Auth Bypass in Fiber with Basic Auth
Auth Bypass in Fiber with Basic Auth — how this specific combination creates or exposes the vulnerability
Basic Auth in Fiber can lead to an auth bypass when the server incorrectly validates credentials or when the transport lacks encryption. In a typical setup, credentials are sent in an Authorization header as base64-encoded username:password. If Fiber routes are not properly scoped to require authentication for protected endpoints, an attacker may reach sensitive handlers without satisfying the check. This can occur when middleware is applied selectively, when route groups are omitted, or when a default handler allows access due to missing role checks.
Because Basic Auth does not encrypt the credentials in transit, passive network observers can recover the token. If the server relies solely on this transport obscurity and does not enforce TLS, credentials can be captured and reused. Additionally, if the server decodes the header and uses the decoded values in an unsafe way—such as string comparison for the username or weak hashing for the password—an attacker may bypass validation via encoding tricks or credential collision.
In black-box scans, these patterns are detectable through unauthenticated endpoint probing and header manipulation. middleBrick’s Authentication check flags cases where endpoints do not enforce credentials and where Basic Auth is used without mandatory transport encryption. The LLM/AI Security checks further highlight risks if an unauthenticated endpoint exposes model-related behavior, increasing the likelihood of unintended data exposure. The framework mappings include OWASP API Top 10:2023 — Broken Object Level Authorization (BOLA) and Security Misconfiguration, as well as PCI-DSS requirements around credential transmission.
An example of a vulnerable Fiber route without proper middleware enforcement:
// Vulnerable: no auth guard on sensitive route
const fib = require('fastify')();
fib.get('/health', async (request, reply) => {
return { status: 'ok' };
});
fib.get('/admin/users', async (request, reply) => {
// No check that request.user is authenticated
return { users: [] };
});
fib.listen({ port: 3000 }, (err, address) => {
if (err) {
console.error(err);
process.exit(1);
}
console.log(`Server listening at ${address}`);
});
An attacker can call /admin/users without credentials if the route lacks a pre-handler that verifies a valid Authorization header. Even when Basic Auth is used elsewhere, inconsistent middleware application creates a bypass path.
Basic Auth-Specific Remediation in Fiber — concrete code fixes
Remediation centers on consistent middleware application, strict credential validation, and enforced transport security. Always apply auth middleware to protected routes and groups, avoid relying on route omission for security, and prefer hashed credentials over plaintext comparison.
Use HTTPS to protect the base64-encoded credentials in transit. Implement a pre-handler that extracts the Authorization header, decodes the credentials, and validates them against a securely stored hash. Enforce the same middleware across all sensitive endpoints to prevent selective bypass.
Secure Fiber example with Basic Auth middleware and HTTPS enforcement:
const fastify = require('fastify')({ https: { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') } });
const basicAuth = require('fastify-basic-auth');
const bcrypt = require('bcrypt');
// Configure auth with a verify callback that compares hashed passwords
fastify.register(basicAuth, {
authenticate: async (username, password, done) => {
const user = await getUserFromDatabase(username);
if (!user) {
return done(null, false);
}
const match = await bcrypt.compare(password, user.passwordHash);
if (!match) {
return done(null, false);
}
return done(null, { username: user.username, role: user.role });
}
});
// Apply globally to ensure no route is accidentally unguarded
fastify.addHook('preHandler', fastify.authenticate);
fastify.get('/health', async (request, reply) => {
return { status: 'ok' };
});
fastify.get('/admin/users', async (request, reply) => {
// request.user is set only if authenticate succeeded
return { users: [] };
});
fastify.listen({ port: 3000 }, (err, address) => {
if (err) {
console.error(err);
process.exit(1);
}
console.log(`Server listening at ${address}`);
});
Additional checks include validating that usernames are compared in a constant-time manner and that passwords are hashed with a strong adaptive function such as bcrypt. The Pro plan from middleBrick supports continuous monitoring to ensure that new routes retain auth requirements and that TLS remains enforced. Use the CLI (middlebrick scan <url>) to verify that endpoints are not exposed and to receive prioritized remediation guidance mapped to compliance frameworks.
When integrating into CI/CD, the GitHub Action can fail builds if the security score drops below your configured threshold, preventing deployments with weak auth patterns. The MCP Server allows you to scan APIs directly from your AI coding assistant, catching insecure route definitions before they reach production.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |