HIGH | broken authentication | axum
Broken Authentication in Axum
Axum-Specific Remediation
Fixing broken authentication in Axum means using its extractor system and middleware correctly. First, avoid optional extractors (`Option<T>`) for authentication: use a mandatory extractor and let Axum return 401 automatically when extraction fails. For JWT validation, write a custom extractor that validates the token rigorously. Example:
```rust
// Targets Axum 0.7 (FromRequest<S> with a single Request type) and jsonwebtoken 9.
use axum::{
    async_trait,
    extract::{FromRequest, Request},
    http::{header, StatusCode},
    routing::get,
    Router,
};
use jsonwebtoken::{decode, DecodingKey, Validation};
use serde::Deserialize;

/// Claims read from the token; `sub` identifies the user and `exp` is
/// required by `Validation::default()`.
#[derive(Debug, Deserialize)]
struct Claims {
    sub: String,
    exp: usize,
}

#[derive(Debug)]
struct AuthUser(pub String); // user ID or claims

#[async_trait]
impl<S> FromRequest<S> for AuthUser
where
    S: Send + Sync,
{
    type Rejection = (StatusCode, &'static str);

    async fn from_request(req: Request, _state: &S) -> Result<Self, Self::Rejection> {
        // Presence and format: the header must exist and carry a bearer token.
        let token = req
            .headers()
            .get(header::AUTHORIZATION)
            .and_then(|h| h.to_str().ok())
            .and_then(|h| h.strip_prefix("Bearer "))
            .ok_or((StatusCode::UNAUTHORIZED, "Missing token"))?;
        // Signature and claims: replace the literal secret with a key loaded
        // from configuration or application state before deploying.
        let claims = decode::<Claims>(
            token,
            &DecodingKey::from_secret("secret".as_ref()),
            &Validation::default(),
        )
        .map_err(|_| (StatusCode::UNAUTHORIZED, "Invalid token"))?;
        Ok(AuthUser(claims.claims.sub))
    }
}

// Usage in route: the handler body only runs once AuthUser was extracted.
async fn protected_handler(user: AuthUser) -> String {
    format!("Welcome, {}", user.0)
}

fn app() -> Router {
    Router::new().route("/protected", get(protected_handler))
}
```
This ensures the token's presence, format, signature, and claims are validated before the handler runs. Additionally, apply authentication middleware globally via Router::layer so that every route is covered by the same check rather than relying on each handler to opt in. middleBrick’s Pro plan offers continuous monitoring to detect regressions: if a developer later removes the extractor or weakens validation, scheduled scans alert the team before deployment.
FAQ
- Q: How does middleBrick differentiate between missing authentication and broken authentication in Axum?
  A: Missing authentication occurs when an endpoint lacks any auth check (returns 200 without credentials). Broken authentication exists when auth is present but flawed—e.g., token validation is missing or bypassable. middleBrick identifies the latter by testing token tampering, replay, and weak validation against endpoints that return 200 for unauthenticated requests with malformed tokens.
- Q: Can Axum’s TypedHeader prevent broken authentication?
  A: No—TypedHeader<headers::Authorization> only extracts the header value; it does not validate the token. Developers must add validation logic in the handler or a custom extractor, as shown in the remediation section.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |