Memory Leak in Actix with Bearer Tokens

A memory leak in an Actix web service using Bearer token authentication typically arises when token handling, request parsing, or application state retains references longer than necessary. In a black-box scan, middleBrick tests unauthenticated endpoints and observes behaviors such as growing memory usage across repeated requests, slow response times, or increased resident set size. When Bearer tokens are extracted from headers and stored in structs, connection pools, or caches without proper cleanup, references can persist beyond the request lifecycle. This is especially relevant when token processing is coupled with per-request state, middleware logging, or deserialization into objects that remain in scope due to Actix’s actor model and address reservation patterns.

For example, if a handler deserializes a JSON payload containing a token into a struct that is cloned into an Actix actor message, and that actor is long-lived or pooled, the token and associated buffers may not be released until actor shutdown. middleBrick’s checks for BFLA/Privilege Escalation and Property Authorization can expose scenarios where token-scoped data is retained in server-side objects, enabling indirect memory growth that may be observable across authenticated-like sessions via header manipulation. Similarly, Input Validation checks can surface malformed tokens or large token payloads that trigger oversized allocations, and Data Exposure checks may detect tokens in logs or debug output that indicate improper handling. In OpenAPI/Swagger spec analysis, definitions that embed token metadata without clear lifecycle constraints can align with runtime findings where per-request allocations accumulate across $ref-resolved schemas, contributing to a higher risk score.

Rate Limiting and LLM/AI Security checks are less directly related but can highlight secondary effects: insufficient rate limiting may allow repeated token-submitting requests that amplify leak impact, while unsafe consumption patterns (e.g., unbounded deserialization) can exacerbate memory retention when tokens are embedded in complex nested structures. Because middleBrick scans in 5–15 seconds without credentials, it can quickly surface memory-related anomalies tied to Bearer token handling in Actix, guiding focused remediation rather than speculative debugging.

Remediation focuses on avoiding unnecessary retention of token data, using scoped lifetimes, and ensuring cleanup in Actix handlers and actors. Prefer extracting the token into a short-lived local variable, avoiding storage in structs that are cloned into long-lived messages. When token validation is required, validate and then drop the extracted string rather than passing it through multiple layers via message payloads.

Below are concrete Actix code examples that demonstrate safe handling. The first example shows a handler that extracts the Bearer token, validates it against a constant-time check, and ensures no copies are retained in responses or actor messages:

use actix_web::{web, HttpRequest, HttpResponse, Result};
use std::time::Duration;

fn validate_bearer(token: &str) -> bool {
    // Constant-time comparison pattern to avoid timing leaks
    let expected = "s3cr3t_t0k3n_2025";
    let mut result = 0;
    for (a, b) in token.bytes().zip(expected.bytes()) {
        result |= a ^ b;
    }
    token.len() == expected.len() && result == 0
}

async fn protected_handler(req: HttpRequest) -> Result {
    let auth_header = req.headers().get("Authorization");
    if let Some(auth) = auth_header {
        if let Ok(auth_str) = auth.to_str() {
            if auth_str.starts_with("Bearer ") {
                let token = &auth_str[7..];
                if validate_bearer(token) {
                    // Token used only locally; no storage in response or actor
                    return Ok(HttpResponse::Ok().body("Access granted"));
                }
            }
        }
    }
    Ok(HttpResponse::Unauthorized().body("Invalid or missing token"))
}

The second example shows how to avoid passing token data into Actix actor messages by using request-local data and dropping it after use. Instead of sending a token-containing struct as a message, perform validation first and then proceed with logic that does not require the token:

use actix::prelude::*;
use actix_web::HttpRequest;

struct TokenCheck {
    // Do not include token fields in messages that are pooled or long-lived
}

impl Message for TokenCheck {
    type Result = Result<(), &'static str>;
}

async fn start_token_check(req: HttpRequest) -> Result {
    // Validate and extract once
    let token = match req.headers().get("Authorization") {
        Some(h) => h.to_str().unwrap_or("").strip_prefix("Bearer ").unwrap_or(""),
        None => "",
    };
    if token.is_empty() || !validate_bearer(token) {
        return Ok(HttpResponse::Unauthorized().body("Invalid token"));
    }
    // Use only necessary non-sensitive data downstream
    let task = TokenCheck {};
    let _ = Arbiter::handle().send(task).await;
    Ok(HttpResponse::Ok().finish())
}

Additionally, review middleware and logging setups to ensure tokens are not inadvertently captured in logs, metrics, or debug strings. Configure Actix’s logger to redact authorization headers and avoid attaching token data to request extensions that persist across the application pool. These practices reduce the risk of memory retention and align with the remediation guidance provided by security scans, helping to maintain a lower risk profile without relying on automatic fixes.