JWT pitfalls: break and harden an auth flow

Build a JWT-protected API with login, an authenticated /admin route, and refresh, then run an attack suite (alg:none, algorithm confusion, missing aud, attacker kid) — first proving each exploit succeeds against the naive version, then proving it fails after hardening.

• Build a small API with a /login endpoint that issues an RS256 access token plus a refresh token, and an /admin route gated on a role:admin claim. Use any stack (Node, Go, Python) with a real JWT library.
• Stand up a JWKS endpoint serving the RSA public key, so the public key is genuinely published the way it would be in production.
• Write an attack script that forges four tokens: (a) an alg:none token with role:admin and an empty signature; (b) an HS256 token signed with the public key as the HMAC secret; (c) a valid token minted for a different audience; (d) a token whose kid/jku points at an attacker-hosted key set.
• Run the attack suite against a deliberately naive verifier (jwt.decode or verify with no options) and capture the responses showing each forged token reaching /admin.
• Harden the verifier: pin an explicit algorithm allowlist, bind each key to one algorithm, validate exp/nbf/iss/aud against expected values, and resolve kid only against a server-side pinned key allowlist (ignore jku).
• Set a short access-token TTL (5–15 min) and implement refresh-token rotation with reuse detection that revokes the token family when an already-rotated refresh token is replayed.
• Decide and implement token storage for a SPA client: access token in memory, refresh token in an httpOnly + Secure + SameSite cookie; document the attack each placement defends against.

• A before/after table for the four exploits: each one reaches /admin (or refresh) against the naive verifier and is rejected with a clear error against the hardened verifier — shown by actual request/response output, not described.
• The hardened verifier rejects a wrong-aud token even when its signature is valid, and rejects an attacker-kid token without ever fetching from the header-named URL.
• Replaying a rotated refresh token triggers family revocation: the legitimate session's next refresh also fails, proving reuse detection fired (demonstrated against the running service).
• A one-paragraph write-up mapping each defense (algorithm pin, key binding, claim checks, kid allowlist, rotation, storage) to the specific exploit it closes and the RFC 8725 guidance behind it.