Auth Bypass in Adonisjs with Mongodb
Auth Bypass in Adonisjs with Mongodb — how this specific combination creates or exposes the vulnerability
When AdonisJS is used with MongoDB as the primary datastore, authentication bypass risks often arise from how application code maps HTTP requests to MongoDB queries and how guards/session logic are configured. A common pattern is to retrieve a user document from MongoDB using an identifier (e.g., username or email) and then rely on a local session or token check without re-verifying the authentication state for each sensitive route.
BOLA/IDOR issues can intersect with weak route-level guards: if a route uses a user-supplied id to fetch a MongoDB document via User.findById(id) or an equivalent query, and does not enforce that the requesting user owns that document, an attacker can change the ID to access another user’s data. In AdonisJS, this often occurs when controller methods directly use request params to build MongoDB queries without scoping to the authenticated user’s tenant or record.
Another bypass scenario involves misconfigured or missing guard checks on routes that should be protected. For example, a route may rely on session-based auth but also expose an API endpoint that accepts a JSON Web Token; if the JWT verification logic is not consistently applied or if the token payload is not validated against the MongoDB user document (e.g., checking isActive or role fields), an attacker can present a forged or unsigned token and gain unauthorized access. Additionally, if the application uses role/permission fields stored in MongoDB but does not re-check those fields on each request, privilege escalation can occur when an attacker modifies their claims or session data.
SSRF and unsafe consumption can indirectly enable auth bypass when an attacker can coerce the backend to make requests to internal MongoDB endpoints or configuration services, potentially retrieving connection strings or metadata that help them craft malicious queries. Input validation flaws around the user identifier (e.g., accepting malformed ObjectId strings or failing to sanitize query parameters) can lead to unexpected query behavior, allowing an attacker to bypass intended filters and retrieve or modify other users’ records.
Because middleBoot scans the unauthenticated attack surface and tests inputs and endpoints in parallel across checks such as Authentication, BOLA/IDOR, and Input Validation, it can surface these risky patterns by correlating OpenAPI/Swagger definitions (with full $ref resolution) against runtime behavior, including how MongoDB queries are constructed from user-controlled data.
Mongodb-Specific Remediation in Adonisjs — concrete code fixes
Remediation centers on scoping MongoDB queries to the authenticated user, validating and normalizing identifiers, and ensuring guards are consistently enforced. Below are concrete patterns and code examples using the MongoDB driver for Node.js within an AdonisJS controller.
1. Scope queries to the authenticated user
Never trust incoming IDs alone. Combine the authenticated user’s ID with the requested resource ID, or fetch by a user-owned field (e.g., username) instead of a raw user-supplied ObjectId.
// Good: scope by authenticated user id
const userId = auth.user.id; // from the session or token payload
const targetId = request.param('id');
const user = await User.collection.findOne({
_id: userId,
'accounts.id': targetId // example for nested references
});
if (!user) {
throw new Error('Not found');
}
2. Use normalized identifiers and strict validation
Validate ObjectId formats before using them in queries to avoid unexpected matches or injection-like behavior.
import { ObjectId } from 'mongodb';
function safeObjectId(value) {
if (!ObjectId.isValid(value)) {
throw new Error('Invalid ObjectId');
}
return new ObjectId(value);
}
// Usage in a controller
const id = safeObjectId(request.param('id'));
const document = await User.collection.findOne({ _id: id });
3. Enforce role/permission checks against MongoDB-stored attributes
Do not rely solely on session flags; re-check role or permission fields stored in the user document for sensitive operations.
const user = await User.collection.findOne({ _id: auth.user.id });
if (!user || user.role !== 'admin') {
throw new Error('Insufficient permissions');
}
4. Avoid exposing internal IDs in URLs
Use slugs or usernames instead of raw MongoDB _id in routes, and map them safely on the server.
// Route pattern: /users/:username
const user = await User.collection.findOne({ username: request.param('username') });
if (!user) {
throw new Error('Not found');
}
5. Apply consistent authentication guards
Whether you use session cookies or tokens, ensure route handlers validate authentication and that the MongoDB user document matches the token/session claims.
// Example token verification and user fetch
const token = request.header('authorization')?.replace('Bearer ', '');
if (!token) {
throw new Error('Unauthorized');
}
const payload = verifyToken(token); // your JWT verify function
const user = await User.collection.findOne({ _id: payload.sub, isActive: true });
if (!user) {
throw new Error('Invalid token');
}
6. Limit query results and sanitize outputs
Project only necessary fields and avoid returning sensitive data that could aid an attacker in further bypass attempts.
const safeUser = await User.collection.findOne(
{ _id: auth.user.id },
{ projection: { username: 1, email: 1, role: 1 } }
);
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |