Missing Authentication in Feathersjs with Api Keys

FeathersJS is a framework for creating JavaScript APIs with services that typically rely on authentication hooks to protect endpoints. When authentication is omitted or misconfigured for a service that also uses API keys, the API key mechanism may not be invoked at all, allowing unauthenticated requests to reach business logic. This is a Missing Authentication issue in the context of the OWASP API Security Top 10, often categorized as broken object level authorization (BOLA) when access control is also weak.

In FeathersJS, an API key might be implemented as a custom header (e.g., x-api-key) validated by a hook. If the service does not explicitly require authentication or if the hook is not applied to the service, requests without any credentials can interact with the API key–protected resource. An attacker can therefore call the endpoint directly, bypassing intended access controls. For example, a service defined without an authentication hook might allow any caller to list sensitive records or invoke methods that should be restricted to authenticated clients.

Consider a FeathersJS service for retrieving user settings. If the service is configured without authentication hooks and only expects an API key in a header, a missing or misconfigured hook can cause the API key check to be skipped. The API key itself might be validated later in a lower-level middleware, but if the service route is exposed without requiring authentication, the unauthenticated attack surface remains. This exposes the endpoint to enumeration and data exfiltration, especially if rate limiting is also absent.

During a black-box scan, middleBrick tests the unauthenticated attack surface by sending requests without credentials to endpoints expected to be protected. In the context of API keys, this includes probing for the presence of key validation, checking whether the endpoint responds differently when the key is omitted, and testing whether sensitive operations are allowed without prior authentication. Findings are correlated with OpenAPI specifications when available, highlighting mismatches between declared security requirements and runtime behavior.

Real-world attack patterns such as insecure direct object references (IDOR) can compound the risk when authentication is missing. An attacker might iterate over identifiers and access other users’ data if authorization is not enforced. middleBrick runs checks for IDOR, input validation, and data exposure in parallel to surface these combinations. The scanner also evaluates whether the API key is transmitted securely and whether responses inadvertently leak sensitive information in error messages or metadata.

middleBrick’s LLM/AI Security checks are relevant when API endpoints interact with language models. If an unauthenticated endpoint exposes functionality that triggers LLM calls, attackers may probe for prompt injection or attempt unauthorized usage. The scanner runs active prompt injection probes and inspects outputs for sensitive data, ensuring that AI-related features do not introduce additional risk when authentication is missing.

To remediate Missing Authentication when using API keys in FeathersJS, explicitly require authentication for the service and ensure the API key hook is applied correctly. Below are concrete, syntactically correct examples that demonstrate secure configuration.

First, define an authentication hook that checks for an API key in a custom header. This hook should reject requests that do not provide a valid key.

// src/hooks/authentication.js
const API_KEYS = new Set([process.env.API_KEY_1, process.env.API_KEY_2]);

module.exports = function authentication(options = {}) {
  return async context => {
    if (context.params.provider === 'external') {
      const { 'x-api-key': apiKey } = context.headers;
      if (!apiKey || !API_KEYS.has(apiKey)) {
        throw new Error('Not authenticated');
      }
    }
    return context;
  };
};

Next, apply this authentication hook to your service so that every call requires a valid API key. This ensures that unauthenticated requests are blocked before reaching business logic.

// src/services/settings/settings.service.js
const { authenticate } = require('@feathersjs/authentication-common');
const authentication = require('../../hooks/authentication');

module.exports = function (app) {
  const options = {
    name: 'settings',
    paginate: { default: 10, max: 25 }
  };

  // Initialize service and other options
  app.use('/settings', createService(options));

  const service = app.service('settings');

  // Set up authentication for the service
  service.hooks({
    before: {
      all: [authentication()]
    }
  });
};

If you use multiple API keys and want to inspect which key was provided, you can attach the key to the context for downstream use. This pattern helps with auditing and conditional logic without weakening authentication requirements.

// src/hooks/attach-api-key.js
module.exports = function attachApiKey(options = {}) {
  return async context => {
    const { 'x-api-key': apiKey } = context.headers || {};
    if (apiKey) {
      context.apiKey = apiKey;
    }
    return context;
  };
};

Combine the authentication hook with the attach hook to keep the validation and attachment steps separate yet ordered. Ensure the authentication hook runs before any service method that deals with sensitive data or operations.

// src/services/users/users.service.js
const authentication = require('../../hooks/authentication');
const attachApiKey = require('../../hooks/attach-api-key');

module.exports = function (app) {
  const options = { name: 'users' };
  app.use('/users', createService(options));

  const service = app.service('users');

  service.hooks({
    before: {
      all: [attachApiKey(), authentication()]
    }
  });
};

For production, validate that no service routes are inadvertently left without the authentication hook. A common mistake is applying hooks to the generic service but not to dynamically created services or nested routes. Review your hook registration to confirm coverage across all endpoints. middleBrick’s CLI tool can scan your implementation and report on missing authentication patterns, while the GitHub Action can fail builds if risk thresholds are exceeded.

When using the middleBrick Web Dashboard, you can track how these changes affect your security scores over time. The Pro plan provides continuous monitoring and can alert your team if a regression introduces Missing Authentication, helping you maintain secure configurations as your API evolves.