DEV Community: akash The latest articles on DEV Community by akash (@akash_22). https://dev.to/akash_22 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F648015%2F4713e2bc-83f7-433b-b43d-005b051e5995.jpg DEV Community: akash https://dev.to/akash_22 en Authentication and Authorization: A Tale of Security, Flaws, and Fixes šŸ“ā€ā˜ ļø akash Sun, 08 Dec 2024 03:02:37 +0000 https://dev.to/akash_22/authentication-and-authorization-a-tale-of-security-flaws-and-fixes-333l https://dev.to/akash_22/authentication-and-authorization-a-tale-of-security-flaws-and-fixes-333l <h2> Introduction </h2> <p>Ah, authentication and authorization ā€” the Zoro and Sanji of the web security world. While authentication ensures you're who you say you are, authorization checks if you're allowed to board the Thousand Sunny. But just like the Grand Line, the digital world is full of surprises (and flaws).</p> <p>In this blog, weā€™ll dive into the challenges of implementing these systems, the common pitfalls we encountered in a real-world application, and, of course, the pirate solutions that saved the day. Along the way, weā€™ll make sure every developer, whether fresh-faced or experienced, can follow the logic and apply it to their own projects. šŸ“ā€ā˜ ļø</p> <h2> Observations: The Flaws That Lurk in the Shadows šŸ•µļøā€ā™‚ļø </h2> <h3> 1. <strong>Weak Token Security</strong> šŸ” </h3> <ul> <li> Tokens were being generated without explicitly setting a signing algorithm. This leaves the door open for attackers to tamper with tokens.</li> <li> Avoid setting expiry times to overly long durations, like one month. Itā€™s like leaving your treasure map out for anyone to grab over an extended period.</li> </ul> <h3> 2. <strong>Session Hijacking</strong> āš” </h3> <ul> <li> Session IDs lacked randomness. Imagine handing out sequential keys to the Thousand Sunny ā€” it wouldnā€™t take long for someone to guess the next one.</li> <li> While device-specific validation was implemented, itā€™s not enough without truly random session IDs to secure each user.</li> </ul> <h3> 3. <strong>Error Handling</strong> āš ļø </h3> <ul> <li> Error messages were revealing too much information. For example, telling users ā€œInvalid passwordā€ instead of ā€œInvalid credentialsā€ helps attackers figure out whatā€™s wrong.</li> </ul> <h3> 4. <strong>Brute Force Protection</strong> āš”ļø </h3> <ul> <li> Some sensitive endpoints had rate limiting, but others were left open to repeated attack attempts. Think of it as locking your treasure chest but leaving your shipā€™s door wide open.</li> </ul> <h3> 5. <strong>Role Validation</strong> šŸŽ­ </h3> <ul> <li> Some endpoints didnā€™t consistently check user roles. If roles like ā€œcaptainā€ or ā€œfirst mateā€ werenā€™t properly validated, it could lead to unauthorized crew members taking control of the ship.</li> </ul> <h3> 6. <strong>IDOR (Insecure Direct Object Reference)</strong> šŸ•µļøā€ā™‚ļø </h3> <ul> <li> There were no checks to ensure users could only access their own data. For example, if Usopp could see Zoroā€™s bounty just by changing a URL parameter, thatā€™s a classic IDOR vulnerability.</li> </ul> <h2> Solutions: The Pirate's Toolkit šŸ¦øā€ā™‚ļø </h2> <h3> 1. <strong>Token Security</strong> šŸ”‘ </h3> <ul> <li> Always explicitly set a signing algorithm (like HS256 or RS256) when generating JWTs. This ensures tokens are secure and tamper-proof.</li> <li> Reduce the expiry time to <strong>15 minutes</strong>, and introduce refresh tokens for longer sessions. Short-lived tokens minimize the risk of misuse if a token is stolen.</li> </ul> <h4> Example Code: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Secure token generation</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secretKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">HS256</span><span class="dl">'</span><span class="p">,</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">refreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="nx">payload</span><span class="p">,</span> <span class="nx">secretKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <h3> 2. <strong>Session Hijacking Prevention</strong> šŸ” </h3> <ul> <li> Generate truly random session IDs using libraries like <code>uuid</code>. These IDs should be impossible to predict.</li> <li> Use a caching system like Redis to validate sessions quickly, reducing database load and improving performance.