Insufficient Logging with Bearer Tokens
How Insufficient Logging Manifests in Bearer Tokens
Insufficient logging in Bearer Token implementations creates critical blind spots for security teams. When authentication failures, token expirations, or suspicious usage patterns aren't logged, attackers can exploit these gaps without detection. The most common manifestation occurs when Bearer Token middleware silently fails without recording the incident.
// Vulnerable: No logging on authentication failure
app.use('/api', authenticateBearerToken, (req, res) => {
// If token is invalid, middleware returns 401 but doesn't log
res.json({ data: 'protected resource' });
});
This pattern allows attackers to brute-force token validation without any audit trail. Another critical gap appears in token rotation scenarios where refresh token usage isn't logged:
// Missing logging on refresh token usage
const refresh = async (req, res) => {
const { refreshToken } = req.body;
const user = await db.users.findOne({ refreshToken });
if (!user) return res.status(401).json({ error: 'Invalid refresh token' });
// No logging of which refresh token was used or when
const newTokens = generateTokens(user);
res.json(newTokens);
};
Token revocation is another area where insufficient logging creates vulnerabilities. When administrators revoke tokens but the system doesn't log these actions, compromised tokens can remain active without anyone knowing:
// No audit trail for token revocation
app.post('/admin/revoke', adminOnly, async (req, res) => {
const { tokenId } = req.body;
await db.tokens.updateOne({ _id: tokenId }, { revoked: true });
// Missing: log who revoked, when, and why
res.json({ success: true });
});
Rate limiting violations for Bearer Token endpoints often go unlogged, allowing attackers to test token validity at scale without triggering alerts. The absence of logging for token metadata (IP address, user agent, device fingerprint) prevents correlation of suspicious activity across multiple endpoints.
Bearer Tokens-Specific Detection
Detecting insufficient logging in Bearer Token implementations requires examining both code and runtime behavior. Static analysis should identify middleware that handles authentication without logging mechanisms. Look for patterns where 401 responses are returned without corresponding log entries:
# Check for missing logging in authentication middleware
grep -r "401\|unauthorized" routes/ | grep -v "console\.log\|logger\|debug"
Runtime detection involves monitoring authentication endpoints for anomalous behavior. A properly logged system should show:
{
"timestamp": "2024-01-15T10:30:00Z",
"level": "WARN",
"category": "authentication",
"message": "Invalid Bearer token from IP: 192.168.1.100",
"token_prefix": "eyJhbGci",
"user_agent": "Mozilla/5.0",
"endpoint": "/api/sensitive-data",
"attempt_count": 5
}
middleBrick's black-box scanning approach detects insufficient logging by testing authentication endpoints with invalid tokens and analyzing responses. The scanner verifies whether authentication failures produce appropriate status codes without exposing sensitive information, then checks if these failures would be logged in a production environment.
Key indicators of insufficient logging include:
- Silent failures when invalid tokens are presented
- No correlation between authentication attempts and user activity
- Missing logs for token expiration events
- No audit trail for token generation and revocation
- Absence of rate limiting violation logs
middleBrick's API security scanning specifically tests Bearer Token endpoints by submitting malformed tokens, expired tokens, and tokens with insufficient scopes, then analyzing whether the system provides appropriate feedback without revealing implementation details.
Bearer Tokens-Specific Remediation
Implementing comprehensive logging for Bearer Token systems requires structured approaches that balance security with operational needs. Start with a centralized logging middleware that captures all authentication events:
// Centralized authentication logging middleware
const authLogger = (req, res, next) => {
const start = Date.now();
const originalSend = res.send;
res.send = function(data) {
const duration = Date.now() - start;
const logData = {
timestamp: new Date().toISOString(),
ip: req.ip,
user_agent: req.get('User-Agent'),
endpoint: req.originalUrl,
method: req.method,
status: res.statusCode,
duration_ms: duration,
token_valid: req.user !== undefined
};
// Log all authentication attempts
if (req.headers.authorization) {
logData.token_prefix = req.headers.authorization.split(' ')[1]?.substring(0, 10);
}
console.log(JSON.stringify(logData));
originalSend.call(this, data);
};
next();
};
For token-specific events, implement detailed logging around token lifecycle operations:
// Enhanced token validation with comprehensive logging
const validateBearerToken = async (req, res, next) => {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
console.warn({
event: 'missing_bearer_token',
ip: req.ip,
user_agent: req.get('User-Agent'),
endpoint: req.originalUrl,
timestamp: new Date().toISOString()
});
return res.status(401).json({ error: 'Missing Bearer token' });
}
try {
const token = authHeader.split(' ')[1];
const decoded = jwt.verify(token, process.env.JWT_SECRET);
console.info({
event: 'token_validated',
user_id: decoded.sub,
token_id: decoded.jti,
ip: req.ip,
user_agent: req.get('User-Agent'),
endpoint: req.originalUrl,
timestamp: new Date().toISOString()
});
req.user = decoded;
next();
} catch (error) {
console.error({
event: 'token_validation_failed',
error_type: error.name,
ip: req.ip,
user_agent: req.get('User-Agent'),
endpoint: req.originalUrl,
timestamp: new Date().toISOString()
});
return res.status(401).json({ error: 'Invalid Bearer token' });
}
};
Implement structured logging for token revocation and rotation:
// Token revocation with audit logging
app.post('/api/tokens/revoke', authenticate, async (req, res) => {
const { tokenId } = req.body;
const { sub: userId } = req.user;
try {
await db.tokens.updateOne(
{ _id: tokenId, userId },
{ revoked: true, revokedAt: new Date(), revokedBy: userId }
);
console.audit({
event: 'token_revoked',
token_id: tokenId,
revoked_by: userId,
ip: req.ip,
user_agent: req.get('User-Agent'),
timestamp: new Date().toISOString()
});
res.json({ success: true });
} catch (error) {
console.error({
event: 'token_revocation_failed',
error: error.message,
token_id: tokenId,
user_id: userId,
ip: req.ip,
timestamp: new Date().toISOString()
});
res.status(500).json({ error: 'Revocation failed' });
}
});
Configure log retention policies and integrate with security information and event management (SIEM) systems to enable correlation of authentication events across your entire infrastructure.