API Authentication Bypass Through Parameter Manipulation and Logic Flaws

High Risk API Security
apiauthenticationbypassjwtsessionauthorizationprivilege-escalation

What it is

A high-severity vulnerability where attackers can bypass API authentication mechanisms through parameter manipulation, JWT tampering, session handling flaws, or logic errors in authentication implementations. This can lead to unauthorized access to protected resources, privilege escalation, and complete system compromise by allowing attackers to impersonate legitimate users or gain administrative access.

// VULNERABLE: Multiple authentication bypass vulnerabilities const express = require('express'); const jwt = require('jsonwebtoken'); const app = express(); // PROBLEM 1: Weak JWT validation function authenticateToken(req, res, next) { const token = req.headers.authorization?.split(' ')[1]; if (token) { // DANGEROUS: No signature verification const decoded = jwt.decode(token); if (decoded) { req.user = decoded; return next(); } } res.status(401).json({ error: 'Unauthorized' }); } // PROBLEM 2: Inconsistent method protection app.get('/api/users/:id', authenticateToken, (req, res) => { res.json(getUserById(req.params.id)); }); app.post('/api/users/:id', authenticateToken, (req, res) => { updateUser(req.params.id, req.body); res.json({ success: true }); }); // VULNERABLE: Missing authentication on PUT app.put('/api/users/:id', (req, res) => { updateUser(req.params.id, req.body); res.json({ success: true }); }); // PROBLEM 3: Parameter-based bypass app.use('/api/admin', (req, res, next) => { if (req.query.admin_key === 'secret123') { next(); } else { res.status(401).json({ error: 'Unauthorized' }); } }); // PROBLEM 4: Weak session handling app.post('/api/login', (req, res) => { const { username, password } = req.body; if (validateCredentials(username, password)) { const token = jwt.sign({ username }, 'weak-secret'); res.json({ token }); } else { res.status(401).json({ error: 'Invalid credentials' }); } }); // PROBLEM 5: OAuth without state validation app.get('/auth/callback', async (req, res) => { const { code } = req.query; const tokenResponse = await exchangeCodeForToken(code); const userInfo = await getUserInfo(tokenResponse.access_token); // Auto-create user without verification const user = await User.findOrCreate({ email: userInfo.email }); const token = jwt.sign({ userId: user.id }, 'weak-secret'); res.json({ token }); });
// SECURE: Comprehensive authentication security implementation const express = require('express'); const jwt = require('jsonwebtoken'); const crypto = require('crypto'); const rateLimit = require('express-rate-limit'); const helmet = require('helmet'); const redis = require('redis'); const app = express(); const redisClient = redis.createClient(process.env.REDIS_URL); const isProduction = process.env.NODE_ENV === 'production'; // Security middleware app.use(helmet()); app.use(express.json({ limit: '10mb' })); app.use(express.urlencoded({ extended: false })); // Rate limiting for authentication endpoints const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 5, // 5 attempts per window message: { error: 'Too many authentication attempts' }, standardHeaders: true, keyGenerator: (req) => `${req.ip}:${req.body.username || 'anonymous'}` }); // Secure JWT configuration const JWT_CONFIG = { algorithm: 'HS256', expiresIn: '15m', issuer: 'secure-api', audience: 'api-users' }; class SecureAuthManager { static async generateToken(payload) { const jti = crypto.randomUUID(); const tokenPayload = { ...payload, jti, iat: Math.floor(Date.now() / 1000), iss: JWT_CONFIG.issuer, aud: JWT_CONFIG.audience }; return jwt.sign(tokenPayload, process.env.JWT_SECRET, JWT_CONFIG); } static async verifyToken(token) { try { const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: [JWT_CONFIG.algorithm], issuer: JWT_CONFIG.issuer, audience: JWT_CONFIG.audience }); // Check token blacklist const isBlacklisted = await redisClient.get(`blacklist:${decoded.jti}`); if (isBlacklisted) { throw new Error('Token revoked'); } // Verify user is still active const user = await User.findById(decoded.userId); if (!user || !user.isActive) { throw new Error('User inactive'); } return decoded; } catch (error) { throw new Error(`Token validation failed: ${error.message}`); } } static async revokeToken(token) { try { const decoded = jwt.decode(token); if (decoded?.jti && decoded?.exp) { const ttl = decoded.exp - Math.floor(Date.now() / 1000); if (ttl > 0) { await redisClient.setex(`blacklist:${decoded.jti}`, ttl, 'revoked'); } } } catch (error) { console.error('Token revocation error:', error); } } } // Secure authentication middleware function authenticateToken(req, res, next) { const authHeader = req.headers.authorization; const token = authHeader && authHeader.split(' ')[1]; if (!token) { return res.status(401).json({ error: 'Access token required', code: 'TOKEN_MISSING' }); } SecureAuthManager.verifyToken(token) .then(decoded => { req.user = decoded; req.tokenJti = decoded.jti; next(); }) .catch(error => { console.warn('Authentication failed:', { error: error.message, ip: req.ip, userAgent: req.get('User-Agent') }); res.status(401).json({ error: 'Invalid token', code: 'TOKEN_INVALID' }); }); } // Secure