GuardAPI

Fix JWT Vulnerabilities (Weak Signing, None Algo) in Feathers

FeathersJS relies on the @feathersjs/authentication-jwt package, which abstracts the underlying jsonwebtoken library. Vulnerabilities arise when developers use default/weak secrets or fail to restrict allowed algorithms, permitting 'none' algorithm attacks or RS256-to-HS256 key confusion. As a researcher, your goal is to enforce cryptographic integrity by hardening the configuration and explicitly whitelisting algorithms.

The Vulnerable Pattern

{
  "authentication": {
    "secret": "my-weak-secret-123",
    "authStrategies": ["jwt"],
    "jwtOptions": {
      "header": { "typ": "access" },
      "audience": "https://example.com",
      "issuer": "feathers",
      "expiresIn": "1d"
    }
  }
}

The Secure Implementation

The vulnerable configuration uses a hardcoded, weak secret and fails to specify an algorithm, which might allow the library to default to 'none' or be susceptible to algorithm switching. The secure implementation does three things:

1. Sources the secret/private key from environment variables.
2. Switches to RS256 (asymmetric) to prevent HMAC key confusion.
3. Overrides the JWTStrategy to explicitly pass an 'algorithms' whitelist to the underlying verify call (verifyAccessToken on the AuthenticationService in @feathersjs/authentication v4 and later), ensuring that tokens using 'none' or 'HS256' are rejected regardless of the header provided by the attacker.

// config/production.json
// The secret is deliberately absent here; it is mapped in from the environment below.
{
  "authentication": {
    "authStrategies": ["jwt"],
    "jwtOptions": {
      "header": { "typ": "access" },
      "audience": "https://example.com",
      "issuer": "feathers",
      "algorithm": "RS256",
      "expiresIn": "1h"
    }
  }
}

// config/custom-environment-variables.json
// node-config (used by @feathersjs/configuration) copies the JWT_SECRET environment
// variable onto authentication.secret. Writing "process.env.JWT_SECRET" as a JSON value
// would make that literal string the secret. For RS256 the variable holds the PEM private key.
{
  "authentication": {
    "secret": "JWT_SECRET"
  }
}

// src/authentication.js modification
const { AuthenticationService, JWTStrategy } = require('@feathersjs/authentication');
const { NotAuthenticated } = require('@feathersjs/errors');

class SecureJWTStrategy extends JWTStrategy {
  // Runs synchronously when the strategy is registered; an async override here would
  // turn a thrown error into an unhandled rejection instead of failing startup.
  verifyConfiguration() {
    super.verifyConfiguration(); // keep the parent's checks on the strategy's own options
    const allowedAlgorithms = ['RS256'];
    // this.configuration is the "jwt" strategy block; jwtOptions live on the service configuration
    const { jwtOptions = {} } = this.authentication.configuration;
    if (!allowedAlgorithms.includes(jwtOptions.algorithm)) {
      throw new Error('Insecure algorithm detected');
    }
  }

  async authenticate(authentication, params) {
    const { accessToken } = authentication;
    if (!accessToken) {
      throw new NotAuthenticated('No access token');
    }
    // Explicitly pass the allowed algorithms to the verify call
    // (verifyAccessToken is the AuthenticationService method in @feathersjs/authentication v4+)
    const payload = await this.authentication.verifyAccessToken(accessToken, { algorithms: ['RS256'] });
    return { accessToken, authentication: { strategy: 'jwt', payload } };
  }
}

module.exports = (app) => {
  const authentication = new AuthenticationService(app);
  authentication.register('jwt', new SecureJWTStrategy());
  app.use('/authentication', authentication);
};


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.