Identification Failures in Adonisjs
How Identification Failures Manifests in Adonisjs
Identification failures in Adonisjs applications typically occur when the framework's authentication and authorization mechanisms fail to properly verify user identity or access rights. These vulnerabilities manifest in several specific ways within Adonisjs's architecture.
One common pattern involves improper session handling. Adonisjs uses its built-in session middleware by default, but developers often misconfigure session stores or fail to validate session tokens properly. For example, using the default cookie-based session without proper encryption can allow attackers to tamper with session data:
// Vulnerable: default session config without proper encryption
const Database = use('Database')
const User = use('App/Models/User')
class AuthController {
async login ({ request, auth, session }) {
const { email, password } = request.all()
const user = await User.query()
.where('email', email)
.first()
// Identification failure: no rate limiting, no account lockout
if (user && await Hash.verify(password, user.password)) {
session.put('user_id', user.id) // No session validation
return user
}
return { error: 'Invalid credentials' }
}
}Another Adonisjs-specific manifestation involves the framework's Lucid ORM models. When developers use model relationships without proper authorization checks, attackers can exploit IDOR (Insecure Direct Object Reference) vulnerabilities:
// Vulnerable: No authorization check on related models
class PostController {
async show ({ params, auth }) {
const post = await Post.find(params.id) // Any authenticated user can access any post
return post
}
}Adonisjs's middleware system can also introduce identification failures when authentication middleware is improperly configured or bypassed. The framework's route middleware allows for flexible authentication, but incorrect ordering or missing middleware can expose endpoints:
// Vulnerable: Missing authentication middleware
Route.get('/api/posts/:id', 'PostController.show')
// Should be: Route.get('/api/posts/:id', 'PostController.show').middleware('auth')Parameter pollution is another identification failure pattern specific to Adonisjs. The framework's request handling can be confused by duplicate parameters, allowing attackers to bypass authorization checks:
// Vulnerable to parameter pollution
async show ({ request, params }) {
const postId = request.input('id', params.id) // Attacker can override params.id
const post = await Post.find(postId)
return post
}Adonisjs-Specific Detection
Detecting identification failures in Adonisjs requires understanding the framework's specific patterns and security mechanisms. The first step is to examine authentication middleware configuration across all routes.
Manual detection should start with reviewing route files to ensure all sensitive endpoints have proper authentication middleware. In Adonisjs, this means checking for '.middleware('auth')' on routes that should be protected:
// Check route files for proper middleware usage
const Route = use('Route')
// Good: Properly protected route
Route.get('/api/posts', 'PostController.index')
.middleware('auth')
// Bad: Missing authentication
Route.get('/api/admin', 'AdminController.dashboard')
Session configuration should be examined for proper security settings. Adonisjs allows configuration of session drivers, encryption, and cookie settings:
// Check config/sessions.js for proper security
{
driver: 'cookie',
httpOnly: true, // Should be true
secure: true, // Should be true for HTTPS
sameSite: 'lax', // Should be 'lax' or 'strict'
encrypt: true // Should be true
}Model authorization patterns should be reviewed. Adonisjs doesn't enforce authorization by default, so developers must implement policies or middleware to check user permissions:
// Check for authorization patterns
class PostPolicy {
static async canView(user, post) {
return user.id === post.user_id // This is the minimum check
}
}
// Usage in controller
async show ({ params, auth }) {
const post = await Post.find(params.id)
if (!(await PostPolicy.canView(auth.user, post))) {
return response.status(403).send('Forbidden')
}
return post
}middleBrick's scanner can automatically detect these Adonisjs-specific identification failures. The scanner tests unauthenticated endpoints, attempts parameter pollution, and checks for missing authorization controls:
# Scan Adonisjs API with middleBrick
middlebrick scan https://api.yourservice.com
# The scanner will test:
# - Authentication bypass attempts
# - Parameter pollution
# - Session fixation
# - Authorization bypass
# - Rate limiting absence
middleBrick specifically checks for Adonisjs patterns like missing middleware, improper session handling, and authorization bypass attempts. The scanner provides a security score and detailed findings with remediation guidance.
Adonisjs-Specific Remediation
Remediating identification failures in Adonisjs requires leveraging the framework's built-in security features and following Adonisjs-specific best practices.
First, implement proper authentication middleware across all routes. Adonisjs provides a robust auth system that should be configured correctly:
// app/Controllers/Http/AuthController.js
class AuthController {
async login ({ request, auth, response }) {
const { email, password } = request.all()
// Use Adonisjs's built-in auth with proper validation
const token = await auth.attempt(email, password)
// Implement rate limiting to prevent brute force
const limiter = use('App/Services/RateLimiter')
await limiter.checkLoginAttempts(email)
return token
}
async logout ({ auth }) {
await auth.logout()
return { message: 'Logged out successfully' }
}
}Configure session security properly in Adonisjs's configuration files:
// config/sessions.js
module.exports = {
driver: 'cookie',
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
encrypt: true,
// Additional security
clearWith: ['user_id']
}Implement model policies for authorization. Adonisjs doesn't have built-in policies like Laravel, so you need to create your own:
// app/Policies/PostPolicy.js
class PostPolicy {
static async view(user, post) {
return user.id === post.user_id
}
static async update(user, post) {
return user.id === post.user_id || user.isAdmin
}
static async delete(user, post) {
return user.id === post.user_id || user.isAdmin
}
}
// app/Controllers/Http/PostController.js
class PostController {
async show ({ params, auth }) {
const post = await Post.find(params.id)
if (!await PostPolicy.view(auth.user, post)) {
return response.status(403).send('Forbidden')
}
return post
}
async update ({ params, request, auth }) {
const post = await Post.find(params.id)
if (!await PostPolicy.update(auth.user, post)) {
return response.status(403).send('Forbidden')
}
post.merge(request.only(['title', 'content']))
await post.save()
return post
}
}Add parameter validation to prevent pollution attacks:
// app/Middleware/ValidateParams.js
class ValidateParams {
async handle ({ request }, next) {
// Prevent parameter pollution by using only route params
const routeParams = request.route().params
const allowedParams = Object.keys(routeParams)
// Remove any query parameters that override route params
allowedParams.forEach(param => {
request.cleanParam(param)
})
await next()
}
}
// Register middleware in start/kernel.js
const globalMiddleware = [
'Adonis/Middleware/ValidateParams'
]middleBrick's remediation guidance specifically addresses Adonisjs patterns. When the scanner detects identification failures, it provides Adonisjs-specific fixes:
# Example middleBrick output for Adonisjs
{
"severity": "high",
"category": "Authentication",
"finding": "Missing authentication middleware on /api/posts/:id",
"remediation": "Add .middleware('auth') to route definition",
"adonisjs_specific": true,
"fix_example": "Route.get('/api/posts/:id', 'PostController.show').middleware('auth')"
}Using middleBrick's GitHub Action, you can automatically scan Adonisjs APIs in your CI/CD pipeline:
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run middleBrick Scan
uses: middlebrick/middlebrick-action@v1
with:
url: ${{ secrets.API_URL }}
fail-on-severity: high
token: ${{ secrets.MIDDLEBRICK_TOKEN }}