admin authentication class AdminAuth { static async validateApiKey(req, res, next) { const apiKey = req.headers['x-api-key']; if (!apiKey || !this.isValidFormat(apiKey)) { return res.status(401).json({ error: 'Valid API key required', code: 'API_KEY_INVALID' }); } try { const hashedKey = crypto.createHash('sha256').update(apiKey).digest('hex'); const keyInfo = await ApiKey.findOne({ hashedKey, isActive: true, role: 'admin', expiresAt: { $gt: new Date() } }).populate('user'); if (!keyInfo) { throw new Error('API key not found'); } req.apiKey = keyInfo; req.user = keyInfo.user; next(); } catch (error) { res.status(401).json({ error: 'API key validation failed', code: 'API_KEY_VALIDATION_FAILED' }); } } static isValidFormat(key) { return /^[a-f0-9]{64}$/i.test(key); } } // Apply authentication to ALL HTTP methods function protectAllMethods(authMiddleware) { return (req, res, next) => { if (req.method === 'OPTIONS') { return next(); } authMiddleware(req, res, next); }; } // Secure OAuth state management class OAuthManager { static generateState() { return crypto.randomBytes(32).toString('hex'); } static async storeState(state, data) { await redisClient.setex(`oauth_state:${state}`, 600, JSON.stringify(data)); } static async validateState(state) { const key = `oauth_state:${state}`; const data = await redisClient.get(key); if (!data) { throw new Error('Invalid OAuth state'); } await redisClient.del(key); return JSON.parse(data); } } // Apply security to all user routes app.use('/api/users/*', protectAllMethods(authenticateToken)); app.use('/api/admin/*', protectAllMethods(AdminAuth.validateApiKey.bind(AdminAuth))); // Secure login endpoint app.post('/api/login', authLimiter, async (req, res) => { const { username, password } = req.body; try { const user = await authenticateUser(username, password); if (!user) { return res.status(401).json({ error: 'Invalid credentials', code: 'INVALID_CREDENTIALS' }); } const token = await SecureAuthManager.generateToken({ userId: user.id, username: user.username, role: user.role }); res.json({ token, user: { id: user.id, username: user.username, role: user.role } }); } catch (error) { console.error('Login error:', error); res.status(500).json({ error: 'Login failed', code: 'LOGIN_ERROR' }); } }); // Secure logout app.post('/api/logout', authenticateToken, async (req, res) => { try { const token = req.headers.authorization?.split(' ')[1]; if (token) { await SecureAuthManager.revokeToken(token); } res.json({ success: true }); } catch (error) { console.error('Logout error:', error); res.status(500).json({ error: 'Logout failed' }); } }); // Protected routes with consistent authentication app.get('/api/users/:id', (req, res) => { const user = getUserById(req.params.id); res.json(user); }); app.post('/api/users/:id', (req, res) => { updateUser(req.params.id, req.body); res.json({ success: true }); }); app.put('/api/users/:id', (req, res) => { updateUser(req.params.id, req.body); res.json({ success: true }); }); app.patch('/api/users/:id', (req, res) => { updateUser(req.params.id, req.body); res.json({ success: true }); }); app.delete('/api/users/:id', (req, res) => { deleteUser(req.params.id); res.json({ success: true }); }); // Secure OAuth flow app.get('/auth/google', async (req, res) => { try { const state = OAuthManager.generateState(); const nonce = crypto.randomBytes(16).toString('hex'); await OAuthManager.storeState(state, { timestamp: Date.now(), ip: req.ip, nonce }); const authUrl = `https://accounts.google.com/o/oauth2/auth?` + `client_id=${process.env.GOOGLE_CLIENT_ID}&` + `redirect_uri=${encodeURIComponent(process.env.OAUTH_REDIRECT_URI)}&` + `scope=openid email profile&` + `response_type=code&` + `state=${state}&` + `nonce=${nonce}`; res.redirect(authUrl); } catch (error) { res.status(500).json({ error: 'OAuth initiation failed' }); } }); app.get('/auth/callback', async (req, res) => { const { code, state } = req.query; try { if (!code || !state) { throw new Error('Missing code or state'); } const stateData = await OAuthManager.validateState(state); // Exchange code for tokens and validate const tokenData = await exchangeCodeForToken(code); const userInfo = await validateAndGetUserInfo(tokenData); // Secure user creation/lookup let user = await User.findOne({ email: userInfo.email, provider: 'google' }); if (!user && userInfo.verified_email) { user = await User.create({ email: userInfo.email, name: userInfo.name, provider: 'google', isEmailVerified: true }); } if (!user) { throw new Error('User creation failed'); } const token = await SecureAuthManager.generateToken({ userId: user.id, username: user.username, role: user.role }); res.redirect(`/dashboard?token=${token}`); } catch (error) { console.error('OAuth callback error:', error); res.redirect('/login?error=oauth_failed'); } });

💡 Why This Fix Works

The secure implementation addresses all major authentication bypass vulnerabilities through proper JWT validation with algorithm whitelisting, consistent authentication across all HTTP methods, secure parameter handling, robust session management, and comprehensive OAuth security with state validation. It includes rate limiting, token blacklisting, and comprehensive error handling while maintaining security best practices.

