Business Information Leak - JWT
Need
Prevent leakage of sensitive business information through JWTs
Context
- Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
- Usage of Guardian for authentication and authorization
Description
Non-compliant code
defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # The subject claim ("sub") only carries the user ID.
  def subject_for_token(user, _claims) do
    {:ok, "User:#{user.id}"}
  end

  # Rebuilds the resource from claims stored in the token itself, so the
  # username and password must have been placed in the JWT payload.
  def resource_from_claims(claims) do
    {:ok, %{username: claims["sub"], password: claims["password"]}}
  end
end
The code reads the username and password back out of the token's claims, which means those values are stored in the JWT payload. A JWT payload is only base64url-encoded, not encrypted, so an attacker who obtains the token can decode it and read this sensitive information without knowing the signing key.
Steps
- Remove sensitive information from the JWT.
- Handle sensitive information on the server side and do not include it in JWTs.
Compliant code
defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  # The subject claim ("sub") only carries the user ID.
  def subject_for_token(user, _claims) do
    {:ok, "User:#{user.id}"}
  end

  # Only the user ID is taken from the token; everything else is looked up
  # server-side.
  def resource_from_claims(claims) do
    {:ok, %{user_id: claims["sub"]}}
  end
end
The token now carries only the user ID in the "sub" claim; the username, password and any other sensitive data stay on the server. Thus, even if an attacker obtains the JWT, they cannot read sensitive business information from it.
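To make the difference between the two modules concrete, the following added example (not part of this entry, and independent of Guardian) builds an HS256 JWT from a set of claims, then reads the payload back without the key and flags claim names from a constructed sensitive list; the claims, key and list are all assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Claim names that must never appear in a JWT payload (constructed list for
# this example). The payload is only base64url-encoded, so anyone holding the
# token can read these values without the signing key.
SENSITIVE_CLAIMS = {"username", "password", "password_hash", "ssn", "api_key"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) from the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def readable_claims(token: str) -> dict:
    """Return the payload of a JWT using no key at all: the signature only
    protects integrity, not confidentiality."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def leaked_claims(token: str) -> set:
    """Sensitive claim names visible in the token; an empty set means no leak."""
    return set(readable_claims(token)) & SENSITIVE_CLAIMS


if __name__ == "__main__":
    key = b"constructed-demo-key"
    # Mirrors the non-compliant module: username and password end up in the token.
    bad = sign_hs256({"sub": "User:42", "username": "alice", "password": "hunter2"}, key)
    # Mirrors the compliant module: only the subject (user ID) is in the token.
    good = sign_hs256({"sub": "User:42"}, key)
    print(readable_claims(bad))  # {'sub': 'User:42', 'username': 'alice', 'password': 'hunter2'}
    print(leaked_claims(bad))    # {'username', 'password'}
    print(leaked_claims(good))   # set()
```

A check like `leaked_claims` fits naturally in a test suite that signs a token for a fixture user and asserts the result is empty.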