Share
## https://sploitus.com/exploit?id=FDA11F73-F96C-54AC-A13E-1645F1AFE068
# ๐Ÿ” Secure Auth API โ€” Built โ†’ Broken โ†’ Fixed

A hands-on security-focused Express.js API demonstrating real-world authentication and authorization vulnerabilities intentionally introduced, exploited, and then properly fixed.

This project was built to showcase practical backend security skills including JWT handling, access control, SQL injection prevention, rate limiting, and secure authorization design.

---

# ๐Ÿš€ Project Overview

This API supports:

- User registration and login
- JWT-based authentication
- Protected routes
- Notes CRUD operations
- Admin-only endpoint

It includes **five intentionally introduced vulnerabilities**, each documented with:

- Root cause
- Exploitation steps
- Security impact
- Proper fix implementation

---

# ๐Ÿ— Architecture

```

secure-auth-api/
โ”œโ”€โ”€ src/
โ”‚   โ”œโ”€โ”€ app.js
โ”‚   โ”œโ”€โ”€ db.js
โ”‚   โ”œโ”€โ”€ config.js
โ”‚   โ”œโ”€โ”€ auth/
โ”‚   โ”‚   โ”œโ”€โ”€ jwt.js
โ”‚   โ”‚   โ”œโ”€โ”€ middleware.js
โ”‚   โ”œโ”€โ”€ routes/
โ”‚   โ”‚   โ”œโ”€โ”€ auth.routes.js
โ”‚   โ”‚   โ”œโ”€โ”€ users.routes.js
โ”‚   โ”‚   โ”œโ”€โ”€ notes.routes.js
โ”‚   โ””โ”€โ”€ util/
โ”‚       โ”œโ”€โ”€ logger.js
โ”‚       โ”œโ”€โ”€ rateLimit.js
โ”‚
โ”œโ”€โ”€ attacks/
โ”‚   โ”œโ”€โ”€ 01-idor.md
โ”‚   โ”œโ”€โ”€ 02-sqli.md
โ”‚   โ”œโ”€โ”€ 03-weak-jwt.md
โ”‚   โ”œโ”€โ”€ 04-missing-rate-limit.md
โ”‚   โ””โ”€โ”€ 05-authz-bypass.md
โ”‚
โ”œโ”€โ”€ fixes/
โ”‚   โ”œโ”€โ”€ 01-idor.md
โ”‚   โ”œโ”€โ”€ 02-sqli.md
โ”‚   โ”œโ”€โ”€ 03-weak-jwt.md
โ”‚   โ”œโ”€โ”€ 04-rate-limit.md
โ”‚   โ””โ”€โ”€ 05-authz.md
โ”‚
โ”œโ”€โ”€ docker-compose.yml
โ””โ”€โ”€ README.md

```

---

# ๐Ÿงฑ Technology Stack

- Node.js
- Express.js
- PostgreSQL
- JWT (JSON Web Tokens)
- Docker
- PowerShell test scripts

---

# โ–ถ๏ธ How to Run

### 1๏ธโƒฃ Clone Repository

```

git clone 
cd secure-auth-api

```

### 2๏ธโƒฃ Configure Environment

Create `.env`:

```

JWT_SECRET=
JWT_EXPIRES_IN=15m

```

### 3๏ธโƒฃ Start with Docker

```

docker compose down -v
docker compose up --build


```

API runs at:

```

[http://localhost:3000](http://localhost:3000)

```

Login:

```

$respA = Invoke-RestMethod -Method Post -Uri "http://localhost:3000/auth/login" `
  -ContentType "application/json" `
  -Body (@{ email="a@example.com"; password="Passw0rd!" } | ConvertTo-Json)

$TOKEN_A = $respA.token


```

Health check:

```

GET /health
curl http://localhost:3000/health


```

---

# ๐Ÿ” Authentication Flow

1. `POST /auth/register`
2. `POST /auth/login`
3. Receive JWT
4. Use JWT in:

```

Authorization: Bearer 

```

Protected routes:

- `GET /me`
- `GET /notes`
- `POST /notes`
- `GET /notes/:id`
- `DELETE /notes/:id`
- `GET /admin/stats`

---

# ๐ŸŽฏ Vulnerabilities Demonstrated

## 1๏ธโƒฃ IDOR (Insecure Direct Object Reference)

- Accessing notes by ID without verifying ownership
- Fixed by enforcing owner validation in SQL query

---

## 2๏ธโƒฃ SQL Injection

- String concatenation in search query
- Exploitable via `OR 1=1`
- Fixed using parameterized queries

---

## 3๏ธโƒฃ Weak JWT Secret

- Hardcoded weak secret (`secret`)
- Tokens could be forged
- Fixed by enforcing strong environment-based secret

---

## 4๏ธโƒฃ Missing Rate Limiting

- Unlimited login attempts
- Enabled brute-force attacks
- Fixed with request throttling middleware

---

## 5๏ธโƒฃ Authorization Bypass (Privilege Escalation)

- Trusted `role` inside JWT
- Allowed forged admin tokens
- Fixed by verifying role from database

---

# ๐Ÿ›ก Security Principles Applied

- Proper JWT verification
- Strong secret management
- Parameterized SQL queries
- Rate limiting
- Server-side authorization enforcement
- Least privilege
- Defense in depth
- Do not trust client claims

---

# ๐Ÿงช Testing Attacks

Each vulnerability includes:

- Step-by-step reproduction
- Exploit commands
- Expected vulnerable behavior
- Post-fix validation

See:

```

/attacks
/fixes

```

---

# ๐Ÿ“š Threat Model (Simplified)

Assumed attacker capabilities:

- Authenticated user
- Ability to modify JWT payload
- Ability to send crafted HTTP requests
- No direct database access

Goals:

- Access other users' data
- Escalate privileges
- Extract unintended records
- Brute-force login

Mitigations implemented accordingly.

---

# ๐Ÿ“ˆ What This Project Demonstrates

- Practical backend security awareness
- Ability to intentionally create and analyze vulnerabilities
- Understanding of OWASP Top 10
- Secure coding practices
- Strong debugging and verification methodology
- Clear documentation skills

---

# ๐Ÿท OWASP Coverage

- A01 โ€“ Broken Access Control
- A03 โ€“ Injection
- A07 โ€“ Identification & Authentication Failures

---

# ๐Ÿ‘จโ€๐Ÿ’ป Author

Security-focused backend project built to demonstrate real-world vulnerability identification, exploitation, and remediation using modern Node.js architecture.

---

# ๐Ÿ“Œ Final Note

This project is intentionally educational.

It shows not only how vulnerabilities happen but how to fix them correctly.

Security is not about writing code.

It is about enforcing trust boundaries.