Why it happens

APIs that improperly validate JWT tokens are vulnerable to bypass attacks through token manipulation, algorithm confusion attacks, or weak signature verification. Attackers can modify token claims, exploit 'none' algorithm acceptance, or use publicly known keys to forge valid tokens.

Root causes

JWT Token Manipulation and Weak Validation

APIs that improperly validate JWT tokens are vulnerable to bypass attacks through token manipulation, algorithm confusion attacks, or weak signature verification. Attackers can modify token claims, exploit 'none' algorithm acceptance, or use publicly known keys to forge valid tokens.

Preview example – JAVASCRIPT 
// VULNERABLE: Weak JWT validation in Express.js
const jwt = require('jsonwebtoken');
const express = require('express');

const app = express();

// PROBLEM 1: Missing signature verification
function authenticateToken(req, res, next) {
    const token = req.headers.authorization?.split(' ')[1];
    
    if (!token) {
        return res.status(401).json({ error: 'Access token required' });
    }
    
    try {
        // DANGEROUS: Decoding without verification
        const decoded = jwt.decode(token);
        
        // PROBLEM 2: Not verifying signature
        if (decoded && decoded.userId) {
            req.user = decoded;
            next();
        } else {
            res.status(401).json({ error: 'Invalid token' });
        }
    } catch (error) {
        res.status(401).json({ error: 'Invalid token' });
    }
}

// PROBLEM 3: Accepts any algorithm including 'none'
function verifyTokenWeak(token) {
    try {
        // VULNERABLE: No algorithm specification
        return jwt.verify(token, process.env.JWT_SECRET);
    } catch (error) {
        return null;
    }
}

// Attack scenarios:
// 1. Change algorithm to 'none': {"alg":"none","typ":"JWT"}
// 2. Modify userId in payload: {"userId":"admin","role":"admin"}
// 3. Use weak/leaked secrets to forge tokens
// 4. Algorithm confusion: use HS256 secret as RS256 public key

Parameter Pollution and HTTP Method Bypass

Authentication mechanisms that rely on specific parameters or HTTP methods can be bypassed through parameter pollution, method override attacks, or by exploiting inconsistencies in how different middleware handles the same parameters.

Preview example – JAVASCRIPT 
// VULNERABLE: Parameter-based authentication bypass
const express = require('express');
const app = express();

// PROBLEM: Authentication based on URL parameters
app.use('/api/admin', (req, res, next) => {
    const apiKey = req.query.api_key || req.body.api_key || req.headers['x-api-key'];
    
    // VULNERABLE: Simple string comparison
    if (apiKey === process.env.ADMIN_API_KEY) {
        req.isAdmin = true;
        next();
    } else {
        res.status(401).json({ error: 'Unauthorized' });
    }
});

// PROBLEM: HTTP method-based access control
app.get('/api/users/:id', (req, res) => {
    // Anyone can read
    const user = getUserById(req.params.id);
    res.json(user);
});

app.post('/api/users/:id', authenticateToken, (req, res) => {
    // Only authenticated users can modify
    updateUser(req.params.id, req.body);
    res.json({ success: true });
});

// VULNERABLE: Missing authentication on PUT/PATCH
app.put('/api/users/:id', (req, res) => {
    // BYPASS: No authentication required!
    updateUser(req.params.id, req.body);
    res.json({ success: true });
});

// Attack scenarios:
// 1. Parameter pollution: ?api_key=wrong&api_key=correct
// 2. Method override: X-HTTP-Method-Override: GET
// 3. Case manipulation: Api_Key vs api_key
// 4. Array injection: api_key[]=value
// 5. Use unprotected HTTP methods (PUT instead of POST)

Session Handling and Cookie Manipulation

APIs using session-based authentication with weak session validation, predictable session IDs, or improper cookie handling are vulnerable to session hijacking, fixation, and manipulation attacks that bypass authentication controls.

