Password Spraying in Fiber with Jwt Tokens

Password spraying is an authentication technique where an attacker uses a small number of commonly used passwords against many accounts, aiming to avoid account lockouts triggered by per-account rate limits. When an API built with Fiber issues JWT tokens after verifying user credentials, the interaction between session establishment and token issuance can expose behavior that aids spraying.

In a typical Fiber login handler, the application parses a JSON payload, looks up the user by identifier (such as email), and compares the supplied password with a stored hash. If the comparison fails, many implementations return a generic error and proceed without incrementing a per-identifier attempt counter. An attacker can therefore iterate through a list of users while supplying a single common password, invoking the login route repeatedly. Each request may result in a JWT token being issued only when credentials match, but the timing difference and HTTP status codes can reveal whether a given user exists, enabling the attacker to build a list of valid accounts for future targeted attacks.

Because JWT tokens are often used for stateless authentication, the API may rely on a predictable signing key and include claims such as subject and expiration. If login endpoints do not enforce global rate limiting or consistent response behavior across users, an attacker can launch a password spraying campaign that appears as distinct authentication attempts rather than a single credential brute-force against one account. This is particularly effective when the API does not throttle requests per IP, per user identifier, or per token issuance operation. Compromised credentials obtained via spraying can lead to unauthorized access, privilege escalation, and lateral movement within systems that trust the issued JWT tokens.

During a black-box scan, middleBrick evaluates whether the authentication surface exhibits timing or status-code inconsistencies across users, whether JWT tokens are issued after failed attempts, and whether rate limiting is applied at the appropriate layer. Findings are reported with severity ratings and remediation guidance, aligned with OWASP API Top 10 categories such as Broken Authentication and Excessive Data Exposure.

To mitigate password spraying risks while using JWT tokens in Fiber, ensure that authentication logic enforces consistent response behavior, applies rate limiting, and avoids leaking account existence through timing or status codes. Below are concrete code examples that demonstrate secure patterns for login and token issuance.

First, define a structure for credentials and a deterministic comparison flow. Use a constant-time comparison for password hashes and return the same HTTP status and generic message regardless of whether the user exists or the password is incorrect. This prevents attackers from inferring valid accounts.

// secure_login.go
package main

import (
	"context"
	"crypto/subtle"
	"net/http"
	"time"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/limiter"
	"github.com/golang-jwt/jwt/v5"
)

type Credentials struct {
	Email    string `json:"email"`
	Password string `json:"password"`
}

// Simulated user store and password hash comparison
func getUserByEmail(email string) (userID string, storedHash string, exists bool) {
	// Replace with real data access
	if email == "user@example.com" {
		return "123", "hashedpassword", true
	}
	return "", "", false
}

// Constant-time check to avoid timing leaks
func safeCompare(stored, supplied string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(supplied)) == 1
}

// Dummy signing key and method; rotate in production
var jwtSecret = []byte("very-secure-secret-key-do-not-leak")

func issueToken(userID string) (string, error) {
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"sub": userID,
		"iat": time.Now().Unix(),
		"exp": time.Now().Add(time.Hour * time.Duration(24)).Unix(),
	})
	return token.SignedString(jwtSecret)
}

func loginHandler(c *fiber.Ctx) error {
	var creds Credentials
	if err := c.BodyParser(&creds); err != nil {
		// Always return the same status and message
		return c.Status(http.StatusUnauthorized).JSON(fiber.Map{"error": "invalid credentials"})
	}

	userID, storedHash, exists := getUserByEmail(creds.Email)
	// Simulate hash comparison even when user does not exist to prevent timing leaks
	suppliedHash := creds.Password // In practice, this would be a hash comparison
	_ = safeCompare(storedHash, suppliedHash)

	// Enforce rate limiting via middleware; ensure global limits are applied
	if !exists || !safeCompare(storedHash, suppliedHash) {
		// Delay to reduce timing distinguishability
		time.Sleep(500 * time.Millisecond)
		return c.Status(http.StatusUnauthorized).JSON(fiber.Map{"error": "invalid credentials"})
	}

	token, err := issueToken(userID)
	if err != nil {
		return c.Status(http.StatusInternalServerError).JSON(fiber.Map{"error": "authentication service unavailable"})
	}

	return c.JSON(fiber.Map{"token": token})
}

func main() {
	app := fiber.New()
	// Apply rate limiting to protect authentication endpoints
	app.Use("/login", limiter.New(limiter.Config{
		Max:        30,
		Expiration: 1 * time.Minute,
	}))

	app.Post("/login", loginHandler)
	app.Listen(":3000")
}

Second, enforce global rate limiting at a layer that applies across all users and endpoints issuing JWT tokens. The example above uses Fiber middleware to cap login attempts, but you should also monitor anomaly patterns such as repeated requests for different users with the same password. Combine this with secure token practices: set short expirations, use strong signing keys, and avoid embedding sensitive claims in the token payload.

Finally, validate and sanitize all inputs to reduce injection risks that could bypass authentication. middleBrick scans can verify that your login route exhibits consistent response behavior, enforces rate limits, and does not leak information via status codes or timing. Use the CLI (middlebrick scan <url>) or the GitHub Action to integrate checks into your CI/CD pipeline, and consider the Pro plan for continuous monitoring of authentication endpoints.