Insecurely Generated Token - Validation - Elixir

Need

To prevent unauthorized user creation and protect the integrity of user data

Context

  • Usage of Elixir 1.12 for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework 1.6 for web development
  • Usage of Guardian 2.0 for authentication and authorization

Description

Non compliant code

        defmodule InsecureToken do
          # Guardian.peek/2 base64-decodes the header and payload of the JWT and
          # returns them WITHOUT checking the signature, so every value in
          # `claims` is whatever the client chose to send. MyApp.Guardian stands
          # for the application's `use Guardian` module (assumed name).
          def decode(token) do
            %{claims: claims} = Guardian.peek(MyApp.Guardian, token)
            IO.inspect(claims)
            # Returned to callers that then create users from these claims
            claims
          end
        end


In this code snippet the claims are read straight out of the JWT without the signature ever being verified, so the application treats client-supplied data as fact. An attacker can rewrite the payload (the subject, an e-mail, a role claim) or the header (for example changing the `alg` field to `none` or to a weaker algorithm) and the forged token is accepted, because nothing checks that the server actually issued it. Any action driven by those claims, such as creating users, can then be performed by anyone.

Steps

  • Verify the JWT signature against the server's secret before any claim is used; never build authorization decisions on Guardian.peek/2 or on a plain base64 decode of the payload
  • Pin the signing algorithm the server accepts (Guardian's allowed_algos, default ["HS512"]) so that `alg: none` and algorithm-substitution tokens are rejected; JWTs here are signed, not encrypted
  • Load the secret key from configuration or the environment as a long random value, not from a literal in source
  • Use Guardian's decode_and_verify/3, which checks the signature, the allowed algorithms and the registered claims (exp, nbf, iss), and handle the {:error, reason} tuple instead of letting an unverified token through
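The steps above put together as an added example (it is not code from the original page or from the Guardian project). It assumes an application named :my_app that depends on guardian, plug and jason, a Guardian implementation module MyApp.Guardian whose secret and algorithm list come from config, a Plug that only admits requests whose bearer token verifies, and a small demo that forges a claim to show the difference between verifying and merely decoding. All module, config and environment-variable names are assumptions.

```elixir
# Assumed runtime configuration (config/runtime.exs):
#
#   config :my_app, MyApp.Guardian,
#     issuer: "my_app",
#     secret_key: System.fetch_env!("GUARDIAN_SECRET_KEY"), # long random value, never in source
#     allowed_algos: ["HS512"],                             # pin the signing algorithm
#     ttl: {1, :hour}

defmodule MyApp.Guardian do
  # Assumed name for the application's Guardian implementation module.
  use Guardian, otp_app: :my_app

  @impl true
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_, _), do: {:error, :no_id}

  @impl true
  def resource_from_claims(%{"sub" => id}), do: {:ok, %{id: id}}
  def resource_from_claims(_), do: {:error, :no_sub}
end

defmodule MyAppWeb.RequireVerifiedToken do
  @moduledoc "Plug that admits a request only if its bearer JWT verifies (assumed name)."
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    # decode_and_verify/2 checks the signature with the configured secret,
    # rejects any alg outside allowed_algos, validates exp/nbf/iss, and
    # requires the literal claims given here ("typ" => "access").
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, claims} <- MyApp.Guardian.decode_and_verify(token, %{"typ" => "access"}),
         {:ok, user} <- MyApp.Guardian.resource_from_claims(claims) do
      assign(conn, :current_user, user)
    else
      # Missing header, bad signature, wrong algorithm, expired token and
      # wrong token type all land here; none of the claims are trusted.
      _ -> conn |> send_resp(401, "unauthorized") |> halt()
    end
  end
end

defmodule MyApp.TokenTamperDemo do
  @moduledoc "Forges a claim in a signed token and checks how each API reacts (assumed name)."

  # Rewrites one claim in the payload segment of a compact JWT and keeps the
  # original signature, which is what an attacker without the key can do.
  def tamper(token, claim, value) do
    [header, payload, signature] = String.split(token, ".")

    forged_payload =
      payload
      |> Base.url_decode64!(padding: false)
      |> Jason.decode!()
      |> Map.put(claim, value)
      |> Jason.encode!()
      |> Base.url_encode64(padding: false)

    Enum.join([header, forged_payload, signature], ".")
  end

  def run do
    {:ok, token, _claims} = MyApp.Guardian.encode_and_sign(%{id: 42})
    forged = tamper(token, "sub", "1")

    genuine = MyApp.Guardian.decode_and_verify(token)
    tampered = MyApp.Guardian.decode_and_verify(forged)
    # peek/2 happily returns the forged subject: it never looks at the signature
    peeked = Guardian.peek(MyApp.Guardian, forged).claims

    %{genuine: genuine, tampered: tampered, peeked_sub: peeked["sub"]}
  end
end
```

Running MyApp.TokenTamperDemo.run/0 with the configuration above gives an {:ok, claims} tuple for the genuine token, an {:error, _} tuple for the forged one, and the attacker-chosen "1" as the peeked subject, which is why only decode_and_verify results may drive user creation. Guardian verifies with JOSE.JWT.verify_strict/3, so the allowed_algos list is enforced on the token's alg header rather than trusting whatever algorithm the client names.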

Compliant code

        defmodule SecureToken do
          # MyApp.Guardian stands for the application's `use Guardian` module
          # (assumed name). The secret is read from config at runtime rather
          # than written into the source, and the accepted algorithm is pinned
          # so a token that names another algorithm (or "none") is rejected.
          def decode_and_verify(token) do
            secret = Application.fetch_env!(:my_app, :guardian_secret_key)

            case MyApp.Guardian.decode_and_verify(token, %{}, secret: secret, allowed_algos: ["HS512"]) do
              {:ok, claims} ->
                # Signature, algorithm and registered claims (exp, nbf, iss) verified
                {:ok, claims}

              {:error, reason} ->
                # Forged, expired or foreign token: the claims must not be used
                {:error, reason}
            end
          end
        end


In the secure version the signature is checked against the server's secret key before any claim is returned, and a token that fails verification yields an error tuple instead of a crash or a silently trusted payload. This guarantees the token's integrity and authenticity, so only tokens the server issued can drive user creation. Two caveats apply: the key must be a long unpredictable secret loaded from configuration or the environment, never a literal in source, and the set of accepted algorithms must be pinned on the server side so that an attacker cannot downgrade the check by editing the token header.

References