# Improper Authentication (CWE-287)

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

**Stack:** JavaScript

- Prevalence: Hoch Häufig ausgenutzt
- Impact: Kritisch 2 Regeln mit kritischem Schweregrad
- Prevention: Dokumentiert 2 Fix-Beispiele

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Authentication is the process of determining if a claimed identity is correct. When authentication is insufficient or incorrect, attackers can assume the identity of legitimate users.

## Prevention

Präventionsstrategien für Improper Authentication basierend auf 1 Shoulder-Erkennungsregeln.

### JavaScript

Use jwt.verify() instead of jwt.decode() when assigning user identity

## Warning Signs

- [CRITICAL] when jwt

## Consequences

- Privilegien erlangen
- Schutzmechanismus umgehen
- Anwendungsdaten lesen

## Mitigations

- Multi-Faktor-Authentifizierung verwenden
- Verwende für die Authentifizierung eine geprüfte Bibliothek oder ein Framework
- Geeignete Passwortrichtlinien umsetzen

## Detection

- Total rules: 2
- Critical: 2
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ['HS256']
});
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity

### Typescript (1 rules)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ['HS256']
});
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity