# Improper Authentication (CWE-287)

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

- Prevalence: High, frequently exploited
- Impact: Critical, 2 critical-severity rules
- Prevention: Documented, 2 fix examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Authentication is the process of determining whether a claimed identity is correct. When authentication is insufficient or incorrect, attackers can assume the identity of legitimate users.

## Prevention

Improper Authentication prevention strategies based on 2 Shoulder detection rules.

### JavaScript

Use jwt.verify() instead of jwt.decode() when assigning user identity.

### Python

Use early returns for authentication failures and constant-time comparison.

## Warning Signs

- [CRITICAL] when jwt.decode() output is used for user identity
- [CRITICAL] authentication checks that can be bypassed due to missing return statements or weak boolean logic

## Consequences

- Gain privileges
- Bypass protection mechanism
- Read application data

## Mitigations

- Use multi-factor authentication (MFA)
- Use a vetted library or framework for authentication
- Implement an appropriate password policy

## Detection

- Total rules: 2
- Critical: 2
- Languages: javascript, typescript, python

## Rules by Language

### JavaScript (1 rule)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
// Verify the signature and pin the algorithm before trusting any claim
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity

### TypeScript (1 rule)

- **JWT Decode Used for User Identity (Authentication Bypass)** [CRITICAL]: Detects when jwt.decode() output is used for user identity, allowing complete authentication bypass since decode() does not verify signatures.
  - Remediation: Use jwt.verify() instead of jwt.decode() for authentication.

```javascript
// Verify the signature and pin the algorithm before trusting any claim
const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = decoded;
```

Learn more: https://shoulder.dev/learn/javascript/cwe-287/jwt-unverified-user-identity

### Python (1 rule)

- **Authentication Bypass Vulnerability** [CRITICAL]: Detects authentication checks that can be bypassed due to missing return statements or weak boolean logic.
  - Remediation: Use early returns for authentication failures to prevent bypass.

```python
# Reject on the failure path first so no code below can be reached unauthenticated
if not user or not check_password_hash(user.password_hash, password):
    return jsonify({'error': 'Invalid credentials'}), 401
```

Learn more: https://shoulder.dev/learn/python/cwe-287/authentication-bypass