HIGH token leakagefeathersjshmac signatures

Token Leakage in Feathersjs with Hmac Signatures

Scan for token leakage in feathersjs

Token Leakage in Feathersjs with Hmac Signatures — how this specific combination creates or exposes the vulnerability

FeathersJS is a framework for real-time web applications that commonly uses JWTs for authentication. When Hmac Signatures are used to sign tokens, token leakage can still occur through multiple channels despite the cryptographic integrity of the signature. Token leakage refers to the unintended exposure of authentication tokens, which can lead to account takeover or privilege escalation.

One common scenario in FeathersJS applications is logging or debugging output that inadvertently includes the full token. For example, if an error handler prints the token to the console or includes it in error responses, attackers with log access can harvest valid tokens. Another vector is client-side storage: storing the Hmac-signed token in local storage or insecure cookies makes it susceptible to cross-site scripting (XSS) theft. Even with a strong Hmac signature, once the token is leaked, an attacker can replay it until expiration.

Additionally, misconfigured CORS or missing secure flags on cookies can expose tokens in transit or allow cross-origin leakage. FeathersJS services that rely on Hmac Signatures must ensure tokens are transmitted over HTTPS and are not embedded in URLs or query parameters, which can be logged in server access logs or browser history. The signature itself does not prevent leakage; it only ensures that a stolen token has not been tampered with. Therefore, protecting the token at every layer — storage, transmission, and handling — is essential.

Real-world patterns include services using the @feathersjs/authentication-jwt hook where the token is attached to the response object without proper sanitization. If the response is logged in full (e.g., via middleware or client-side debugging), the token is exposed. Another pattern is the use of non-HTTPS endpoints during development, which allows token interception on the network path.

Consider the OWASP API Top 10 risk Broken Object Level Authorization (BOLA); leaked tokens can directly enable BOLA attacks when an attacker uses a valid token to access another user’s resources. While Hmac Signatures protect integrity, they do not mitigate exposure. Proper remediation requires strict control over where and how tokens are stored, transmitted, and logged.

Hmac Signatures-Specific Remediation in Feathersjs — concrete code fixes

To mitigate token leakage when using Hmac Signatures in FeathersJS, focus on secure token handling, transport, and logging hygiene. Below are concrete code examples and configuration steps.

1. Secure Token Transmission with HTTPS and Secure Cookies

Ensure tokens are only sent over HTTPS and stored in cookies with the Secure and HttpOnly flags. Here is a FeathersJS hook that enforces secure transport:

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const app = express(feathers());

app.configure(express.rest());
app.configure(express.socketio());

// Middleware to enforce HTTPS in production
app.use((req, res, next) => {
  if (process.env.NODE_ENV === 'production' && !req.secure) {
    return res.status(403).send('HTTPS required');
  }
  next();
});

// Configure authentication with secure cookies
const authentication = require('@feathersjs/authentication');
const jwt = require('@feathersjs/authentication-jwt');

app.configure(authentication({
  secret: process.env.AUTH_SECRET,
  strategies: ['jwt'],
  cookieOptions: {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict'
  }
}));

app.use('/authentication', authentication());
app.use('/authentication', jwt());

2. Avoid Logging Tokens in Error Handling

Ensure that error handlers do not include tokens in logs or responses. Customize the error formatter in FeathersJS:

app.set('errors', {
  formatter: (error, stack, options) => {
    // Remove token from error before logging
    const safeError = { ...error };
    if (safeError.accessToken) {
      safeError.accessToken = '[REDACTED]';
    }
    if (safeError.refreshToken) {
      safeError.refreshToken = '[REDACTED]';
    }
    if (process.env.NODE_ENV !== 'test') {
      console.error(safeError);
    }
    return safeError;
  }
});

3. Validate Token Storage on the Client

When using Hmac Signatures, instruct clients to store tokens in memory or in secure, same-site cookies rather than local storage. Example client-side initialization with secure settings:

import { AuthenticationService } from '@feathersjs/authentication-client';
import { JwtService } from '@feathersjs/authentication-client';

const authService = new AuthenticationService('/authentication', {
  storage: {
    getItem: (key) => sessionStorage.getItem(key),
    setItem: (key, value) => sessionStorage.setItem(key, value),
    removeItem: (key) => sessionStorage.removeItem(key)
  }
});

const jwt = new JwtService(authService);

4. Middleware to Strip Tokens from Logs

Add an Express middleware to scrub tokens from request logs:

app.use((req, res, next) => {
  if (req.headers.authorization) {
    req.headers.authorization = 'Bearer [REDACTED]';
  }
  next();
});

These steps ensure that Hmac-signed tokens remain protected against leakage while preserving the integrity checks provided by the signature mechanism.

Scan for token leakage in feathersjs Free API security scan

Frequently Asked Questions

Can Hmac-signed tokens in FeathersJS be safely stored in local storage?
No. Storing Hmac-signed tokens in local storage increases the risk of XSS-based token theft. Use secure, HttpOnly cookies or in-memory storage instead.
Does Hmac signature prevent token leakage in FeathersJS?
No. Hmac signatures ensure token integrity but do not prevent exposure. Secure storage, HTTPS, and logging hygiene are required to prevent leakage.

Related Pages

Token Leakage in FeathersjsToken leakage in Feathersjs applications exposes JWT tokens through URLs, logs, and insecure channels. Learn Feathersjs-Token Leakage with Hmac SignaturesLearn how HMAC signature tokens leak through logging, timing oracles, and network capture, with specific detection methoToken Leakage in Feathersjs on GcpDetect and remediate token leakage in FeathersJS on GCP with concrete hooks, Secret Manager integration, and IAM guidancToken Leakage in Feathersjs on KubernetesToken leakage in Feathersjs on Kubernetes: causes, log exposure, and secure configuration practices.Token Leakage in Feathersjs on NetlifyToken Leakage in FeathersJS on Netlify: causes, risks, and code fixes for secure cookies, headers, and Netlify configs.Token Leakage in Feathersjs on CloudflareToken leakage in Feathersjs behind Cloudflare: causes and remediation with secure code examples and CORS hardening.Owasp Api Top 10: Token Leakage in FeathersjsExplore OWASP API Top 10 Token Leakage in FeathersJS with real code examples, remediation steps, and how middleBrick scaHipaa: Token Leakage in FeathersjsHIPAA considerations for token leakage in FeathersJS, with secure token handling code examples and remediation guidance.Gdpr: Token Leakage in FeathersjsGDPR in FeathersJS token leakage: risks and concrete hook-based fixes to protect tokens and comply with data protection Nist: Token Leakage in FeathersjsExplore NIST controls for token leakage in FeathersJS—real code fixes, hooks, transport security, and remediation guidanToken Leakage in Feathersjs with DynamodbToken leakage in Feathersjs with DynamoDB: causes and concrete remediation code examples to prevent exposure of tokens iToken Leakage in Feathersjs with CockroachdbToken leakage in Feathersjs with Cockroachdb: causes, secure query patterns, and field filtering code examples.