Preview example – JAVASCRIPT 
// VULNERABLE: Weak session-based authentication
const express = require('express');
const session = require('express-session');
const crypto = require('crypto');

const app = express();

// PROBLEM 1: Weak session configuration
app.use(session({
    secret: 'simple-secret',          // Weak secret
    resave: false,
    saveUninitialized: true,
    cookie: {
        secure: false,               // PROBLEM: Not secure in production
        httpOnly: false,             // PROBLEM: Accessible via JavaScript
        maxAge: 86400000 * 365       // PROBLEM: 1 year expiration
    }
}));

// PROBLEM 2: Predictable session tokens
function generateSessionId() {
    // VULNERABLE: Predictable session generation
    return 'sess_' + Date.now() + '_' + Math.random().toString(36).substr(2, 5);
}

// PROBLEM 3: Insufficient session validation
function validateSession(req, res, next) {
    const sessionId = req.cookies.sessionId || req.headers['x-session-id'];
    
    if (sessionId) {
        // VULNERABLE: No signature verification
        const session = getSessionFromStore(sessionId);
        
        if (session) {
            // PROBLEM: No expiration check
            req.user = session.user;
            next();
        } else {
            res.status(401).json({ error: 'Invalid session' });
        }
    } else {
        res.status(401).json({ error: 'Session required' });
    }
}

// PROBLEM 4: Session fixation vulnerability
app.post('/api/login', (req, res) => {
    const { username, password } = req.body;
    
    if (validateCredentials(username, password)) {
        // VULNERABLE: Reusing existing session ID
        req.session.user = { username, id: getUserId(username) };
        
        res.json({ success: true });
    } else {
        res.status(401).json({ error: 'Invalid credentials' });
    }
});

// Attack scenarios:
// 1. Session prediction: Generate sequential session IDs
// 2. Session fixation: Set session ID before authentication
// 3. Cookie manipulation: Modify session data in client
// 4. Session hijacking: Steal session cookies via XSS

OAuth and Third-Party Authentication Bypass

APIs implementing OAuth or third-party authentication services with improper state validation, redirect URI validation, or token verification are vulnerable to authentication bypass through OAuth flows manipulation and CSRF attacks.

Preview example – JAVASCRIPT 
// VULNERABLE: OAuth implementation with security flaws
const express = require('express');
const axios = require('axios');
const app = express();

// PROBLEM 1: Missing state parameter validation
app.get('/auth/google', (req, res) => {
    const googleAuthUrl = 'https://accounts.google.com/o/oauth2/auth' +
        '?client_id=' + process.env.GOOGLE_CLIENT_ID +
        '&redirect_uri=' + encodeURIComponent('http://localhost:3000/auth/google/callback') +
        '&scope=email profile' +
        '&response_type=code';
        // MISSING: &state=random_csrf_token
    
    res.redirect(googleAuthUrl);
});

// PROBLEM 2: Insufficient callback validation
app.get('/auth/google/callback', async (req, res) => {
    const { code, state } = req.query;
    
    // PROBLEM: No state validation for CSRF protection
    if (!code) {
        return res.status(400).json({ error: 'Authorization code required' });
    }
    
    try {
        // Exchange code for access token
        const tokenResponse = await axios.post('https://oauth2.googleapis.com/token', {
            client_id: process.env.GOOGLE_CLIENT_ID,
            client_secret: process.env.GOOGLE_CLIENT_SECRET,
            code: code,
            grant_type: 'authorization_code',
            // PROBLEM: Redirect URI not validated
            redirect_uri: req.query.redirect_uri || 'http://localhost:3000/auth/google/callback'
        });
        
        const accessToken = tokenResponse.data.access_token;
        
        // PROBLEM 3: Insufficient token validation
        const userResponse = await axios.get('https://www.googleapis.com/oauth2/v2/userinfo', {
            headers: { Authorization: `Bearer ${accessToken}` }
        });
        
        const userInfo = userResponse.data;
        
        // PROBLEM 4: Auto-registration without verification
        let user = await User.findOne({ email: userInfo.email });
        if (!user) {
            // DANGEROUS: Auto-create user without email verification
            user = await User.create({
                email: userInfo.email,
                name: userInfo.name,
                provider: 'google'
            });
        }
        
        // Create session without additional checks
        req.session.user = user;
        res.redirect('/dashboard');
        
    } catch (error) {
        res.status(500).json({ error: 'Authentication failed' });
    }
});

// Attack scenarios:
// 1. CSRF: Initiate OAuth flow for victim using attacker's account
// 2. Redirect URI manipulation: Change redirect to attacker-controlled domain
// 3. Code interception: Steal authorization code in transit
// 4. Account linking: Link victim's account to attacker's OAuth profile

Fixes

1

Implement Robust JWT Validation with Algorithm Whitelisting

Properly validate JWT tokens by verifying signatures, enforcing algorithm whitelisting, checking expiration times, and implementing additional security measures like token blacklisting and key rotation.

