Business Information Leak - JWT - Elixir

Need

Prevent leakage of sensitive business information through JWTs

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Guardian for authentication and authorization

Description

Non compliant code

        defmodule MyApp.Guardian do
          use Guardian, otp_app: :my_app

          def subject_for_token(user, _claims) do
            {:ok, "User:#{user.id}"}
          end

          # The password is carried as a JWT claim and read back from the
          # token payload, which any holder of the token can decode.
          def resource_from_claims(claims) do
            {:ok, %{username: claims["sub"], password: claims["password"]}}
          end
        end


The code treats the username and password as JWT claims, so the token carries sensitive user information. A JWT payload is only base64url-encoded, not encrypted, so anyone who obtains the token can decode it and read this information without knowing the signing key.

Steps

  • Remove sensitive information from the JWT.
  • Handle sensitive information on the server side and not include it in JWTs.

Compliant code

        defmodule MyApp.Guardian do
          use Guardian, otp_app: :my_app

          def subject_for_token(user, _claims) do
            {:ok, "User:#{user.id}"}
          end

          # Only the subject (the user ID) is read from the token; any other
          # user data is looked up on the server side.
          def resource_from_claims(claims) do
            {:ok, %{user_id: claims["sub"]}}
          end
        end


The code generates JWTs that carry only the user ID as the subject, and no other sensitive information such as the username or password. Thus, even if an attacker obtains the JWT, they cannot read sensitive business information from it.
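The following is an added example, not code from the original page or from Guardian: an audit helper that decodes a token's payload without the signing key, to show why a sensitive claim is readable by anyone holding the token, and a build_claims/3 callback that extends the compliant module so sensitive keys passed to encode_and_sign/3 are dropped before signing. The MyApp.TokenAudit module, the sensitive-key list and the sample token are constructed for this example; Jason is assumed to be the available JSON library.

```elixir
defmodule MyApp.TokenAudit do
  # Constructed list of claim names that must never appear in a token.
  @sensitive ~w(password password_hash email ssn credit_card)

  # Constructed sample: a token whose payload carries a password claim.
  # The signature segment is a placeholder; the payload is what matters here.
  def sample_token do
    encode = &Base.url_encode64(Jason.encode!(&1), padding: false)
    header = encode.(%{"alg" => "HS512", "typ" => "JWT"})
    payload = encode.(%{"sub" => "User:42", "password" => "hunter2"})
    "#{header}.#{payload}.placeholder-signature"
  end

  # The payload is the second dot-separated segment, base64url without
  # padding. No key is needed to read it; the key only verifies it.
  def claims_without_verifying(token) do
    [_header, payload, _signature] = String.split(token, ".")
    payload |> Base.url_decode64!(padding: false) |> Jason.decode!()
  end

  # Names of sensitive claims present in the token, so a test suite or
  # a log review can flag tokens that would leak business data.
  def leaked_claims(token) do
    token
    |> claims_without_verifying()
    |> Map.keys()
    |> Enum.filter(&(&1 in @sensitive))
  end
end

# Extends the compliant MyApp.Guardian with build_claims/3, which Guardian
# calls before signing: any sensitive key a caller passed through
# encode_and_sign/3 is dropped so it never reaches the readable payload.
defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  @sensitive ~w(password password_hash email ssn credit_card)

  def subject_for_token(user, _claims), do: {:ok, "User:#{user.id}"}

  def resource_from_claims(%{"sub" => "User:" <> id}), do: {:ok, %{user_id: id}}
  def resource_from_claims(_claims), do: {:error, :invalid_subject}

  def build_claims(claims, _resource, _opts), do: {:ok, Map.drop(claims, @sensitive)}
end

MyApp.TokenAudit.sample_token()
|> MyApp.TokenAudit.leaked_claims()
|> IO.inspect(label: "sensitive claims in sample token")
```

Running leaked_claims/1 over tokens captured in a test suite gives a cheap regression check that no sensitive claim creeps back into the payload.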
