GuardAPI

Fix JWT Vulnerabilities (Weak Signing, None Algo) in Hanami

JWT implementations in Hanami applications often fall victim to authentication bypasses due to insecure defaults in the ruby-jwt gem. The most critical flaws involve the 'none' algorithm—allowing attackers to forge tokens by omitting signatures—and weak HMAC secrets susceptible to brute-forcing. Hardening Hanami requires strict algorithm whitelisting and robust secret management.

The Vulnerable Pattern

module Web
  module Actions
    class Profile < Web::Action
      def handle(req, res)
        token = req.env['HTTP_AUTHORIZATION']&.split(' ')&.last
        # VULNERABLE: Verification is disabled or algorithm is not enforced.
        # An attacker can set 'alg': 'none' in the header to bypass auth.
        payload, _header = JWT.decode(token, 'static_secret_key', false)
        res.body = "User ID: #{payload['user_id']}"
      end
    end
  end
end

The Secure Implementation

The exploit occurs when JWT.decode is called without a strict algorithm whitelist or when verification is explicitly set to false. Attackers set the JWT header to 'alg':'none', which some libraries interpret as a valid, unsigned token. To fix:

1. Always set the third argument of JWT.decode to true so the signature is actually verified.
2. Pass an options hash specifying 'algorithm' (e.g., 'HS256' or 'RS256') so the token's own header cannot choose the algorithm; this prevents algorithm switching attacks.
3. Replace hardcoded secrets with high-entropy keys stored in Hanami's settings or environment variables to prevent offline cracking.

module Web
  module Actions
    class Profile < Web::Action
      def handle(req, res)
        token = req.env['HTTP_AUTHORIZATION']&.split(' ')&.last
        # SECURE: Enforce verification, whitelist HS256, and use env-based secrets.
        # Use Hanami.app.settings for centralized config management.
        secret = Hanami.app.settings.jwt_secret
        options = { algorithm: 'HS256', verify_iat: true }
        begin
          # A nil/missing token, a bad signature, a disallowed 'alg' and an
          # expired token all raise subclasses of JWT::DecodeError.
          payload, _header = JWT.decode(token, secret, true, options)
          res.body = "User ID: #{payload['user_id']}"
        rescue JWT::DecodeError
          res.status = 401
          res.body = 'Invalid Token'
        end
      end
    end
  end
end
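The algorithm-switch problem described above, shown as an added example that is not GuardAPI's code and not the ruby-jwt gem: a minimal HS256 verifier built only on Ruby's standard library (json, openssl) that consults the header's 'alg' solely to check it against a whitelist and always recomputes the signature with the server's configured algorithm, so a forged 'none' token and a wrong-key token are both rejected. DEMO_SECRET, ALLOWED_ALGS and the payloads are constructed for the demo.

```ruby
require 'json'
require 'openssl'

ALLOWED_ALGS = ['HS256'].freeze
DEMO_SECRET = 'constructed-demo-secret-use-a-real-random-key' # constructed for this example

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0') # raises ArgumentError on bad input
end

def hs256_sign(signing_input, secret)
  b64url_encode(OpenSSL::HMAC.digest('SHA256', secret, signing_input))
end

# Constant-time comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issuer side. 'alg' is a parameter only so the negative test can build a 'none' token.
def encode_jwt(payload, secret, alg: 'HS256')
  header = { alg: alg, typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = alg == 'none' ? '' : hs256_sign(signing_input, secret)
  "#{signing_input}.#{signature}"
end

# Verifier side: the header's 'alg' is never trusted to select the algorithm;
# it is only checked against the whitelist, then HS256 is recomputed server-side.
def verify_jwt(token, secret, allowed_algs: ALLOWED_ALGS)
  parts = token.to_s.split('.', -1)
  return [:error, 'malformed'] unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return [:error, 'malformed'] unless header.is_a?(Hash)
  return [:error, 'algorithm not allowed'] unless allowed_algs.include?(header['alg'])
  expected = hs256_sign("#{header_b64}.#{payload_b64}", secret)
  return [:error, 'bad signature'] unless secure_equal?(expected, sig_b64)
  [:ok, JSON.parse(b64url_decode(payload_b64))]
rescue JSON::ParserError, ArgumentError
  [:error, 'malformed']
end
```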


Verified by Ghost Labs Security Team
