Missing Authentication in Adonisjs with Jwt Tokens

Missing authentication in AdonisJS when JWT tokens are involved occurs when routes or controllers fail to enforce token validation before processing requests. AdonisJS relies on route-level or controller-level guards to confirm the presence and validity of a JWT; omitting these checks exposes endpoints to unauthenticated access.

In AdonisJS, JWT handling is typically implemented via the jwt provider in start/hooks.ts and route middleware such as auth. If a route intended for authenticated users does not include the auth middleware, or if the middleware is misconfigured to skip scope or guard validation, the endpoint becomes accessible without a valid token. This misconfiguration is common when developers generate routes quickly or copy patterns without adjusting access controls.

Consider an endpoint that returns user profile data. Without authentication enforcement, an attacker can send a GET request to /profile and receive sensitive information such as email or identifiers. Because JWTs are bearer tokens, the mere presence of a token is not sufficient; the token must be validated for scope, expiration, and audience. AdonisJS’s JWT provider can validate these claims, but only if the route explicitly requires it via middleware configuration.

Another scenario involves role-based access where a route should be limited to users with specific claims. If the developer applies the auth middleware but does not enforce role checks within the handler, or does not use the scope parameter correctly, privilege escalation can occur. For example, a token issued for read-only access might be reused to invoke write operations if the route does not validate token scope against the requested action.

Additionally, missing authentication can be introduced through incorrect middleware ordering or by omitting guard names. AdonisJS allows multiple guards (e.g., jwt, local). If a route specifies a guard but the JWT provider is not properly initialized or the token signing key is misconfigured, validation may silently fail, leading to unauthenticated access. This is particularly risky during development when environment variables for secret keys are not set consistently.

Real-world attack patterns include unauthenticated enumeration of user data and unauthorized modification of resources. These map to OWASP API Top 10 categories such as Broken Object Level Authorization (BOLA) when object identifiers are exposed without proper access checks. The absence of mandatory JWT validation in AdonisJS routes therefore creates a direct path for unauthenticated interaction with protected resources.

To remediate missing authentication with JWT tokens in AdonisJS, enforce token validation at the route or controller level using the auth middleware and correctly configured guards. Ensure that every protected route explicitly requires authentication and that the JWT provider is initialized with the correct secret and algorithms.

First, verify that the JWT provider is configured in start/hooks.ts. A proper setup includes specifying the token type, secret, and algorithms:

import { defineHook } from '@adonisjs/core';
import { JwtProvider } from '@ioc/Adonis/Addons/Jwt';

export default defineHook({
  async ready() {},
  async beforeHandle(http) {
    const provider = new JwtProvider({
      secret: http.config.get('jwt.secret'),
      tokenType: 'jwt',
      expiresIn: '7d',
      algorithm: 'HS256',
    });
    http.ctx.auth = provider;
  },
});

Next, apply the auth middleware to routes that require authentication, specifying the guard as jwt. This ensures that requests without a valid token are rejected before reaching the handler:

import Route from '@ioc:Adonis/Core/Route';

Route.get('/profile', 'ProfileController.show').middleware('auth:jwt');

In the controller, retrieve the authenticated user from the context. AdonisJS populates ctx.auth.user after successful token validation:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';

export default class ProfileController {
  public async show({ auth }: HttpContextContract) {
    const user = auth.user;
    return { email: user.email, id: user.id };
  }
}

For scope-based protection, use the scope parameter to restrict access based on token claims. This is useful when tokens carry roles or permissions that must align with the requested operation:

Route.post('/admin/users', 'AdminController.create')
  .middleware('auth:jwt', { scope: ['admin:write'] });

Additionally, validate token expiration and audience explicitly if your use case requires strict checks. The JWT provider can decode tokens without verification for inspection, but you should always rely on middleware for enforcement:

import { jwtVerify } from 'jose';

export async function validateToken(token: string) {
  const { payload } = await jwtVerify(token, new TextEncoder().encode(process.env.JWT_SECRET!));
  if (payload.exp && payload.exp * 1000 < Date.now()) {
    throw new Error('Token expired');
  }
  return payload;
}

Finally, ensure that environment variables for JWT_SECRET are set consistently across development and production. Rotate secrets periodically and avoid hardcoding keys in source code. Using the CLI, you can test protected routes with and without tokens to confirm that authentication enforcement is effective.