View implementation – JAVASCRIPT 
const jwt = require('jsonwebtoken');
const redis = require('redis');
const crypto = require('crypto');

const redisClient = redis.createClient(process.env.REDIS_URL);

// Secure JWT configuration
const JWT_CONFIG = {
    algorithm: 'HS256',           // Explicit algorithm
    expiresIn: '15m',            // Short expiration
    issuer: 'your-api-service',  // Verify issuer
    audience: 'your-api-users'   // Verify audience
};

// Token blacklist for logout/revocation
const BLACKLIST_PREFIX = 'blacklist_token:';

class SecureJWTAuth {
    static async generateToken(payload) {
        const jti = crypto.randomUUID(); // Unique token ID
        
        const tokenPayload = {
            ...payload,
            jti,
            iat: Math.floor(Date.now() / 1000),
            iss: JWT_CONFIG.issuer,
            aud: JWT_CONFIG.audience
        };
        
        return jwt.sign(tokenPayload, process.env.JWT_SECRET, {
            algorithm: JWT_CONFIG.algorithm,
            expiresIn: JWT_CONFIG.expiresIn
        });
    }
    
    static async verifyToken(token) {
        try {
            // Step 1: Verify signature and basic claims
            const decoded = jwt.verify(token, process.env.JWT_SECRET, {
                algorithms: [JWT_CONFIG.algorithm], // Whitelist specific algorithm
                issuer: JWT_CONFIG.issuer,
                audience: JWT_CONFIG.audience
            });
            
            // Step 2: Check if token is blacklisted
            const isBlacklisted = await redisClient.get(BLACKLIST_PREFIX + decoded.jti);
            if (isBlacklisted) {
                throw new Error('Token has been revoked');
            }
            
            // Step 3: Additional security checks
            if (decoded.exp && decoded.exp < Math.floor(Date.now() / 1000)) {
                throw new Error('Token has expired');
            }
            
            // Step 4: Check user still exists and is active
            const user = await User.findById(decoded.userId);
            if (!user || !user.isActive) {
                throw new Error('User account is inactive');
            }
            
            return decoded;
        } catch (error) {
            throw new Error(`Token validation failed: ${error.message}`);
        }
    }
    
    static async revokeToken(token) {
        try {
            const decoded = jwt.decode(token);
            if (decoded?.jti && decoded?.exp) {
                const ttl = decoded.exp - Math.floor(Date.now() / 1000);
                if (ttl > 0) {
                    await redisClient.setex(BLACKLIST_PREFIX + decoded.jti, ttl, 'revoked');
                }
            }
        } catch (error) {
            console.error('Error revoking token:', error);
        }
    }
}

// Secure authentication middleware
function authenticateToken(req, res, next) {
    const authHeader = req.headers.authorization;
    const token = authHeader && authHeader.split(' ')[1];
    
    if (!token) {
        return res.status(401).json({ 
            error: 'Access token required',
            code: 'TOKEN_MISSING'
        });
    }
    
    SecureJWTAuth.verifyToken(token)
        .then(decoded => {
            req.user = decoded;
            req.tokenJti = decoded.jti;
            next();
        })
        .catch(error => {
            console.warn('Authentication failed:', {
                error: error.message,
                ip: req.ip,
                userAgent: req.get('User-Agent'),
                timestamp: new Date().toISOString()
            });
            
            res.status(401).json({ 
                error: 'Invalid or expired token',
                code: 'TOKEN_INVALID'
            });
        });
}
2

Implement Consistent Parameter Validation and HTTP Method Protection

Ensure consistent authentication across all HTTP methods and implement proper parameter validation that prevents pollution attacks and method-based bypasses.

View implementation – JAVASCRIPT 
const express = require('express');
const rateLimit = require('express-rate-limit');
const validator = require('validator');

const app = express();

// Centralized authentication validation
class AuthValidator {
    static validateApiKey(req, res, next) {
        // Get API key from multiple sources but validate consistently
        const apiKey = this.extractApiKey(req);
        
        if (!apiKey) {
            return res.status(401).json({ 
                error: 'API key required',
                code: 'API_KEY_MISSING'
            });
        }
        
        // Validate API key format
        if (!this.isValidApiKeyFormat(apiKey)) {
            return res.status(401).json({ 
                error: 'Invalid API key format',
                code: 'API_KEY_INVALID_FORMAT'
            });
        }
        
        // Verify API key against database
        this.verifyApiKey(apiKey)
            .then(keyInfo => {
                if (!keyInfo || !keyInfo.isActive) {
                    throw new Error('API key not found or inactive');
                }
                
                req.apiKey = keyInfo;
                req.user = keyInfo.user;
                next();
            })
            .catch(error => {
                console.warn('API key validation failed:', {
                    error: error.message,
                    ip: req.ip,
                    userAgent: req.get('User-Agent')
                });
                
                res.status(401).json({ 
                    error: 'Invalid API key',
                    code: 'API_KEY_INVALID'
                });
            });
    }
    
    static extractApiKey(req) {
        // Priority order for API key sources
        const sources = [
            req.headers['x-api-key'],
            req.headers['authorization']?.replace(/^Bearer\s+/i, ''),
            req.query.api_key,
            req.body?.api_key
        ];
        
