Api Key Exposure in Adonisjs with Cockroachdb

AdonisJS, a Node.js web framework, often manages external service credentials through environment variables and configuration files. When integrating with CockroachDB, a common pattern is to store the database connection string, including any username, password, or host details, in an .env file or via process environment variables. If these environment variables are inadvertently exposed—such as through client-side JavaScript bundles, server-side error messages that leak configuration, or misconfigured logging—the API key or database credentials can become accessible to unauthorized parties.

In a typical AdonisJS application using the @adonisjs/lucid package for ORM, the database.ts configuration reads these variables at runtime. A standard configuration might look like:

// config/database.ts
import { Env } from '@ioc:Adonis/Core/Env'

export default {
  connection: 'cockroachdb',
  connections: {
    cockroachdb: {
      client: 'cockroachdb',
      connection: {
        host: Env.get('DB_HOST', 'localhost'),
        port: Env.get('DB_PORT', 26257),
        user: Env.get('DB_USER', 'root'),
        password: Env.get('DB_PASSWORD', ''),
        database: Env.get('DB_NAME', 'postgres'),
        ssl: Env.get('DB_SSL', 'false') !== 'false'
      },
      debug: false
    }
  }
}

If the application is deployed in an environment where environment variables are not strictly controlled—such as shared development containers, improperly restricted CI/CD logs, or verbose error handling middleware—the values of DB_PASSWORD or the full connection string may be exposed. For example, a stack trace or debug page might inadvertently include the configuration object during an unhandled exception, revealing the password used to connect to CockroachDB.

Additionally, if the application serves static assets or API documentation from the server without proper isolation, a misconfigured route could expose configuration files that contain these variables. An attacker who gains access to an API endpoint that reflects server configuration or debug data might extract the database credentials, which effectively act as an API key for the CockroachDB instance. This exposure can lead to unauthorized data access, data manipulation, or further lateral movement within backend systems.

The risk is compounded when applications use centralized configuration services or logging mechanisms that capture environment variables for debugging. Without proper sanitization, these logs can become a persistent record of sensitive credentials. Since CockroachDB connections often have broad privileges within a cluster, exposed credentials can compromise not just a single dataset but multiple tenant databases hosted on the same cluster.

To mitigate API key exposure when using CockroachDB with AdonisJS, focus on strict environment variable handling, secure configuration patterns, and runtime protection. The primary goal is to ensure that sensitive values such as database passwords are never serialized into client-side contexts or logged unintentionally.

First, validate and sanitize environment variables at application bootstrap. Use AdonisJS's Env provider to enforce required variables and prevent undefined values from causing runtime errors that might trigger verbose error messages:

// start/app.ts
import { Application } from '@ioc:Adonis/Core/Application'
import Env from '@ioc:Adonis/Core/Env'

// Ensure required variables are present
if (!Env.get('DB_HOST') || !Env.get('DB_USER') || !Env.get('DB_PASSWORD')) {
  throw new Error('Missing required database environment variables')
}

Application.ready()

Second, avoid logging sensitive configuration. When using @ioc:Adonis/Core/Logger, ensure that debug outputs exclude the password field. For example, customize the database connection logging to mask credentials:

// providers/AppProvider.ts
import { DatabaseProvider } from '@ioc:Adonis/Addons/Lucid'
import Logger from '@ioc:Adonis/Core/Logger'

export default class AppProvider {
  public async register() {
    this.container.singleton('Database', async () => {
      const db = new DatabaseProvider(this.app)
      const originalConnect = db['connect'].bind(db)
      db['connect'] = async function () {
        Logger.debug('Establishing CockroachDB connection with masked credentials')
        // Mask password in any debug output
        const config = this.config
        if (config.password) {
          Logger.info(`Connecting to ${config.host}:${config.port} as ${config.user}@${config.database}`)
        }
        return originalConnect()
      }
      return db
    })
  }
}

Third, structure your CockroachDB connection to use secure SSL settings and avoid default or weak configurations. Explicitly enforce TLS and prefer certificate-based authentication where possible:

// config/database.ts
import { Env } from '@ioc:Adonis/Core/Env'

export default {
  connection: 'cockroachdb',
  connections: {
    cockroachdb: {
      client: 'cockroachdb',
      connection: {
        host: Env.get('DB_HOST', 'localhost'),
        port: parseInt(Env.get('DB_PORT', '26257')),
        user: Env.get('DB_USER', 'root'),
        password: Env.get('DB_PASSWORD', ''),
        database: Env.get('DB_NAME', 'postgres'),
        ssl: {
          rejectUnauthorized: true,
          ca: Env.get('DB_SSL_CA', ''),
          key: Env.get('DB_SSL_KEY', ''),
          cert: Env.get('DB_SSL_CERT', '')
        }
      },
      debug: false
    }
  }
}

Finally, integrate middleBrick into your workflow to continuously scan for exposed configuration patterns. By using the CLI tool middlebrick scan <url>, you can validate that your API endpoints do not leak sensitive variables in responses or error messages. For teams using modern deployment pipelines, the GitHub Action can enforce security gates by failing builds when risky patterns are detected, while the MCP Server allows developers to scan APIs directly from their IDE during local development.