GuardAPI Logo
GuardAPI
Automated Security Protocol

How to fix JWT Vulnerabilities (Weak Signing, None Algo)
in Phoenix

Executive Summary

JWT implementation in Elixir/Phoenix is often handled via the Joken or Guardian libraries. The most critical failure points are accepting the 'none' algorithm—allowing attackers to bypass signature verification entirely—and utilizing weak, hardcoded HMAC secrets that are susceptible to offline brute-forcing. Secure implementation requires strict algorithm enforcement and high-entropy secret management.

The Vulnerable Pattern

VULNERABLE CODE
defmodule MyAppWeb.Auth.Token do
  use Joken.Config

VULNERABILITY 1: No signer enforced, potentially allowing ‘none’ alg


def token_config, do: default_claims()


def verify_bad(token) do
# VULNERABILITY 2: peek_claims/1 returns claims without verifying the signature
case Joken.peek_claims(token) do
{:ok, claims} -> {:ok, claims}
_ -> {:error, :unauthorized}
end
end
end

The Secure Implementation

The exploit vector relies on the 'alg' header. If the backend uses 'peek_claims' or fails to provide a Signer to 'verify_and_validate', an attacker can change the header to '{"alg":"none"}' and remove the signature. To fix this in Phoenix: 1. Use Joken.Signer.create/2 to force a specific algorithm (e.g., HS256 or RS256). 2. Never use peek functions for authentication logic. 3. Ensure your JWT_SECRET is a base64 encoded string with at least 32 bytes of entropy. 4. Always use verify_and_validate/3 which checks the cryptographic signature before processing any claims.

SECURE CODE
defmodule MyAppWeb.Auth.Token do
  use Joken.Config

def token_config do
default_claims(iss: “my_app”, aud: “api”)
|> Joken.Config.add_claim(“exp”, fn -> Joken.current_time() + 3600 end)
end


def verify_secure(token) do
# SECURE: Fetching high-entropy secret from ENV
secret = System.fetch_env!(“JWT_SECRET”)
# SECURE: Explicitly defining the allowed algorithm (HS256)
signer = Joken.Signer.create(“HS256”, secret)


# SECURE: verify_and_validate/3 ensures signature AND claims are valid
Joken.verify_and_validate(token_config(), token, signer)


end
end

System Alert • ID: 4820
Target: Phoenix API
Potential Vulnerability

Your Phoenix API might be exposed to JWT Vulnerabilities (Weak Signing, None Algo)

74% of Phoenix apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X