fix(security): explicit JWT algorithm; body size limit

conorluddy · claude · conorluddy · commit f39aa3e5c5d2 · 2026-02-28T15:11:49.000Z
Restrict JWT sign/verify to HS256 explicitly — prevents algorithm
confusion attacks if the library ever changes its default or an attacker
crafts a token with alg:none.

Add express.json({ limit: '10kb' }) to make the default body size limit
explicit and prevent oversized payload abuse.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/type-coverage.json b/.github/type-coverage.json
@@ -2,8 +2,8 @@
   "succeeded": true,
   "atLeast": 90,
   "atLeastFailed": false,
-  "correctCount": 6491,
+  "correctCount": 6494,
   "percent": 98.54,
   "percentString": "98.54",
-  "totalCount": 6587
+  "totalCount": 6590
 }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "residents",
-  "version": "0.3.8",
+  "version": "0.3.9",
   "author": "Conor Luddy <conorluddy@gmail.com>",
   "license": "MIT",
   "description": "Residents is a Node.js Express back-end foundation designed for bootstrapping new projects quickly and efficiently. Its main goal is to set up a robust infrastructure for user management, because users are the core of any application. These users are your Residents. It leverages a robust stack including Postgres, Drizzle ORM, JWT, PassportJS, Docker and Swagger to streamline development and deployment processes.",
diff --git a/src/index.ts b/src/index.ts
@@ -42,7 +42,7 @@ if (process.env.NODE_ENV === 'development') {
 app.disable('x-powered-by')
 app.use(helmet())
 app.use(rateLimiter)
-app.use(express.json())
+app.use(express.json({ limit: '10kb' }))
 
 // Health check
 app.get('/health', (_req, res) => {
diff --git a/src/middleware/auth/jsonWebTokens.ts b/src/middleware/auth/jsonWebTokens.ts
@@ -20,7 +20,7 @@ export const authenticateToken = (req: ResidentRequest, _res: Response<ResidentR
     throw new InternalServerError(MESSAGES.JWT_SECRET_NOT_DEFINED)
   }
 
-  jwt.verify(token, secret, (err, user) => {
+  jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, user) => {
     if (err) {
       throw new UnauthorizedError(MESSAGES.TOKEN_INVALID)
     }
diff --git a/src/utils/generateJwt.ts b/src/utils/generateJwt.ts
@@ -12,6 +12,7 @@ export const generateJwtFromUser = (user: User | SafeUser | PublicUser, expiryOv
     throw new Error(MESSAGES.JWT_SECRET_NOT_FOUND)
   }
   return jwt.sign(userToPublicUser(user), JWT_TOKEN_SECRET, {
+    algorithm: 'HS256',
     expiresIn: (expiryOverride ?? EXPIRATION_JWT_TOKEN ?? DEFAULT_EXPIRATION) as StringValue,
   })
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "residents",`
`3`		`- "version": "0.3.8",`
	`3`	`+ "version": "0.3.9",`
`4`	`4`	`"author": "Conor Luddy <conorluddy@gmail.com>",`
`5`	`5`	`"license": "MIT",`
`6`	`6`	`"description": "Residents is a Node.js Express back-end foundation designed for bootstrapping new projects quickly and efficiently. Its main goal is to set up a robust infrastructure for user management, because users are the core of any application. These users are your Residents. It leverages a robust stack including Postgres, Drizzle ORM, JWT, PassportJS, Docker and Swagger to streamline development and deployment processes.",`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ export const authenticateToken = (req: ResidentRequest, _res: Response<ResidentR`
`20`	`20`	`throw new InternalServerError(MESSAGES.JWT_SECRET_NOT_DEFINED)`
`21`	`21`	`}`
`22`	`22`
`23`		`- jwt.verify(token, secret, (err, user) => {`
	`23`	`+ jwt.verify(token, secret, { algorithms: ['HS256'] }, (err, user) => {`
`24`	`24`	`if (err) {`
`25`	`25`	`throw new UnauthorizedError(MESSAGES.TOKEN_INVALID)`
`26`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ export const generateJwtFromUser = (user: User \| SafeUser \| PublicUser, expiryOv`
`12`	`12`	`throw new Error(MESSAGES.JWT_SECRET_NOT_FOUND)`
`13`	`13`	`}`
`14`	`14`	`return jwt.sign(userToPublicUser(user), JWT_TOKEN_SECRET, {`
	`15`	`+ algorithm: 'HS256',`
`15`	`16`	`expiresIn: (expiryOverride ?? EXPIRATION_JWT_TOKEN ?? DEFAULT_EXPIRATION) as StringValue,`
`16`	`17`	`})`
`17`	`18`	`}`