Api Rate Abuse in Adonisjs with Cockroachdb
Api Rate Abuse in Adonisjs with Cockroachdb — how this specific combination creates or exposes the vulnerability
AdonisJS, a Node.js web framework, often uses database transactions and connection pools to interact with CockroachDB, a distributed SQL database designed for resilience and consistency. When rate limiting is misconfigured or omitted, an attacker can open many concurrent database transactions or queries that stress CockroachDB’s serializable isolation and distributed transaction layers. Unlike single-node databases, CockroachDB coordinates writes across multiple nodes; unthrottled request bursts can cause increased contention on distributed locks, higher abort rates for serializable transactions, and elevated latency that compounds application-level DoS risk.
Abuse scenarios specific to this stack include:
- Bursts of unauthenticated API calls that each open a CockroachDB transaction, increasing transaction aborts and wasted compute. For example, a POST /register endpoint without rate limits can be hammered to create many conflicting rows or retries, driving up aborts under serializable isolation.
- Endpoints that perform iterative reads/writes (e.g., inventory decrement) without idempotency or locking strategies, causing write skew anomalies that CockroachDB’s snapshot isolation may not prevent if application logic is flawed.
- Unbounded or missing per-client rate limits enabling rapid consumption of operations that involve multi-statement transactions, where partial failure leaves retries that amplify load on the cluster.
Because middleBrick scans the unauthenticated attack surface, it checks whether the API enforces rate limits around database-impacting actions and flags missing or weak controls. Without explicit limits, an attacker can trigger repeated executions of costly queries or transactions, exposing higher abort rates and potential latency spikes that indicate contention. The scan also validates that inputs to CockroachDB interactions are properly validated to avoid injection that could compound abuse by forcing heavy queries or transaction loops.
In practice, a vulnerable AdonisJS route might open a transaction on every request, with no guard against rapid invocation:
const trx = await Database.transaction();
try {
await User.create({ username: request.input('username'), balance: 0 }, trx);
await Account.create({ userId: user.id, amount: 0 }, trx);
await trx.commit();
} catch (error) {
await trx.rollback();
throw error;
}
If this route has no per-identifier or global rate limit, a flood of requests can saturate the transaction pipeline, increase CockroachDB transaction aborts, and degrade performance. middleBrick’s checks highlight missing rate limiting around high-cost endpoints and suggest adding controls that throttle requests before they initiate distributed transactions.
Cockroachdb-Specific Remediation in Adonisjs — concrete code fixes
Remediation focuses on applying rate limits early, making transactions idempotent, and reducing contention in CockroachDB. Use AdonisJS middleware or route-level guards to enforce per-user and global limits, and design database interactions to minimize long-lived transactions and retries.
Rate limiting middleware in AdonisJS
Leverage AdonisJS middleware to enforce limits before requests reach route handlers or database code:
// start/kernel.ts
import { middleware } from '@adonisjs/core';
import { RateLimiterRedis } from 'rate-limiter-flexible';
import { Redis } from '@upstash/redis';
const redisClient = new Redis({ url: process.env.UPSTASH_REDIS_URL, token: process.env.UPSTASH_REDIS_TOKEN });
const rateLimiter = new RateLimiterRedis({
storeClient: redisClient,
keyPrefix: 'middlebrick_rl',
points: 100, // 100 requests
duration: 60, // per 60 seconds
blockDuration: 60, // block for 60 seconds when exceeded
});
export const rateLimiter = middleware(async (ctx, next) => {
try {
await rateLimiter.consume(ctx.request.ip);
await next();
} catch {
ctx.response.status(429).send({ error: 'Too many requests' });
}
});
Apply this middleware to sensitive routes or globally in starter.ts to reduce load on CockroachDB:
// start/routes.ts
import Route from '@ioc:Adonis/Core/Route';
import { rateLimiter } from 'App/Middleware/rateLimiter';
Route.group(() => {
Route.post('/register', 'UserController.register').middleware([rateLimiter]);
Route.post('/transfer', 'AccountController.transfer').middleware([rateLimiter]);
}).prefix('api/v1');
Idempotent transactions and retry budgets with CockroachDB
Design transactions to be safe under retries and use short, targeted operations to reduce lock contention:
import { DateTime } from 'luxon';
import User from 'App/Models/User';
import Account from 'App/Models/Account';
export default class AccountController {
public async transfer({ request, response }: HttpContextContract) {
const { fromId, toId, amount } = request.only(['fromId', 'toId', 'amount']);
const txId = `${fromId}:${toId}:${DateTime.local().toISO()}`;
// Use a unique constraint or idempotency key to avoid duplicate processing
const existing = await Transaction.query().where('tx_id', txId).first();
if (existing) {
return response.conflict({ error: 'Duplicate request' });
}
const trx = await Database.transaction();
try {
const fromAcc = await Account.query().where('user_id', fromId).forUpdate(trx).firstOrFail();
if (fromAcc.balance < amount) {
throw new Error('Insufficient funds');
}
fromAcc.balance -= amount;
await fromAcc.save(trx);
const toAcc = await Account.query().where('user_id', toId).forUpdate(trx).firstOrFail();
toAcc.balance += amount;
await toAcc.save(trx);
await Transaction.create({ tx_id: txId, from_id: fromId, to_id: toId, amount }, trx);
await trx.commit();
} catch (error) {
await trx.rollback();
if (error.name === 'SequelizeUniqueConstraintError') {
return response.conflict({ error: 'Duplicate or conflicting request' });
}
throw error;
}
}
}
Notes:
forUpdate(trx)places row-level locks within the transaction to reduce write skew, important under high concurrency on CockroachDB.- An idempotency key (tx_id) prevents duplicate processing when clients retry, which otherwise can amplify load on the cluster.
- Short transactions and targeted queries reduce the window for contention and abort retries.
Schema and index considerations
Ensure CockroachDB tables have appropriate indexes to make point lookups and row locks efficient:
-- Example index to support the forUpdate lookup by user_id
CREATE INDEX IF NOT EXISTS idx_accounts_user_id ON accounts (user_id);
By combining middleware rate limiting, idempotent transaction design, and proper database indexing, the AdonisJS + CockroachDB stack can better withstand abusive request patterns while maintaining consistency and low abort rates.