        // Return first non-empty, properly formatted key
        for (const key of sources) {
            if (key && typeof key === 'string' && key.trim()) {
                return key.trim();
            }
        }
        
        return null;
    }
    
    static isValidApiKeyFormat(key) {
        // Validate API key format (example: 32 hex characters)
        return /^[a-f0-9]{32}$/i.test(key);
    }
    
    static async verifyApiKey(key) {
        // Hash the key for database lookup
        const hashedKey = crypto.createHash('sha256').update(key).digest('hex');
        
        return await ApiKey.findOne({ 
            hashedKey,
            isActive: true,
            expiresAt: { $gt: new Date() }
        }).populate('user');
    }
}

// HTTP method protection middleware
function protectAllMethods(authMiddleware) {
    return (req, res, next) => {
        // Apply authentication to ALL HTTP methods
        const allowedMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'];
        
        if (!allowedMethods.includes(req.method)) {
            return res.status(405).json({ 
                error: 'Method not allowed',
                allowed: allowedMethods
            });
        }
        
        // Skip authentication only for OPTIONS (CORS preflight)
        if (req.method === 'OPTIONS') {
            return next();
        }
        
        // Apply authentication middleware
        authMiddleware(req, res, next);
    };
}

// Parameter pollution protection
function preventParameterPollution(req, res, next) {
    // Check for parameter pollution in query string
    for (const [key, value] of Object.entries(req.query)) {
        if (Array.isArray(value)) {
            console.warn('Parameter pollution detected:', {
                parameter: key,
                values: value,
                ip: req.ip,
                userAgent: req.get('User-Agent')
            });
            
            return res.status(400).json({ 
                error: 'Parameter pollution detected',
                parameter: key
            });
        }
    }
    
    next();
}

// Apply security middleware globally
app.use(preventParameterPollution);

// Protected route with consistent authentication
const authMiddleware = AuthValidator.validateApiKey.bind(AuthValidator);
const protectedRoute = protectAllMethods(authMiddleware);

// Apply to ALL methods for these routes
app.use('/api/admin/*', protectedRoute);
app.use('/api/users/:id', protectedRoute);

// Route handlers
app.get('/api/users/:id', (req, res) => {
    const user = getUserById(req.params.id);
    res.json(user);
});

app.post('/api/users/:id', (req, res) => {
    updateUser(req.params.id, req.body);
    res.json({ success: true });
});

app.put('/api/users/:id', (req, res) => {
    updateUser(req.params.id, req.body);
    res.json({ success: true });
});

app.patch('/api/users/:id', (req, res) => {
    updateUser(req.params.id, req.body);
    res.json({ success: true });
});

app.delete('/api/users/:id', (req, res) => {
    deleteUser(req.params.id);
    res.json({ success: true });
});
3

Secure Session Management with Strong Validation

Implement secure session handling with proper configuration, strong session ID generation, signature verification, and protection against session-based attacks.

View implementation – JAVASCRIPT 
const express = require('express');
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
const redis = require('redis');
const crypto = require('crypto');
const csrf = require('csurf');

const app = express();
const redisClient = redis.createClient(process.env.REDIS_URL);
const isProduction = process.env.NODE_ENV === 'production';

// Secure session configuration
app.use(session({
    store: new RedisStore({ client: redisClient }),
    secret: process.env.SESSION_SECRET,  // Strong random secret
    name: 'sessionId',                   // Custom session name
    resave: false,
    saveUninitialized: false,           // Don't save empty sessions
    rolling: true,                      // Reset expiration on activity
    cookie: {
        secure: isProduction,           // HTTPS only in production
        httpOnly: true,                 // Not accessible via JavaScript
        maxAge: 30 * 60 * 1000,        // 30 minutes
        sameSite: 'strict'             // CSRF protection
    },
    genid: () => {
        // Generate cryptographically secure session ID
        return crypto.randomBytes(32).toString('hex');
    }
}));

// CSRF protection
const csrfProtection = csrf({ 
    cookie: {
        secure: isProduction,
        httpOnly: true,
        sameSite: 'strict'
    }
});

class SecureSessionManager {
    static createSession(req, user) {
        // Regenerate session ID to prevent fixation
        return new Promise((resolve, reject) => {
            req.session.regenerate((err) => {
                if (err) {
                    return reject(err);
                }
                
                // Set session data
                req.session.user = {
                    id: user.id,
                    username: user.username,
                    role: user.role,
                    loginTime: new Date().toISOString(),
                    ipAddress: req.ip,
                    userAgent: req.get('User-Agent')
                };
                
                // Add session fingerprint for additional security
                req.session.fingerprint = crypto
                    .createHash('sha256')
                    .update(req.ip + req.get('User-Agent') + process.env.SESSION_SECRET)
                    .digest('hex');
                
                req.session.save((err) => {
                    if (err) {
                        return reject(err);
                    }
                    resolve(req.session);
                });
            });
        });
    }
    
    static validateSession(req, res, next) {
        if (!req.session || !req.session.user) {
            return res.status(401).json({ 
                error: 'Authentication required',
                code: 'SESSION_MISSING'
            });
        }
        
