Skip to content

Latest commit

 

History

History
147 lines (109 loc) · 9.53 KB

mitigations.md

File metadata and controls

147 lines (109 loc) · 9.53 KB

Mitigation Strategies Analysis for tymondesigns/jwt-auth

Mitigation Strategy: Strong Secret and Explicit Algorithm Configuration

  • Description:

    1. Strong Secret: Use the php artisan jwt:secret command to generate a cryptographically secure random JWT_SECRET. Verify the generated key's length (at least 64 characters) and randomness.
    2. Explicit Algorithm: In config/jwt.php, explicitly set the algo key to the desired signing algorithm (e.g., 'RS256' or 'HS256'). Do not rely on the library's default.

  • Threats Mitigated:

    • JWT Secret Key Compromise: (Severity: Critical) - A strong secret makes it computationally infeasible to forge signatures.
    • Algorithm Confusion/Downgrade Attacks: (Severity: High) - Explicitly setting the algorithm prevents attackers from forcing the use of a weaker algorithm.

  • Impact:

    • JWT Secret Key Compromise: Risk significantly reduced (though secure storage and rotation are still crucial).
    • Algorithm Confusion/Downgrade Attacks: Risk significantly reduced.

  • Currently Implemented:

    • Strong Secret Generation: Partially implemented - php artisan jwt:secret is used, but key length/randomness verification is in App\Providers\AppServiceProvider.
    • Explicit Algorithm Configuration: Implemented - algo is set in config/jwt.php.

  • Missing Implementation:

    • None, assuming the secret is strong and the algorithm is correctly configured.

Mitigation Strategy: Short-Lived Tokens and Refresh Token Usage

  • Description:

    1. Short ttl: In config/jwt.php, set the ttl (time to live) to a short value (e.g., 15-60 minutes). This limits the lifespan of access tokens.
    2. Refresh Token Implementation: Utilize tymondesigns/jwt-auth's built-in refresh token functionality. This involves:
      • Using JWTAuth::refresh() to obtain a new access token using a valid refresh token.
      • Configuring the refresh token's time-to-live (refresh_ttl in config/jwt.php).

  • Threats Mitigated:

    • Token Replay Attacks: (Severity: High) - Short ttl reduces the window for replay.
    • Token Compromise: (Severity: High) - Limits the damage if an access token is stolen.

  • Impact:

    • Token Replay Attacks: Risk significantly reduced.
    • Token Compromise: Impact significantly reduced.

  • Currently Implemented:

    • Short ttl: Partially implemented - ttl is set, but could be shorter.
    • Refresh Token Implementation: Partially implemented - Refresh tokens are used, but not one-time use (one-time use is outside the direct scope of the library).

  • Missing Implementation:

    • ttl Optimization: Requires careful consideration of user experience and security trade-offs.

Mitigation Strategy: JWT ID (jti) Claim and Library's Blacklist (Cache-Based)

  • Description:

    1. jti Claim: Ensure that each issued JWT includes a unique jti (JWT ID) claim. tymondesigns/jwt-auth does this automatically.
    2. Library's Blacklist (Cache): Utilize the library's built-in, cache-based blacklist. This is the default behavior. When you invalidate a token (e.g., on logout), use JWTAuth::invalidate($token). This adds the jti to the cache. The library automatically checks the cache during token validation.

  • Threats Mitigated:

    • Token Replay Attacks: (Severity: High) - Prevents reuse of invalidated tokens (within the cache's limitations).
    • Token Compromise: (Severity: High) - Allows invalidation of compromised tokens (within the cache's limitations).

  • Impact:

    • Token Replay Attacks: Risk reduced, but the cache-based blacklist has limitations (see below).
    • Token Compromise: Impact reduced, but the cache-based blacklist has limitations.

  • Currently Implemented:

    • jti Claim: Implemented - Automatic by the library.
    • Library's Blacklist (Cache): Likely implemented (default behavior), but needs verification.

  • Missing Implementation:

    • Verification of Blacklist Usage: Ensure JWTAuth::invalidate($token) is being called correctly on logout and other invalidation events. The limitations of the cache-based blacklist (not persistent across server restarts or multiple instances) are important to understand. A database-backed blacklist is better but outside the scope of this focused list.

Mitigation Strategy: Secure Payload Handling (within Library Usage)

  • Description:

    1. Signature Verification: Always use JWTAuth::parseToken()->authenticate() (or equivalent methods like JWTAuth::attempt()) to validate the token's signature before accessing any data from the payload. This is the intended and correct way to use the library.
    2. Avoid Sensitive Data: Do not store sensitive data directly in the JWT payload.

  • Threats Mitigated:

    • Token Tampering (Payload Modification): (Severity: High) - Signature verification prevents unauthorized modification.

  • Impact:

    • Token Tampering: Risk reduced to near zero with correct library usage.

  • Currently Implemented:

    • Signature Verification: Implemented - Standard library usage.
    • Avoid Sensitive Data: Partially Implemented - Review payload.

  • Missing Implementation:

    • Payload Review: Requires a thorough review of the data currently included in the JWT payload.

Mitigation Strategy: Generic Error Messages (with Library Exceptions)

  • Description:

    1. Custom Exception Handling: Wrap calls to JWTAuth methods (e.g., parseToken, authenticate, refresh) in try-catch blocks. Specifically, catch exceptions of type Tymon\JWTAuth\Exceptions\JWTException and its subclasses (e.g., TokenExpiredException, TokenInvalidException).
    2. Generic Responses: In the catch block, do not return the specific exception message from the library to the client. Return a generic error message (e.g., "Unauthorized", "Invalid token") and an appropriate HTTP status code (e.g., 401).

  • Threats Mitigated:

    • Information Disclosure: (Severity: Medium) - Prevents attackers from gaining insights into the JWT validation process.

  • Impact:

    • Information Disclosure: Risk significantly reduced.

  • Currently Implemented:

    • Custom Exception Handling: Partially implemented - Some exception handling exists, but needs review for consistency and specific JWTException types.
    • Generic Responses: Partially implemented - Needs consistent application.

  • Missing Implementation:

    • Consistent Exception Handling and Generic Responses: Requires a review of all JWT-related code.

Mitigation Strategy: Standard Claims Validation (within Library Usage)

  • Description:

    1. iat (Issued At) Claim: tymondesigns/jwt-auth automatically includes and validates iat.
    2. exp (Expiration Time) Claim: tymondesigns/jwt-auth automatically includes and validates exp based on the configured ttl.
    3. nbf (Not Before) Claim: If you use nbf, tymondesigns/jwt-auth will validate it. You would set this when creating the token if needed.
    4. aud (Audience) Claim: While the library doesn't enforce aud validation, you can easily add it.
      • When creating the token, include the aud claim: $token = JWTAuth::claims(['aud' => 'your-audience'])->attempt($credentials);
      • After retrieving the payload (but before full authentication), check the aud claim: 
        try {
    $payload = JWTAuth::getPayload($token); // Get payload *without* full validation
    if ($payload['aud'] !== 'your-audience') {
        // Handle invalid audience
        return response()->json(['error' => 'Invalid audience'], 401);
    }
    $user = JWTAuth::parseToken()->authenticate(); // Now do full validation
} catch (JWTException $e) {
    // Handle other JWT exceptions
    return response()->json(['error' => 'Invalid token'], 401);
}

  • Threats Mitigated:

    • Token Misuse: (Severity: Medium) - aud prevents tokens intended for one application from being used in another.
    • Token Replay (with iat, exp and nbf): (Severity: Medium)

  • Impact:

    • Token Misuse: Risk significantly reduced if aud is properly implemented.
    • Token Replay: Risk slightly reduced.

  • Currently Implemented:

    • iat Claim: Implemented (automatic).
    • exp Claim: Implemented (automatic).
    • nbf Claim: Not implemented (but supported if used).
    • aud Claim: Not implemented.

  • Missing Implementation:

    • aud Claim: Requires adding the claim when creating tokens and adding the validation check shown above.
    • nbf Claim: Only if you need to issue tokens that are not valid until a future time.