An object attribute constructed from user-provided input should be treated as unsafe when it is passed to a method, since it can carry sensitive information.
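// Module wiring for the login route: the router and the JWT library are
// never reassigned, so they are declared with const rather than var.
const express = require('express')
const loginController = express.Router()
const jwt = require('jsonwebtoken')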
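/**
 * Registers the login route and issues a JWT for the submitted email.
 *
 * Noncompliant example: the token is produced with algorithm 'none', i.e.
 * it is not signed at all. Anyone holding the token can edit its payload,
 * and a verifier that accepts 'none' has no way to detect the change.
 *
 * The response handling around that flaw is kept correct so the reader
 * can focus on the algorithm choice: Express ignores a handler's return
 * value, so the token is sent with res.json instead of being returned,
 * and failures are forwarded to next() rather than left as an unhandled
 * rejection that leaves the request hanging.
 */
function insufficientlyProtectedCredentialsNoncompliant() {
  loginController.post('/', async (req, res, next) => {
    const email = req.body.email
    // A missing or non-string payload makes jwt.sign throw; reject it up front.
    if (typeof email !== 'string' || email.length === 0) {
      res.status(400).json({ error: 'email is required' })
      return
    }
    try {
      // Noncompliant: JWT is not signed with a strong cipher algorithm.
      // 'none' yields an unsigned token; the secret passed here is unused.
      const token = jwt.sign(email, process.env.JWT_SECRET, { algorithm: 'none' })
      // Returning the token would never reach the client; send it explicitly.
      res.json({ token })
    } catch (err) {
      next(err)
    }
  })
}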
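// Module wiring for the login route: the router and the JWT library are
// never reassigned, so they are declared with const rather than var.
const express = require('express')
const loginController = express.Router()
const jwt = require('jsonwebtoken')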
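/**
 * Registers the login route and issues a JWT for the submitted email.
 *
 * Compliant example: the token is signed with RS256, so a verifier that
 * pins algorithms to ['RS256'] can detect any tampering with the payload.
 * Signing does not hide the payload, though: a JWT payload is only
 * base64url-encoded, so do not place data in it that the bearer must not see.
 *
 * Express ignores a handler's return value, so the token is sent with
 * res.json instead of being returned, and failures are forwarded to next()
 * rather than left as an unhandled rejection that leaves the request hanging.
 */
function insufficientlyProtectedCredentialsCompliant() {
  loginController.post('/', async (req, res, next) => {
    const email = req.body.email
    // A missing or non-string payload makes jwt.sign throw; reject it up front.
    if (typeof email !== 'string' || email.length === 0) {
      res.status(400).json({ error: 'email is required' })
      return
    }
    try {
      // Compliant: JWT is signed with a strong cipher algorithm.
      // NOTE(review): RS256 signs with an RSA private key, so JWT_SECRET must
      // hold a PEM-encoded private key rather than an HMAC shared secret —
      // confirm what the deployment actually provides in this variable.
      const token = jwt.sign(email, process.env.JWT_SECRET, { algorithm: 'RS256' })
      // Returning the token would never reach the client; send it explicitly.
      res.json({ token })
    } catch (err) {
      next(err)
    }
  })
}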