Fix JWT Vulnerabilities (Weak Signing, None Algo) in Laravel

JWT implementations in Laravel, particularly when using custom wrappers or older versions of lcobucci/jwt, often suffer from 'none' algorithm exploits and weak HMAC secrets. If your backend doesn't explicitly whitelist the expected signing algorithm, an attacker can flip the 'alg' header to 'none' or use a public key to sign a symmetric HS256 token. This guide hardens the implementation against these specific bypasses.

The Vulnerable Pattern

// VULNERABLE: Accepting any algorithm and skipping verification
$token = (new Parser())->parse($jwtToken);
$userId = $token->getClaim('sub'); // No verification performed!
// OR: Using a weak secret
‘secret’ => ‘123456’,
‘algo’ => ‘HS256’,

The Secure Implementation

The fix involves three critical layers: 1. Algorithm Whitelisting: By using Configuration::forSymmetricSigner with a specific instance of Sha256, we force the library to ignore any 'alg' header in the JWT that isn't HS256, neutralizing the 'none' attack. 2. Mandatory Verification: We move from simply parsing the string to executing a validation pass with the SignedWith constraint. 3. Entropy: Ensure JWT_SECRET in .env is a high-entropy 256-bit string generated via 'openssl rand -base64 32' to prevent offline brute-forcing of the HMAC signature.

// SECURE: Enforce Signer and Verify Signature
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
$config = Configuration::forSymmetricSigner(
new Sha256(),
InMemory::plainText(config(‘auth.jwt_secret’))
);
$token = $config->parser()->parse($jwtToken);
// Explicitly validate the signature using the defined signer
$constraints = [new SignedWith($config->signer(), $config->signingKey())];
if (!$config->validator()->validate($token, …$constraints)) {
throw new UnauthenticatedException(‘Invalid token signature’);
}
$userId = $token->claims()->get(‘sub’);