# JWT User-Controlled Secret

- ID: javascript-jwt-weak-secret
- Severity: CRITICAL
- CWE: Hardcoded Cryptographic Key (CWE-321)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, nodejs

## Description

Detects JWT signing or verification that uses a user-controlled secret. JWT security relies on keeping the signing key confidential. If an attacker can control or influence the secret used for signing or verification, they can:

- Forge valid tokens for any user
- Bypass authentication entirely
- Impersonate other users

This rule covers:

- Using `req.body.secret` or `req.query.secret` directly as the JWT secret
- Allowing users to supply a custom secret for verification
- Using weak or predictable secrets derived from user input

## Detection Message

JWT {sink} uses user-controlled secret from {source}. This allows attackers to forge valid tokens and bypass authentication.

## Remediation

Use a server-side secret loaded from the environment, never a value taken from the request. Pin the accepted algorithm so that a token cannot choose its own: a shared secret pairs with `HS256` (an RSA deployment would pass the public key and pin `RS256` instead).

```javascript
const jwt = require('jsonwebtoken');

app.post('/api/auth/verify', (req, res) => {
  // Only the token comes from the client; the secret never does.
  const { token } = req.body;
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET, {
      // Pin the algorithm that matches the key type of JWT_SECRET.
      algorithms: ['HS256'],
    });
    res.json({ user: decoded });
  } catch (error) {
    res.status(401).json({ error: 'Invalid token' });
  }
});
```

Learn more: https://shoulder.dev/learn/javascript/cwe-321/jwt-weak-secret