Unicode Normalization in Feathersjs with Hmac Signatures

Unicode normalization inconsistencies can undermine Hmac signature verification in FeathersJS when user-controlled strings are included in the signed payload. FeathersJS allows hooks and services to process parameters such as userId, email addresses, or arbitrary metadata before signing data with Hmac. If the framework or application does not enforce a canonical normalization form, an attacker can supply equivalent but visually identical strings that produce different byte representations. For example, the character “é” can be represented as a single code point U+00E9 or as the two-code-point sequence U+0065 U+0301. Without normalization, these two forms may generate different Hmac outputs, enabling signature bypass or comparison confusion when the server normalizes differently than the client or an intermediary component.

In FeathersJS, this becomes a security concern when Hmac signatures are used for webhook verification, message authentication between services, or integrity checks of request payloads. An attacker who controls a parameter included in the signed data could exploit normalization mismatches to forge valid signatures or cause the application to accept tampered data. Consider a webhook handler that signs the entire JSON payload; if a client sends a user-supplied field such as email in a non-canonical Unicode form and the server normalizes it before signing, the signature verification will fail or, worse, succeed on a modified payload if the server incorrectly re-normalizes or compares strings.

Additionally, normalization issues interact with Hmac key handling and encoding. If FeathersJS or an underlying library decodes or encodes strings inconsistently—such as converting to UTF-8 at different stages—the byte sequence fed into the Hmac algorithm may diverge between sender and receiver. This can lead to subtle vulnerabilities where identical logical inputs produce different signatures, undermining integrity guarantees. Attack patterns such as injection through metadata fields or authentication bypass via crafted Unicode inputs become feasible when normalization is not applied deterministically before signing.

To detect such issues, middleBrick scans can identify whether an API endpoint accepts user-controlled string data used in security-sensitive operations like Hmac signing and whether normalization is applied consistently. The scanner checks for missing input validation controls and inconsistencies in string handling that could lead to signature confusion, providing prioritized findings and remediation guidance mapped to frameworks such as OWASP API Top 10 and relevant compliance standards.

Remediation centers on enforcing Unicode normalization before any data is included in the Hmac computation and ensuring consistent encoding across clients and servers. In FeathersJS, implement a normalization hook or service utility that transforms strings into a canonical form, such as NFC or NFD, using a stable library. Always normalize before concatenating or signing, and apply the same normalization to any data used for signature verification.

Below are concrete code examples for FeathersJS that demonstrate secure handling of Hmac signatures with Unicode normalization.

const crypto = require('crypto');
const { normalize } = require('unorm');

// Utility to create a stable Hmac signature
function createHmacSignature(payload, secret) {
  // Ensure string fields are normalized to NFC (or your chosen form)
  const normalizedPayload = Object.keys(payload).sort().map(key => {
    const value = typeof payload[key] === 'string' ? normalize.nfc(payload[key]) : payload[key];
    return `${key}=${value}`;
  }).join('&');

  return crypto.createHmac('sha256', secret).update(normalizedPayload, 'utf8').digest('hex');
}

// Example FeathersJS hook that adds an Hmac signature to headers
const { iff, isProvider } = require('feathers-hooks-common');

exports.hmacSign = context => {
  if (isProvider('external') && context.method === 'create') {
    const secret = process.env.HMAC_SECRET;
    const data = context.data;
    const signature = createHmacSignature(data, secret);
    context.headers['X-API-Signature'] = signature;
  }
  return context;
};

// Example verification in a FeathersJS service or hook
exports.verifyHmac = context => {
  const signature = context.headers['x-api-signature'];
  if (!signature) {
    throw new Error('Missing signature');
  }
  const secret = process.env.HMAC_SECRET;
  const data = context.data;
  const expected = createHmacSignature(data, secret);
  // Use timing-safe compare
  if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    throw new Error('Invalid signature');
  }
  return context;
};

Key points in the examples:

• Normalization is applied to string values before inclusion in the signed payload using unorm to enforce NFC, which is widely adopted for canonical representation.
• Fields are sorted by key to ensure deterministic ordering, preventing signature divergence due to property order differences.
• A constant-time comparison using crypto.timingSafeEqual mitigates timing attacks on the signature verification.
• The signing logic is encapsulated in a reusable function, reducing the risk of inconsistent application across services or hooks.

For production use, maintain strict control over which fields are included in the signed payload and avoid incorporating user-controlled strings that could introduce normalization variability unless they are normalized consistently. middleBrick’s CLI can be used to scan FeathersJS endpoints for missing input validation and inconsistent string handling, providing actionable findings and remediation steps aligned with secure coding practices.