</li> </ul> <h4> Example Code: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">storeSession</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">sessionId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">valid</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">EX</span><span class="dl">'</span><span class="p">,</span> <span class="mi">1800</span><span class="p">);</span> <span class="c1">// 30 min TTL</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">validateSession</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">sessionId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redisClient</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">userId</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isValid</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Session invalid or expired</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> 3. <strong>Error Handling</strong> šŸ›‘ </h3> <ul> <li> Use generic error messages to avoid giving attackers clues about what went wrong. For example: <ul> <li> Instead of ā€œInvalid password,ā€ use ā€œInvalid credentialsā€ to make brute force attacks harder.</li> </ul> </li> </ul> <h3> 4. <strong>Brute Force Protection</strong> šŸ›”ļø </h3> <ul> <li> Apply rate limiting to <strong>all</strong> sensitive endpoints, not just login.</li> <li> Add CAPTCHA for endpoints with repeated failed requests to block automated attacks.</li> </ul> <h4> Example Code: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">1</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute</span> <span class="na">max</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="c1">// limit each IP to 5 requests per windowMs</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests, please try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth</span><span class="dl">'</span><span class="p">,</span> <span class="nx">limiter</span><span class="p">);</span> </code></pre> </div> <h3> 5. <strong>Role Validation</strong> šŸŽ­ </h3> <ul> <li> Always check user roles before granting access to sensitive endpoints. For example, ensure only captains can access the shipā€™s command deck.</li> </ul> <h4> What is Role Validation? </h4> <p>Role validation ensures that users can only perform actions or access resources based on their assigned roles. For example:</p> <ul> <li> A regular crew member shouldnā€™t access the captainā€™s quarters.</li> <li> A quartermaster might have access to inventory but not the helm.</li> </ul> <h4> Example Code: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">hasRequiredRole</span> <span class="o">=</span> <span class="p">(</span><span class="nx">userRoles</span><span class="p">,</span> <span class="nx">requiredRoles</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">requiredRoles</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">role</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">userRoles</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">role</span><span class="p">));</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">hasRequiredRole</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">roles</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">captain</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">first mate</span><span class="dl">'</span><span class="p">]))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> 6. <strong>IDOR Prevention</strong> šŸ” </h3> <ul> <li> Validate that the requesting user owns the resource theyā€™re trying to access. This ensures users canā€™t tamper with URLs or data to access someone elseā€™s information.</li> </ul> <h4> Example Code: </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">validateOwnership</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">resourceId</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resource</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">resourceId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">resource</span> <span class="o">||</span> <span class="nx">resource</span><span class="p">.</span><span class="nx">ownerId</span> <span class="o">!==</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized access</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> Lessons Learned: Why This Matters šŸŽ“ </h2> <p>Building secure systems isnā€™t just about checking boxes; itā€™s about thinking like Buggy the Clown (but not becoming him). Every minor oversight is an opportunity for exploitation, and every fix is a step closer to a safer application.</p> <p>When designing security, think about all the ways an attacker might exploit the system. Always question whether the checks in place are robust enough to stop them. And donā€™t forget to involve your crew ā€” collaboration and peer reviews are essential.</p> <h2> Closing Thoughts šŸ </h2> <p>Security is a journey, not a destination. Start with the basics, iterate often, and always keep an eye on emerging threats. After all, in the world of web development, even the smallest flaw can open the gates to the Grand Lineā€™s most notorious pirates.</p> <p>Keep coding, stay secure, and maybe reward yourself with some meat on the bone like Luffy! šŸ–</p> <p><em>Happy securing!</em></p> javascript node authentication