        // Validate session fingerprint
        const expectedFingerprint = crypto
            .createHash('sha256')
            .update(req.ip + req.get('User-Agent') + process.env.SESSION_SECRET)
            .digest('hex');
        
        if (req.session.fingerprint !== expectedFingerprint) {
            console.warn('Session fingerprint mismatch:', {
                sessionId: req.sessionID,
                ip: req.ip,
                userAgent: req.get('User-Agent'),
                userId: req.session.user?.id
            });
            
            // Destroy suspicious session
            req.session.destroy((err) => {
                if (err) console.error('Error destroying session:', err);
            });
            
            return res.status(401).json({ 
                error: 'Session security validation failed',
                code: 'SESSION_FINGERPRINT_MISMATCH'
            });
        }
        
        // Check session age
        const loginTime = new Date(req.session.user.loginTime);
        const maxSessionAge = 8 * 60 * 60 * 1000; // 8 hours
        
        if (Date.now() - loginTime.getTime() > maxSessionAge) {
            req.session.destroy((err) => {
                if (err) console.error('Error destroying expired session:', err);
            });
            
            return res.status(401).json({ 
                error: 'Session expired',
                code: 'SESSION_EXPIRED'
            });
        }
        
        // Verify user still exists and is active
        User.findById(req.session.user.id)
            .then(user => {
                if (!user || !user.isActive) {
                    throw new Error('User not found or inactive');
                }
                
                req.user = user;
                next();
            })
            .catch(error => {
                console.warn('User validation failed:', {
                    error: error.message,
                    sessionId: req.sessionID,
                    userId: req.session.user?.id
                });
                
                req.session.destroy((err) => {
                    if (err) console.error('Error destroying invalid session:', err);
                });
                
                res.status(401).json({ 
                    error: 'User validation failed',
                    code: 'USER_INVALID'
                });
            });
    }
    
    static destroySession(req) {
        return new Promise((resolve, reject) => {
            req.session.destroy((err) => {
                if (err) {
                    return reject(err);
                }
                resolve();
            });
        });
    }
}

// Apply session validation to protected routes
app.use('/api/protected/*', SecureSessionManager.validateSession);
app.use('/api/protected/*', csrfProtection);

// Secure login endpoint
app.post('/api/login', async (req, res) => {
    const { username, password } = req.body;
    
    try {
        const user = await authenticateUser(username, password);
        
        if (!user) {
            return res.status(401).json({ 
                error: 'Invalid credentials',
                code: 'INVALID_CREDENTIALS'
            });
        }
        
        await SecureSessionManager.createSession(req, user);
        
        res.json({ 
            success: true,
            user: {
                id: user.id,
                username: user.username,
                role: user.role
            },
            csrfToken: req.csrfToken()
        });
        
    } catch (error) {
        console.error('Login error:', error);
        res.status(500).json({ 
            error: 'Login failed',
            code: 'LOGIN_ERROR'
        });
    }
});

// Secure logout endpoint
app.post('/api/logout', SecureSessionManager.validateSession, async (req, res) => {
    try {
        await SecureSessionManager.destroySession(req);
        res.json({ success: true });
    } catch (error) {
        console.error('Logout error:', error);
        res.status(500).json({ 
            error: 'Logout failed',
            code: 'LOGOUT_ERROR'
        });
    }
});
4

Secure OAuth Implementation with Proper State Validation

Implement OAuth flows with comprehensive security measures including state validation, redirect URI verification, and proper token handling to prevent authentication bypass.

View implementation – JAVASCRIPT 
const express = require('express');
const crypto = require('crypto');
const axios = require('axios');
const jwt = require('jsonwebtoken');
const redis = require('redis');

const app = express();
const redisClient = redis.createClient(process.env.REDIS_URL);

class SecureOAuthHandler {
    static generateSecureState() {
        return crypto.randomBytes(32).toString('hex');
    }
    
    static async storeOAuthState(state, data) {
        // Store state with 10 minute expiration
        await redisClient.setex(`oauth_state:${state}`, 600, JSON.stringify(data));
    }
    
    static async validateAndConsumeState(state) {
        const key = `oauth_state:${state}`;
        const data = await redisClient.get(key);
        
        if (!data) {
            throw new Error('Invalid or expired OAuth state');
        }
        
        // Delete state to prevent reuse
        await redisClient.del(key);
        
        return JSON.parse(data);
    }
    
    static validateRedirectUri(uri, allowedUris) {
        try {
            const url = new URL(uri);
            
            // Check against whitelist of allowed redirect URIs
            return allowedUris.some(allowed => {
                const allowedUrl = new URL(allowed);
                return url.origin === allowedUrl.origin && 
                       url.pathname === allowedUrl.pathname;
            });
        } catch (error) {
            return false;
        }
    }
    
    static async verifyGoogleToken(token) {
        try {
            // Verify token with Google
            const response = await axios.get(
                `https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=${token}`,
                { timeout: 5000 }
            );
            
            const tokenInfo = response.data;
            
