
🐞 Recipe: auth-jwt - Ineffective implementation due to various bugs #2868

@djames-bloom

Description

Fiber version/commit
v2

Issue description

This recipe has a number of issues that at best are broken and teach bad practices, and at worst are dangerous for users to follow as an implementation guide.

I believe this recipe should be recreated to follow standards, have clear documentation, and act securely.

  • The documentation for this recipe is incorrect and unsafely implements the JWT middleware, causing it to be susceptible to hijacking/spoofing.

  • The user GET method is not protected, as is mentioned in the documentation, leading to being able to view other users' PII.

  • Tokens are not invalidated after account deletion, allowing a user to continue accessing the API after deleting their account.

  • It additionally does not follow best-practice standards for error checking, and uses magic numbers when constants are available in Go core.

e.g.

return c.Status(500).JSON(fiber.Map{"status": "error", "message": "Not valid user", "data": nil})

vs

return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"status": "error", "message": "Not valid user", "data": nil})

Expected behavior

  1. Able to register by following the documentation
  2. Nil secret HS256 JWTs should never be issued/valid
  3. Should not be able to view PII of other users
  4. JWT should be invalidated when an account is deleted
  5. Standards should be followed for error handling

Steps to reproduce

Spoofing:

  1. Follow instructions for the recipe, do not set a value for the SECRET environment variable
  2. You will not be able to create a user at the first stage
  3. Instead send the POST request to the /api/user route for it to succeed
  4. Make a second call to create a second user
  5. Call api/auth/login using the login details for the first user
  6. Manually edit the content of the token using jwt.io or similar to set "user_id": 99999
  7. Use cURL to call DELETE on route api/user/2
  8. If no secret is set, this token will be valid and user 2 will be marked as deleted

PII access:

  1. Create multiple accounts as above
  2. Attempt to access the /api/user/:id route without a JWT
  3. See that all details, including email and password hash are returned for any valid user ID

Deletion:

  1. Create an account following the above rectified steps
  2. Call the DELETE method against your user
  3. An Error 500 response will be thrown with the following body (including mismatched error codes):
{
    "data":{
        "code":422,
        "message":"Unprocessable Entity"
    },
    "message":"Review your input",
    "status":"error"
}
  4. Include the undocumented body param and content type in the request
  5. Attempt to access a protected route
  6. The response will be successful as the JWT has not been invalidated on account deletion
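The following is an added, standard-library-only Go example (not code from the gofiber recipe or from the issue author) that models two of the failure modes reported above and their fixes: an HS256 verifier that accepts a token forged with an empty key when SECRET is unset, versus a constructor that refuses to start with a key shorter than the 32 bytes RFC 7518 §3.2 requires for HS256, plus a deletion record that rejects any token minted at or before the account was deleted. The `Claims` shape, the in-memory `deletedAt` map, the 32-byte key string and the `user_id` values are constructed for this illustration; the route-level PII exposure cannot be shown without the framework and is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload shape assumed here: "user_id" is the claim named in
// the issue; iat is the standard RFC 7519 issued-at claim.
type Claims struct {
	UserID   int   `json:"user_id"`
	IssuedAt int64 `json:"iat"`
}

var (
	ErrWeakSecret     = errors.New("jwt: HS256 secret unset or shorter than 32 bytes")
	ErrMalformed      = errors.New("jwt: malformed token")
	ErrBadSignature   = errors.New("jwt: signature verification failed")
	ErrAccountDeleted = errors.New("jwt: token belongs to a deleted account")
)

var b64 = base64.RawURLEncoding

// SignHS256 mints a token with whatever key it is given, including an empty
// one. That is the failure the issue reports: with SECRET unset, HMAC over an
// empty key still verifies, so anyone can edit the claims and re-sign.
func SignHS256(c Claims, secret []byte) string {
	payload, _ := json.Marshal(c) // Claims has no unmarshalable fields
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verifier holds the signing key and a hypothetical in-memory record of when
// each account was deleted (a real service would persist this).
type Verifier struct {
	secret    []byte
	deletedAt map[int]time.Time
}

// NewVerifier refuses to start without a real key: RFC 7518 §3.2 requires an
// HS256 key at least as long as the hash output, i.e. 32 bytes.
func NewVerifier(secret string) (*Verifier, error) {
	if len(secret) < sha256.Size {
		return nil, ErrWeakSecret
	}
	return &Verifier{secret: []byte(secret), deletedAt: map[int]time.Time{}}, nil
}

// DeleteAccount records the deletion instant; tokens minted at or before it
// are rejected from then on, which is the invalidation the issue asks for.
func (v *Verifier) DeleteAccount(userID int, at time.Time) { v.deletedAt[userID] = at }

// Verify pins the algorithm, checks the signature in constant time, then
// enforces the deletion state.
func (v *Verifier) Verify(token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrMalformed
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return c, ErrMalformed
	}
	if hdr.Alg != "HS256" { // never honour alg:none or an algorithm swap
		return c, ErrBadSignature
	}
	mac := hmac.New(sha256.New, v.secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, ErrBadSignature
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, ErrMalformed
	}
	if del, ok := v.deletedAt[c.UserID]; ok && !time.Unix(c.IssuedAt, 0).After(del) {
		return c, ErrAccountDeleted
	}
	return c, nil
}

// ForgedTokenAccepted reproduces the "Spoofing" steps against a server built
// with an empty secret (struct literal, bypassing NewVerifier, as an unset
// SECRET effectively does): the attacker re-signs user_id 99999 with "".
func ForgedTokenAccepted() bool {
	server := &Verifier{secret: []byte(""), deletedAt: map[int]time.Time{}}
	forged := SignHS256(Claims{UserID: 99999, IssuedAt: 1_700_000_000}, []byte(""))
	_, err := server.Verify(forged, time.Unix(1_700_000_010, 0))
	return err == nil
}

// DeletionScenario follows the "Deletion" steps on the hardened verifier with
// a constructed 32-byte key and returns the results before and after deletion.
func DeletionScenario() (before, after error) {
	v, _ := NewVerifier("0123456789abcdef0123456789abcdef")
	tok := SignHS256(Claims{UserID: 2, IssuedAt: 1_700_000_000}, v.secret)
	_, before = v.Verify(tok, time.Unix(1_700_000_005, 0))
	v.DeleteAccount(2, time.Unix(1_700_000_010, 0))
	_, after = v.Verify(tok, time.Unix(1_700_000_020, 0))
	return before, after
}

func main() {
	fmt.Println("forged token accepted by unhardened server:", ForgedTokenAccepted())
	_, err := NewVerifier("")
	fmt.Println("hardened startup with empty SECRET:", err)
	before, after := DeletionScenario()
	fmt.Println("before deletion:", before, "| after deletion:", after)
}
```

Rejecting the empty key at startup is what stops the spoofing path: the same forged token, presented to a verifier built through `NewVerifier`, fails `hmac.Equal` because the attacker no longer knows the key. The deletion check compares `iat` against the recorded deletion time, so a token that was valid one second before the DELETE call is dead one second after it without keeping a per-token blocklist.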
