Fix JWT Vulnerabilities (Weak Signing, None Algo) in Camping

Listen up. If you're rolling JWTs in a Camping app, you're likely wide open to algorithm confusion or 'none' type exploits. Most devs treat JWT.decode like a magic box, but without explicit algorithm enforcement, an attacker can just flip the header to 'none' and bypass your entire auth logic. Here's how to lock it down.

The Vulnerable Pattern

module CampingApp
  def authenticate(token)
    # VULNERABLE: Hardcoded weak secret and no algorithm enforcement
    secret = 'secret123'
# DANGER: Passing false or omitting the algorithm check allows 'none' alg
decoded = JWT.decode(token, secret, false)
@user = User.find(decoded[0]['user_id'])
end
end

The Secure Implementation

The vulnerability exists because the ruby-jwt library, if not explicitly told otherwise, may allow the 'none' algorithm which bypasses signature verification entirely. An attacker can modify their JWT header to {"alg":"none"} and provide any payload they want. To fix this, you must: 1. Set the 'verify' parameter to true. 2. Pass a hash of options that explicitly whitelists the allowed algorithm (e.g., HS256). 3. Replace weak, hardcoded strings with cryptographically strong keys stored in environment variables to prevent brute-force signature forging.

module CampingApp
  def authenticate(token)
    # SECURE: Load high-entropy secret from environment
    secret = ENV['JWT_SECRET_KEY']
    raise "Missing JWT_SECRET_KEY" if secret.nil? || secret.length < 32
# SECURE: Explicitly enforce HS256 and enable verification
options = { algorithm: 'HS256', verify_iat: true }

begin
  decoded = JWT.decode(token, secret, true, options)
  @user = User.find(decoded[0]['user_id'])
rescue JWT::DecodeError => e
  # Log error and reject request
  puts "JWT Auth Failed: #{e.message}"
  @user = nil
  halt 401, "Unauthorized"
end
end
end