Missing Authentication in Fiber with Basic Auth
Missing Authentication in Fiber with Basic Auth — how this specific combination creates or exposes the vulnerability
Missing Authentication in a Fiber endpoint that exposes Basic Auth creates a critical security risk where access controls are absent even though credentials are technically available. Basic Auth transmits the username and password as a base64-encoded `username:password` pair in the Authorization header; encoding is not encryption, so the credentials are trivially decoded unless the transport itself is protected. When an endpoint does not validate the presence or correctness of Basic Auth credentials, an unauthenticated attacker can call the route directly and bypass the intended access restrictions.
Consider a health-check route or administrative endpoint in Fiber that should be restricted to internal services. If the route does not enforce credential checks, an attacker can send a simple GET request and receive sensitive data or trigger operations. middleBrick scans this unauthenticated attack surface and flags Missing Authentication as a finding, highlighting that the route responds without verifying credentials. This is distinct from scenarios where credentials are accepted but not validated; here, the server often responds with 200 OK even when no Authorization header is provided.
Basic Auth over plain HTTP is especially dangerous because the credentials can be read and decoded by anyone on the path. middleBrick tests such endpoints by sending requests without credentials and with malformed headers to determine whether access is granted. If no middleware enforces authentication, the scan identifies the route as exposed. Findings include the endpoint path, a request example without credentials, and a prioritized remediation that emphasizes enforcing validation and using HTTPS to protect credentials in transit.
When scanning a Fiber API with OpenAPI specs, middleBrick cross-references spec definitions that declare securitySchemes of type http with scheme basic. If the route does not reference this security requirement or if the security requirement is missing from the operation, the runtime behavior is tested without credentials. The scanner maps the finding to frameworks such as OWASP API Top 10 (2023) A07:2021 — Identification and Authentication Failures, and provides remediation guidance tied to the specific routes and methods detected.
Basic Auth-Specific Remediation in Fiber — concrete code fixes
To remediate Missing Authentication in Fiber when using Basic Auth, enforce credential validation on every route that requires protection. Define a middleware function that checks the Authorization header, decodes the base64 payload, and compares credentials against a secure source. Only proceed to the handler if the credentials are valid; otherwise, respond with 401 Unauthorized.
Below is a concrete example of Basic Auth middleware. Note that the snippet is written in TypeScript for Deno rather than in Go; the pattern it shows (extract the header, decode the credentials, compare them, and only then continue to the handler) maps directly onto a Fiber handler. For production, use environment variables or a secure secret store rather than hard-coded values.
```typescript
import { app, http } from 'https://deno.land/x/[email protected]/mod.ts';

const EXPECTED_USER = Deno.env.get('BASIC_USER') || 'admin';
const EXPECTED_PASS = Deno.env.get('BASIC_PASS') || 'secret';

// Constant-time string comparison so a mismatch does not leak how many
// leading characters of a guess were correct.
const safeEqual = (a: string, b: string): boolean => {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
};

const basicAuth = (c: any, next: any) => {
  const authHeader = c.get('Authorization');
  if (!authHeader || !authHeader.startsWith('Basic ')) {
    c.status = 401;
    return c.json({ error: 'Unauthorized', message: 'Missing Basic Auth header' });
  }
  // atob is a Deno global; it throws on malformed base64, which must also be a 401.
  let decoded: string;
  try {
    decoded = atob(authHeader.slice('Basic '.length).trim());
  } catch {
    c.status = 401;
    return c.json({ error: 'Unauthorized', message: 'Malformed Basic Auth header' });
  }
  // Split on the first ':' only, because passwords may themselves contain colons.
  const sep = decoded.indexOf(':');
  if (sep < 0) {
    c.status = 401;
    return c.json({ error: 'Unauthorized', message: 'Malformed Basic Auth header' });
  }
  const user = decoded.slice(0, sep);
  const pass = decoded.slice(sep + 1);
  // Evaluate both comparisons before branching so the check does not short-circuit.
  const userOk = safeEqual(user, EXPECTED_USER);
  const passOk = safeEqual(pass, EXPECTED_PASS);
  if (!userOk || !passOk) {
    c.status = 401;
    return c.json({ error: 'Unauthorized', message: 'Invalid credentials' });
  }
  return next();
};

const f = app();
// Protected route using Basic Auth
f.get('/admin', basicAuth, (c: any) => {
  return c.json({ status: 'ok', data: 'Admin access granted' });
});
// Public route (no auth required)
f.get('/health', (c: any) => {
  return c.json({ status: 'ok' });
});
f.listen({ port: 3000 });
```
In this example, the basicAuth middleware ensures that requests to /admin include a valid Authorization header with correct credentials. If credentials are missing or incorrect, the endpoint returns 401 Unauthorized. For broader protection, apply the middleware globally or to route groups that require authentication, while keeping truly public endpoints—such as health checks—unprotected if appropriate.
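Because Fiber is a Go framework, the same check is worked through below in Go. This is an added example, not middleBrick's or Fiber's own code. It uses only the standard library so it runs without dependencies: `net/http` stands in for Fiber's router, and the `httptest` probe reproduces the check described earlier on this page (call the route with no credentials and see whether it still answers 200). The credentials, route name and realm are constructed sample values. In a Fiber app the `parseBasicAuth` and `credentialsValid` functions plug unchanged into a `fiber.Handler` that reads `c.Get("Authorization")` and calls `c.Next()`; Fiber also ships a ready-made middleware at `github.com/gofiber/fiber/v2/middleware/basicauth`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample credentials for this example only. In a real service load
// them from a secret store (and store a password hash, not the plaintext).
var (
	expectedUser = "admin"
	expectedPass = "correct-horse-battery-staple"
)

// parseBasicAuth extracts user and password from an Authorization header value.
// ok is false when the header is missing, is not a Basic credential, is not
// valid base64, or carries no ':' separator. It cuts at the first ':' so that
// passwords containing colons survive.
func parseBasicAuth(header string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(prefix):]))
	if err != nil {
		return "", "", false
	}
	user, pass, found := strings.Cut(string(raw), ":")
	if !found {
		return "", "", false
	}
	return user, pass, true
}

// credentialsValid hashes both sides to a fixed length and compares in constant
// time, so response timing does not reveal how much of a guess matched.
func credentialsValid(user, pass string) bool {
	gotUser, wantUser := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(expectedUser))
	gotPass, wantPass := sha256.Sum256([]byte(pass)), sha256.Sum256([]byte(expectedPass))
	userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) == 1
	passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) == 1
	return userOK && passOK
}

// requireBasicAuth is the middleware. The Fiber equivalent reads
// c.Get("Authorization"), returns c.SendStatus(fiber.StatusUnauthorized) on
// failure and calls c.Next() on success.
func requireBasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := parseBasicAuth(r.Header.Get("Authorization"))
		if !ok || !credentialsValid(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="admin"`)
			http.Error(w, `{"error":"Unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func adminHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_, _ = w.Write([]byte(`{"status":"ok","data":"Admin access granted"}`))
}

// The vulnerable wiring (what the scanner flags) and the remediated wiring.
var (
	unprotectedAdmin http.Handler = http.HandlerFunc(adminHandler)
	protectedAdmin   http.Handler = requireBasicAuth(http.HandlerFunc(adminHandler))
)

// basicHeader builds a well-formed Basic Authorization value for a probe.
func basicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// probe sends GET /admin with the given Authorization value ("" omits the
// header) and returns the status code, which is the scanner's decisive signal.
func probe(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unprotected, no header:", probe(unprotectedAdmin, ""))                                   // 200: Missing Authentication
	fmt.Println("protected, no header:  ", probe(protectedAdmin, ""))                                     // 401
	fmt.Println("protected, malformed:  ", probe(protectedAdmin, "Basic not*base64"))                     // 401
	fmt.Println("protected, wrong creds:", probe(protectedAdmin, basicHeader("admin", "wrong")))          // 401
	fmt.Println("protected, valid creds:", probe(protectedAdmin, basicHeader(expectedUser, expectedPass))) // 200
}
```

The first probe is the finding itself: the unprotected wiring answers 200 with no Authorization header at all. After the middleware is applied, every request that is missing, malformed or wrong gets the same 401 with a `WWW-Authenticate` challenge, and only a correct pair reaches the handler. Hashing before the constant-time compare is what lets two strings of different lengths be compared without leaking the length.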
When combined with HTTPS, this approach protects credentials in transit. middleBrick can verify that the remediation is effective by rescanning the endpoint with and without valid credentials and confirming that access is denied without proper authentication. The CLI can be used to automate verification: middlebrick scan <url> and review the updated security score and findings.
For teams using automation, the GitHub Action can enforce a minimum security score before merging, and the MCP Server allows scanning API definitions directly from development environments. These integrations complement the code-level fixes by ensuring that regressions are caught early and that runtime behavior aligns with declared specifications.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |