Background
JWT authentication implemented with the Hono framework on Cloudflare Workers; code review turned up several common security issues.
Issue 1: the token is decoded without signature verification, and the alg field is never checked
Before (the original snippet was lost in extraction; only its shape survives): a decode function splits the token on `.`, base64-decodes the parts with `atob`, and returns `JSON.parse` of the payload. There is no signature check and the header's `alg` is never looked at, so the server trusts whatever the client wrote into the token.

After (shape only): the shared secret is imported with `crypto.subtle.importKey` as an HMAC/SHA-256 key, the token is verified against that CryptoKey, the typed payload is returned, and a try/catch returns null on any failure instead of throwing.
Issue 2: error messages reveal whether a user exists
Before (shape only): two separate early returns, one when the user lookup fails (`if (!user)`) and one when the password check fails (`if (!validPassword)`), each with its own error message, so the response tells an attacker which usernames exist.

After: a single `if (!user || !validPassword)` branch that returns one generic error for both cases.
Issue 3: the JWT has no expiry
The fix (shape only; the original snippet was lost in extraction): a sign helper that spreads the caller's payload, adds an `exp` claim equal to the current Unix time in seconds plus a fixed lifetime, and signs the result with the secret. The verify side must enforce `exp` as well; setting it at signing time alone does nothing.
Checklist
- [ ] Use a mature library (hono/jwt, jose) instead of hand-written verification
- [ ] Pin the signature algorithm (HS256) on the verify side; never take it from the token header
- [ ] Set a reasonable exp (the fix above uses days; shorter lifetimes for access tokens if refresh tokens are available) and enforce it when verifying
- [ ] Use one generic error message for failed logins so responses do not reveal which usernames exist
- [ ] HTTPS transport (Cloudflare handles this automatically)