Api Rate Abuse in Adonisjs with Postgresql
Api Rate Abuse in Adonisjs with Postgresql — how this combination creates or exposes the vulnerability
AdonisJS, a Node.js web framework, typically relies on application-level rate-limiting middleware to control request volume per client. When paired with PostgreSQL as the backend database, misconfigured or absent rate limits can allow a single client to open many concurrent database connections or execute many heavy queries in a short window. This can saturate connection pools, overload query execution on shared tables, and indirectly expose sensitive patterns through timing differences or error messages.
In a black-box scan, middleBrick tests unauthenticated endpoints to detect missing or weak rate limiting across routes that interact with PostgreSQL-backed resources. For example, an endpoint like /api/users/:id/profile that performs a direct SELECT on a large user table without per-IP or per-token throttling can be hammered to enumerate valid IDs (potential BOLA/IDOR) or trigger expensive joins that degrade performance. The database workload becomes a side channel: high request rates lead to long-running queries, connection spikes, or lock contention that an attacker can observe indirectly.
AdonisJS applications often use Lucid ORM with PostgreSQL. Without explicit rate limiting, each request that issues INSERT, UPDATE, or DELETE statements contributes to write amplification. Combined with connection pooling settings that allow many idle or active clients, an attacker can exhaust resources, causing timeouts for legitimate users. This is especially risky for authentication and token-verification endpoints, where attackers may attempt credential stuffing or token brute-force at scale.
middleBrick’s 12 checks include Rate Limiting and Input Validation, which together highlight cases where an API endpoint backed by PostgreSQL in AdonisJS lacks request caps or fails to validate and throttle payloads. Findings include missing identifiers for rate keys, overly permissive window sizes, and absence of progressive backoff, all of which increase exposure to abuse. Remediation focuses on enforcing per-identifier limits, monitoring query complexity, and ensuring database-side safeguards complement framework-level controls.
Postgresql-Specific Remediation in Adonisjs — concrete code fixes
To secure AdonisJS routes that rely on PostgreSQL, implement rate limiting at the route or middleware layer and add database-side constraints to limit the cost and frequency of queries. Below are concrete, realistic examples you can apply.
1. Route-level rate limiting with @adonisjs/throttle
Use the official throttle provider to cap requests per identifier (e.g., IP or user ID). This prevents a single client from overwhelming PostgreSQL with rapid calls.
// start/kernel.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { throttle } from '@adonisjs/throttle'
export const middleware = () => [
throttle({ identifier: (ctx: HttpContextContract) => ctx.request.ip(), max: 60, window: '1m' })
]
// routes.ts
Route.get('/api/users/:id/profile', 'UserController.show')
.middleware(['throttle'])
2. Database-side statement cost control
In PostgreSQL, use statement timeouts and work_mem cautiously to cap resource usage per query. Execute these settings at the session level for routes that perform heavy reads or writes on shared tables.
// database/middleware/statement_cost.ts
import { BaseMiddleware } from '@ioc:Adonis/Core/HttpMiddleware'
import { Profiler } from '@ioc:Adonis/Core/Profiler'
import Database from '@ioc:Database'
export default class StatementCostMiddleware extends BaseMiddleware {
public async handle({ request, response, session }, next: () => Promise) {
// Set per-request limits for queries touching large tables
await Database.rawQuery('SET LOCAL statement_timeout = ${1500}; SET LOCAL work_mem = ${16384};')
await next()
}
}
Then register this middleware on sensitive routes:
// routes.ts
Route.get('/api/reports/large', 'ReportController.index')
.middleware(['statementCost'])
3. Row-level security and query constraints
Define policies in the database to ensure that even if request volume is high, each query touches only allowed rows. Combine with AdonisJS policies for authorization, but enforce limits directly in SQL to avoid bypass via high concurrency.
-- Enable row security on the profiles table
ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
-- Policy: users can only see their own profile unless they are admins
CREATE POLICY profiles_own_or_admin ON profiles
FOR SELECT
USING (
auth.role() = 'admin' OR user_id = auth.uid()
);
-- Ensure the policy is active
ALTER TABLE profiles FORCE ROW LEVEL SECURITY;
In AdonisJS, keep the route lean and let the database enforce boundaries:
// app/Controllers/Http/UserController.ts
import Database from '@ioc:Database'
export class UserController {
public async show({ params, auth }: HttpContextContract) {
const row = await Database
.from('profiles')
.where('user_id', auth.user?.id)
.preload('settings')
.firstOrFail()
return row
}
}
4. Connection pool and transaction hygiene
Configure your PostgreSQL pool in AdonisJS to prevent resource exhaustion under high request rates. Avoid long-running transactions that hold connections and increase lock contention.
// database.ts
import { DbConfig } from '@ioc:Adonis/Addons/Lucid'
const config: DbConfig = {
connection: 'pg',
connections: {
pg: {
client: 'postgres',
connection: {
host: 'localhost',
port: 5432,
database: 'maindb',
user: 'app_user',
password: process.env.DB_PASSWORD,
},
pool: {
min: 0,
max: 20,
idleTimeoutMillis: 30000,
acquireTimeoutMillis: 5000,
},
},
},
}
export default config
Use explicit transactions and ensure they complete quickly:
// app/Services/ProfileService.ts
import Database from '@ioc:Database'
export default class ProfileService {
public static async updateBio(userId: number, bio: string) {
await Database.transaction(async (trx) => {
await trx
.from('profiles')
.where('user_id', userId)
.update({ bio })
})
}
}