Distributed Denial Of Service in Feathersjs with Basic Auth
Distributed Denial Of Service in Feathersjs with Basic Auth — how this specific combination creates or exposes the vulnerability
FeathersJS is a framework for building REST and real-time APIs with minimal configuration. When Basic Auth is used for authentication, the server relies on an Authorization: Basic base64(credentials) header on every request. Because Basic Auth transmits credentials on every call, and because FeathersJS applications often expose services publicly, this combination can make denial-of-service (DDoS) vectors easier to trigger if authentication is not rate-limited or otherwise protected.
DDoS in this context does not require compromising credentials; it exploits the availability of unauthenticated or weakly protected endpoints. An attacker can saturate the service by opening many connections or sending many requests with invalid or missing Basic Auth headers. FeathersJS services that do not enforce per-route authentication or global rate limiting allow these requests to consume server resources (event loop, memory, database connections). If authentication is performed synchronously on each request, CPU time is spent on Base64 decoding and credential validation even for malicious traffic, which can amplify resource exhaustion.
Another risk specific to the combination of Basic Auth and FeathersJS is that misconfigured CORS or preflight handling can allow browsers to send credentialed requests from untrusted origins, increasing exposure to cross-origin request floods. If the service also accepts OpenAPI specs with $ref resolution, an attacker might probe documented endpoints that are not properly guarded, especially if runtime enforcement lags behind spec definitions. Because FeathersJS can auto-register services, an endpoint that appears benign in documentation might be reachable without additional checks, making it a target for volumetric attacks.
middleBrick scans such configurations and flags missing rate limiting, authentication bypass risks, and excessive agency patterns. In the context of Basic Auth, findings may highlight endpoints that accept requests without verifying credentials or lack per-client throttling. These findings align with the OWASP API Top 10 category '2023-A02: Broken Authentication' and can contribute to a 'C' or lower security score when availability protections are weak.
Unlike long-running pentests that take weeks, middleBrick completes an unauthenticated scan in 5–15 seconds, testing the public attack surface without credentials. Its checks run in parallel across 12 categories, including Authentication, Rate Limiting, and Input Validation, to identify whether Basic Auth headers are accepted without enforcement and whether the service can be overwhelmed by repeated requests.
Basic Auth-Specific Remediation in Feathersjs — concrete code fixes
Remediation focuses on ensuring every request that requires authentication is verified, and that abusive clients cannot saturate your service. Below are concrete FeathersJS examples that combine Basic Auth validation with rate limiting and error handling to reduce DDoS surface.
Example 1: Basic Auth middleware with strict verification
Use a custom hook to validate credentials before the service logic runs. This prevents unauthenticated requests from consuming downstream resources.
const { BasicAuthStrategy } = require('feathers-authentication');
const auth = new BasicAuthStrategy();
function verifyCredentials(username, password) {
// Replace with secure user lookup, e.g., database query with constant-time compare
const validUser = username === 'apiuser' && password === 's3cr3tP@ss!';
if (!validUser) {
const err = new Error('Invalid credentials');
err.code = 401;
throw err;
}
return { userId: username };
}
app.hooks({
before: {
all: [auth.hooks.authenticate(['basic'])],
find: [context => {
const { user } = context;
if (!user || !user.userId) {
return Promise.reject({
code: 401,
message: 'Authentication required'
});
}
return context;
}]
}
});
Example 2: Rate limiting per client IP
Rate limiting reduces the impact of high-volume requests. The example uses
const rateLimit = require('feathers-rate-limit');
app.configure(rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 100, // limit each IP to 100 requests per windowMs
skipSuccessfulRequests: false,
handler: (req, res, next, options) => {
res.status(options.statusCode).json({
code: 429,
message: 'Too many requests, try again later.'
});
}
}));
Example 3: Combined hook to reject malformed headers early
Add an early hook to reject requests with malformed or missing Basic Auth headers before they reach service logic, saving CPU cycles during an attack.
app.hooks({
before: {
all: [context => {
const authHeader = context.params.headers.authorization || '';
if (!authHeader.startsWith('Basic ')) {
return Promise.reject({
code: 400,
message: 'Missing or invalid Authorization header'
});
}
return context;
}]
}
});
Example 4: Secure configuration in an existing Feathers service
Ensure services do not allow unauthenticated access by default. If using REST transport only, disable socket transports that might bypass hooks.
class AuthService {
setup(app, params) {
this.app = app;
this.params = params;
}
find(params) {
// Ensure params has user from authentication hook
if (!params.user) {
return Promise.reject({
code: 401,
message: 'Unauthorized'
});
}
return Promise.resolve({
total: 0,
limit: 0,
skip: 0,
data: []
});
}
}
const app = require('feathers')();
app.configure(express.json());
app.configure(express.urlencoded({ extended: true }));
app.use('/secure', new AuthService());
These examples emphasize early rejection of bad requests and consistent credential verification. They map to OWASP API Top 10 protections and help keep availability risks low. In a middleBrick Pro plan, you can enable continuous monitoring and CI/CD gates so that any regression in authentication or rate limiting fails the build before deployment.