithms (HS256)
      // SUCCESS: Secret loaded from Env (must be 256-bit+)
      const payload = jwt.verify(token, Env.get('JWT_SECRET'), {
        algorithms: ['HS256'],
        issuer: 'my-adonis-app',
        complete: false // return only the decoded payload, not header/signature
      })

      return payload
    } catch (error) {
      // Signature, algorithm, issuer or expiry check failed
      return response.badRequest('Invalid or expired token')
    }
  }
}


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.