C
C#•10mo ago
Bordin

Securing API with jwt

Hey, I am building the apis for the user. After user logs in he receive a JWT token which gives him access to the rest of the APIs. He now have access to updating his profile picture API which requests two things 1- picture (PNG, gif, jpeg) 2- his Id After filling these the APIchecks if the id matches the IDhe has in his JWT with claims. If they don't the api will return "Unauthorized". However a user can easily mess around with JWT and change the claims values. He can change the role from User to Admin, he can change his Id in the claims too! I can stop asking the user for the id and just get it directly from the jwt token, but it is still not secure enough. thank you for your help
No description
15 Replies
Bordin
BordinOP•10mo ago
[Authorize]
        [HttpPut("UpdatePfp")]
        public async Task<IActionResult> UpdateProfilePicture([FromForm] UpdateUserProfilePicture ProfilePictureResources)
        {
            try
            {
                var userIdClaim = User.FindFirst(ClaimTypes.NameIdentifier);//userid from the jwt
                if (userIdClaim == null)
                {
                    // Handle case where user ID claim is missing
                    return Unauthorized();
                }
                string userId = userIdClaim.Value;//the value of the userid from the jwt
                
                var userResource = _mapper.Map<UpdateUserProfilePicture, User>(ProfilePictureResources);
                User user =await _userService.GetUserById(userResource.UserId);
                if(user.UserId.ToString() != userId)
                {
                    return Unauthorized(ModelState);
                } 
                ...  //update image   
[Authorize]
        [HttpPut("UpdatePfp")]
        public async Task<IActionResult> UpdateProfilePicture([FromForm] UpdateUserProfilePicture ProfilePictureResources)
        {
            try
            {
                var userIdClaim = User.FindFirst(ClaimTypes.NameIdentifier);//userid from the jwt
                if (userIdClaim == null)
                {
                    // Handle case where user ID claim is missing
                    return Unauthorized();
                }
                string userId = userIdClaim.Value;//the value of the userid from the jwt
                
                var userResource = _mapper.Map<UpdateUserProfilePicture, User>(ProfilePictureResources);
                User user =await _userService.GetUserById(userResource.UserId);
                if(user.UserId.ToString() != userId)
                {
                    return Unauthorized(ModelState);
                } 
                ...  //update image
Pobiega
Pobiega•10mo ago
The last section of a JWT is the signature If the token is modified in any way, the signature will be incorrect So just validate the signature as part of the pipeline
Bordin
BordinOP•10mo ago
doesn't asp.net validate the signature on its own?
Pobiega
Pobiega•10mo ago
Asp has no built in support for JWTs at sll
Bordin
BordinOP•10mo ago
Bearer i mean
Pobiega
Pobiega•10mo ago
So what are you using for it?
Bordin
BordinOP•10mo ago
 services
                .AddAuthorization()
                .AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
 services
                .AddAuthorization()
                .AddAuthentication(options =>
                {
                    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
                })
shouldnt thise do it? let me test this and modify the jwt
Pobiega
Pobiega•10mo ago
are you doing AddAuthentication().AddJwtBearer(...) somewhere?
Bordin
BordinOP•10mo ago
you were right 
 access-control-allow-origin: * 
 content-length: 0 
 date: Sat,03 Feb 2024 15:54:06 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found" 
 access-control-allow-origin: * 
 content-length: 0 
 date: Sat,03 Feb 2024 15:54:06 GMT 
 server: Kestrel 
 www-authenticate: Bearer error="invalid_token",error_description="The signature key was not found"
Pobiega
Pobiega•10mo ago
and all you did was modify the claims right? you didnt outright remove the signature
Bordin
BordinOP•10mo ago
No i just modified the claims
Pobiega
Pobiega•10mo ago
k good 🙂
Bordin
BordinOP•10mo ago
Okay so do i even need to ask for the users id in the api? since i have it in the token
Pobiega
Pobiega•10mo ago
probably not
Bordin
BordinOP•10mo ago
this is awesome and so secure thank you!
Want results from more Discord servers?
Add your server