Fix JWT Vulnerabilities (Weak Signing, None Algo) in AdonisJS
JWT implementations in AdonisJS tend to fail in two ways: the server lets the token's own 'alg' header influence how the signature is checked, and the HMAC secret is a short, guessable string. The first lets an attacker swap the algorithm (to 'none', or to something other than what the server signs with) and forge any identity; the second lets anyone holding one valid token recover the key offline and mint tokens for any user. As a Senior AppSec Researcher, I see this repeatedly: developers trust the 'alg' header provided by the client. Don't. Pin the algorithm on the server side and treat the secret as cryptographic key material, not as a password.
The Vulnerable Pattern
```javascript
// VULNERABLE: custom JWT logic with an unverified decode, no algorithm pin and a weak secret
import jwt from 'jsonwebtoken'

export default class AuthController {
  async login({ request, response }) {
    const token = request.header('authorization').split(' ')[1]

    // FAIL: jwt.decode() only base64-decodes the token; it never checks the signature.
    //       Any code that reads 'decoded' is trusting attacker-controlled claims.
    const decoded = jwt.decode(token)

    // FAIL: no 'algorithms' option, so the library picks its own default list from the
    //       shape of the secret instead of the server pinning one algorithm.
    // FAIL: hardcoded, low-entropy secret: it lives in source control and cracks offline.
    const verified = jwt.verify(token, 'my-secret-123')
    return verified
  }
}
```
The Secure Implementation
Two things are wrong with that verify call. First, it never states which algorithm the server accepts. When the 'algorithms' option is omitted, jsonwebtoken derives a default list from the shape of the key it is given and matches the token header's 'alg' against that list, rather than against a single value the server chose. With a string secret present the library does refuse an unsigned token, so a bare {'alg': 'none'} forgery does not get through on this exact code; but in jsonwebtoken 8.5.1 and earlier, if the secret was missing or empty (an unset JWT_SECRET in a misconfigured deployment, for example) and no 'algorithms' were given, verify() fell back to accepting 'none' and the attacker's signature-less token passed (CVE-2022-23540, fixed in 9.0.0, which now errors unless 'none' is listed explicitly). Passing algorithms: ['HS256'] removes the library's discretion in every version: the header is compared against the server's choice and anything else is rejected. Second, 'my-secret-123' is 13 bytes. RFC 7518 requires an HS256 key of at least 256 bits, and a short, wordlist-shaped secret lets anyone holding one valid token recover the key offline at HMAC speed and then sign tokens for any user. Loading the secret through AdonisJS Env.get('JWT_SECRET') keeps it out of source control; generate it as 32 random bytes (64 hex characters) and declare it in env.ts with Env.schema.string() so the application refuses to boot when the variable is missing, instead of reaching verify() with undefined.
```javascript
// SECURE: pinned algorithm, issuer check, high-entropy secret loaded from Env
import jwt from 'jsonwebtoken'
import Env from '@ioc:Adonis/Core/Env'

export default class AuthController {
  async login({ request, response }) {
    const authHeader = request.header('authorization')
    if (!authHeader) return response.unauthorized()

    // Accept only the Bearer scheme; anything else is a 401, not a parse attempt.
    const [scheme, token] = authHeader.split(' ')
    if (scheme !== 'Bearer' || !token) return response.unauthorized()

    try {
      // SUCCESS: the server pins HS256; a header claiming 'none', RS256 or anything else is rejected.
      // SUCCESS: the secret comes from Env, never from source. Declare JWT_SECRET in env.ts with
      //          Env.schema.string() so a missing value fails at boot instead of reaching verify().
      //          The value itself must be at least 256 bits (e.g. 64 hex characters).
      const payload = jwt.verify(token, Env.get('JWT_SECRET'), {
        algorithms: ['HS256'],
        issuer: 'my-adonis-app',
      })
      return payload
    } catch (error) {
      // 401, not 400: the request was well-formed, the credential was not accepted.
      return response.unauthorized('Invalid or expired token')
    }
  }
}
```
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.