            // Verify audience (client ID)
            if (tokenInfo.audience !== process.env.GOOGLE_CLIENT_ID) {
                throw new Error('Token audience mismatch');
            }
            
            // Verify expiration
            if (parseInt(tokenInfo.expires_in) <= 0) {
                throw new Error('Token has expired');
            }
            
            return tokenInfo;
        } catch (error) {
            throw new Error(`Token verification failed: ${error.message}`);
        }
    }
}

// Secure OAuth initiation
app.get('/auth/google', async (req, res) => {
    try {
        const state = SecureOAuthHandler.generateSecureState();
        const nonce = crypto.randomBytes(16).toString('hex');
        
        // Store state with metadata
        await SecureOAuthHandler.storeOAuthState(state, {
            timestamp: Date.now(),
            ip: req.ip,
            userAgent: req.get('User-Agent'),
            nonce
        });
        
        const redirectUri = process.env.OAUTH_REDIRECT_URI;
        
        const googleAuthUrl = 'https://accounts.google.com/o/oauth2/auth' +
            `?client_id=${encodeURIComponent(process.env.GOOGLE_CLIENT_ID)}` +
            `&redirect_uri=${encodeURIComponent(redirectUri)}` +
            `&scope=${encodeURIComponent('openid email profile')}` +
            '&response_type=code' +
            `&state=${encodeURIComponent(state)}` +
            `&nonce=${encodeURIComponent(nonce)}`;
        
        res.redirect(googleAuthUrl);
        
    } catch (error) {
        console.error('OAuth initiation error:', error);
        res.status(500).json({ error: 'Authentication initiation failed' });
    }
});

// Secure OAuth callback
app.get('/auth/google/callback', async (req, res) => {
    const { code, state, error } = req.query;
    
    try {
        // Check for OAuth errors
        if (error) {
            throw new Error(`OAuth error: ${error}`);
        }
        
        if (!code || !state) {
            throw new Error('Missing authorization code or state');
        }
        
        // Validate and consume state
        const stateData = await SecureOAuthHandler.validateAndConsumeState(state);
        
        // Additional security checks
        if (Date.now() - stateData.timestamp > 600000) { // 10 minutes
            throw new Error('OAuth flow expired');
        }
        
        // Verify redirect URI
        const allowedRedirectUris = [process.env.OAUTH_REDIRECT_URI];
        if (!SecureOAuthHandler.validateRedirectUri(req.originalUrl.split('?')[0], allowedRedirectUris)) {
            throw new Error('Invalid redirect URI');
        }
        
        // Exchange code for tokens
        const tokenResponse = await axios.post('https://oauth2.googleapis.com/token', {
            client_id: process.env.GOOGLE_CLIENT_ID,
            client_secret: process.env.GOOGLE_CLIENT_SECRET,
            code: code,
            grant_type: 'authorization_code',
            redirect_uri: process.env.OAUTH_REDIRECT_URI
        }, {
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            timeout: 10000
        });
        
        const { access_token, id_token } = tokenResponse.data;
        
        // Verify ID token
        const idTokenPayload = jwt.decode(id_token);
        if (!idTokenPayload || idTokenPayload.nonce !== stateData.nonce) {
            throw new Error('ID token validation failed');
        }
        
        // Verify access token
        await SecureOAuthHandler.verifyGoogleToken(access_token);
        
        // Get user info
        const userResponse = await axios.get('https://www.googleapis.com/oauth2/v2/userinfo', {
            headers: { Authorization: `Bearer ${access_token}` },
            timeout: 5000
        });
        
        const userInfo = userResponse.data;
        
        // Verify email is verified
        if (!userInfo.verified_email) {
            throw new Error('Email not verified with provider');
        }
        
        // Find or create user with additional verification
        let user = await User.findOne({ 
            email: userInfo.email,
            provider: 'google'
        });
        
        if (!user) {
            // Create new user with verification requirement
            user = await User.create({
                email: userInfo.email,
                name: userInfo.name,
                provider: 'google',
                providerId: userInfo.id,
                isEmailVerified: true,
                isActive: true,
                createdAt: new Date()
            });
            
            // Log new user creation
            console.info('New OAuth user created:', {
                userId: user.id,
                email: userInfo.email,
                provider: 'google',
                ip: req.ip
            });
        } else {
            // Update last login
            user.lastLogin = new Date();
            await user.save();
        }
        
        // Create secure session
        await SecureSessionManager.createSession(req, user);
        
        res.redirect('/dashboard?auth=success');
        
    } catch (error) {
        console.error('OAuth callback error:', {
            error: error.message,
            ip: req.ip,
            userAgent: req.get('User-Agent'),
            timestamp: new Date().toISOString()
        });
        
        res.redirect('/login?error=oauth_failed');
    }
});

Detect This Vulnerability in Your Code

Sourcery automatically identifies api authentication bypass through parameter manipulation and logic flaws and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities