Logging Monitoring Failures in Actix with Basic Auth
Logging Monitoring Failures in Actix with Basic Auth — how this specific combination creates or exposes the vulnerability
When an Actix web service uses HTTP Basic Authentication without structured logging and active monitoring, security-relevant events are inconsistently recorded or omitted, which weakens visibility into authentication failures. Basic Auth sends credentials in an Authorization header with base64-encoded credentials (not encrypted); relying on transport-layer security is necessary but insufficient for auditability.
In Actix, if authentication middleware or handlers do not explicitly log failed authentication attempts, usernames, source IPs, timestamps, and failure reasons, operators lose the ability to detect brute-force patterns or credential spraying. Without logs, monitoring rules that trigger on anomalies cannot fire, allowing attackers to probe accounts without triggering alerts. For example, repeated 401 responses may go unrecorded if the application only emits generic access logs without status-code or security context enrichment.
Additionally, inconsistent log formatting and missing correlation identifiers make it hard to trace a single authentication session across services. If logs exclude outcome (success/failure), user identity, or endpoint path, security teams cannot reliably investigate incidents or map events to the MITRE ATT&CK technique T1110 (Brute Force). This combination—Basic Auth over HTTPS with inadequate logging—creates a scenario where unauthorized access attempts are not reliably captured, undermining detection and response.
To reduce this class of risk, instrument Actix handlers to emit structured logs for both successful and failed Basic Auth attempts, including username (or a non-sensitive identifier), client IP, HTTP method, path, status, and a unique request ID. Feed these logs into a monitoring system that tracks failure rates and raises alerts on thresholds indicative of automated attacks. The scanner category Authentication in middleBrick checks whether authentication mechanisms produce sufficient audit data and flags missing logging as an actionable finding.
Basic Auth-Specific Remediation in Actix — concrete code fixes
Remediation focuses on ensuring every authentication decision is recorded and on tightening how credentials are handled. Use middleware to intercept requests, validate credentials, and produce structured logs for both outcomes. Below is a minimal, secure pattern for Basic Auth in Actix with explicit logging and constant-time comparison to mitigate timing-based leakage.
use actix_web::{web, App, HttpResponse, HttpServer, middleware, dev::ServiceRequest, dev::ServiceResponse, Error};
use actix_web::http::header::HeaderValue;
use actix_web::http::StatusCode;
use base64::engine::general_purpose;
use base64::Engine;
use log::{info, warn};
use std::collections::HashMap;
use std::time::{SystemTime, UNIX_EPOCH};
// A constant-time comparison to avoid timing leaks
fn safe_equals(a: &str, b: &str) -> bool {
use subtle::ConstantTimeEq;
let a_bytes = a.as_bytes();
let b_bytes = b.as_bytes();
if a_bytes.len() != b_bytes.len() {
return false;
}
a_bytes.ct_eq(b_bytes).into()
}
async fn validate_credentials(req: ServiceRequest) -> Result {
let headers = req.headers();
if let Some(auth_header) = headers.get("authorization") {
if let Ok(auth_str) = auth_header.to_str() {
if auth_str.starts_with("Basic ") {
let encoded = auth_str.trim_start_matches("Basic ").trim();
if let Ok(decoded) = general_purpose::STANDARD.decode(encoded) {
if let Ok(credentials) = String::from_utf8(decoded) {
let parts: Vec<&str> = credentials.splitn(2, ':').collect();
if parts.len() == 2 {
let (username, password) = (parts[0], parts[1]);
// Replace with secure lookup, e.g., constant-time DB or vault check
let valid = check_user_credentials(username, password).await;
let client_ip = req.connection_info().realip_remote_addr().unwrap_or("unknown");
let timestamp = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
if valid {
info!(
r#"{{"timestamp": {}, "event": "auth_success", "username": "{}", "ip": "{}", "method": "{}", "path": "{}", "status": 200, "request_id": "{}"}}"#,
timestamp, username, client_ip, req.method(), req.path(), req.headers().get("x-request-id").and_then(|v| v.to_str().ok()).unwrap_or("-")
);
return Ok(req);
} else {
warn!(
r#"{{"timestamp": {}, "event": "auth_failure", "username": "{}", "ip": "{}", "method": "{}", "path": "{}", "status": 401, "request_id": "{}"}}"#,
timestamp, username, client_ip, req.method(), req.path(), req.headers().get("x-request-id").and_then(|v| v.to_str().ok()).unwrap_or("-")
);
return Err((actix_web::error::ErrorUnauthorized("Invalid credentials"), req));
}
}
}
}
}
}
}
// No valid Basic Auth header
let client_ip = req.connection_info().realip_remote_addr().unwrap_or("unknown");
let timestamp = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
warn!(
r#"{{"timestamp": {}, "event": "auth_missing", "ip": "{}", "method": "{}", "path": "{}", "status": 401, "request_id": "{}"}}"#,
timestamp, client_ip, req.method(), req.path(), req.headers().get("x-request-id").and_then(|v| v.to_str().ok()).unwrap_or("-")
);
Err((actix_web::error::ErrorUnauthorized("Missing credentials"), req))
}
async fn check_user_credentials(username: &str, password: &str) -> bool {
// Example static check; replace with secure storage and constant-time verification
// Avoid logging the password; log only outcome and username
username == "admin" && password == "correct_hashed_password_equivalent"
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
env_logger::init();
HttpServer::new(|| {
App::new()
.wrap(middleware::Logger::default())
.wrap_fn(|req, srv| {
let fut = validate_credentials(req);
async move {
match fut.await {
Ok(req) => srv.call(req).await,
Err((err, req)) => {
// Ensure response includes consistent structure and logs are emitted
let (req, _pl) = req.into_parts();
let res = HttpResponse::build(StatusCode::UNAUTHORIZED)
.insert_header(("WWW-Authenticate", "Basic realm=\"secure\""))
.body("Unauthorized");
Ok(ServiceResponse::new(req, res).map_into_left_body())
}
}
}
})
.route("/api/secure", web::get().to(|| async { HttpResponse::Ok().body("Authenticated data") }))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
Key practices embedded in this remediation:
- Log both successes and failures with sufficient context (username, IP, method, path, status, request ID) but never log passwords or full credentials.
- Use constant-time comparison for credentials to reduce timing side-channels; avoid early string equality that can short-circuit.
- Return 401 with WWW-Authenticate header to standardize Basic Auth challenges.
- Structure logs as JSON to enable reliable parsing by monitoring systems; include timestamps and request IDs for correlation.
- Ensure the scanner category Authentication and Logging Monitoring Failures are covered by verifying that logs capture failed attempts; middleBrick findings will point to missing logging when attempts are not recorded.
Note: middleBrick does not fix these issues; it identifies them with remediation guidance so teams can implement structured logging, monitoring rules, and secure credential handling in Actix.