Logging Monitoring Failures in Adonisjs with Jwt Tokens

When an AdonisJS application uses JWT tokens for authentication but does not log and monitor key security events, it creates blind spots that can be exploited. JWTs are typically stateless; once issued, the server does not maintain session state. This means token issuance, validation failures, and revocation events must be explicitly recorded and observed to detect abuse.

Without structured logging around JWT operations, you lose visibility into patterns such as repeated invalid tokens, token reuse across IPs, or missing or malformed claims. For example, an attacker who obtains a leaked token may try slight modifications to bypass naive checks; without logging each validation attempt and its outcome, these probing behaviors remain invisible. Monitoring further fails when token expiration handling, signature verification errors, or unexpected claims are not surfaced as anomalies.

In AdonisJS, the framework relies on packages like @adonisjs/auth and jwt providers. If your application does not instrument the authentication pipeline to emit logs for events such as token.verified, token.invalid, and auth.unauthenticated, you cannot correlate failed logins with token misuse. This lack of telemetry also hampers detection of token replay attacks across services, where the same JWT is used simultaneously from different locations. Because JWTs often carry identity and permissions, missing logs around their lifecycle can allow privilege escalation or unauthorized access to persist undetected.

Additionally, failing to monitor the points where tokens are generated (e.g., during login or token refresh) means you cannot identify issuance anomalies such as unusually long-lived tokens or tokens issued for elevated scopes without justification. In AdonisJS, this requires explicit logging in your controller or provider code around the token creation step, including the payload contents and the context of the request. Without this, an attacker who compromises a credential could obtain a high-privilege token and move laterally while the system remains unaware.

Operational monitoring must also capture environmental and runtime signals such as token parse errors, signature verification failures, and clock-skew-related rejections. These are common in distributed systems where time synchronization is imperfect, but they can also indicate active tampering. If AdonisJS routes or middleware that validate JWTs do not log these failures with sufficient context (e.g., token header, claims, IP, user agent), security teams lose the ability to differentiate between benign misconfiguration and targeted attacks like token substitution or signature bypass.

Remediation centers on instrumenting the authentication flow to emit structured logs for all JWT lifecycle events and adding runtime guards to detect suspicious patterns. Below are concrete steps and code examples tailored for AdonisJS.

First, ensure your authentication provider logs key events. If you are using the jwt provider, wrap token verification and generation with a logger. For example:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import { DateTime } from 'luxon'

export default class AuthController {
  public async login({ request, auth, logger, response }: HttpContextContract) {
    const { email, password } = request.only(['email', 'password'])
    const token = await auth.attempt(email, password)

    logger.info('token.issued', {
      subject: 'auth.login',
      email,
      jwtType: 'access',
      issuedAt: DateTime.local().toISO(),
      expiresIn: '15m',
      ip: request.ip()
    })

    return response.send({ token })
  }

  public async handleAuthFailure({ request, logger, response }: HttpContextContract) {
    logger.warn('auth.unauthenticated', {
      subject: 'auth.failure',
      path: request.url(),
      ip: request.ip(),
      userAgent: request.headers().get('user-agent'),
      timestamp: new Date().toISOString()
    })
    return response.unauthorized(null, 'Invalid credentials')
  }
}

Second, add logging around token validation in your JWT middleware or custom hooks. This captures verification results and claim checks:

import { Exception } from '@poppinss/utils'
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export const verifyJwt = async (ctx: HttpContextContract) => {
  const token = ctx.request.headers()['authorization']?.replace('Bearer ', '')
  if (!token) {
    ctx.logger.warn('jwt.missing', {
      subject: 'jwt.validation',
      path: ctx.request.url(),
      ip: ctx.request.ip()
    })
    throw new Exception('Unauthorized', 401, 'E_JWT_MISSING')
  }

  try {
    const payload = await ctx.auth.use('jwt').verify(token)
    ctx.logger.info('jwt.verified', {
      subject: 'jwt.validation',
      payload,
      ip: ctx.request.ip(),
      userAgent: ctx.request.headers().get('user-agent')
    })
    ctx.auth.user = payload
  } catch (error) {
    ctx.logger.error('jwt.invalid', {
      subject: 'jwt.validation',
      error: error.message,
      tokenPreview: token.slice(0, 30),
      ip: ctx.request.ip()
    })
    throw error
  }
}

Third, monitor token refresh and revocation patterns. Log token refresh attempts and include metadata useful for anomaly detection:

export const refreshToken = async ({ request, auth, logger, response }: HttpContextContract) => {
  const { refresh_token } = request.body()
  const newPair = await auth.use('jwt').attemptRefreshToken(refresh_token)

  logger.info('token.refreshed', {
    subject: 'token.refresh',
    previousExpiry: refreshTokenPayload.exp,
    newAccessTokenExpiry: newPair.accessToken.expiresIn,
    ip: request.ip()
  })

  return response.send(newPair)
}

Finally, integrate these logs with your monitoring system to trigger alerts on patterns such as repeated invalid tokens from the same IP or tokens issued with unexpected scopes. This approach aligns with observability best practices and helps detect abuse early while maintaining the stateless nature of JWTs in AdonisJS.