HIGH missing authenticationadonisjsbasic auth

Missing Authentication in Adonisjs with Basic Auth

Scan for missing authentication in adonisjs

Missing Authentication in Adonisjs with Basic Auth — how this specific combination creates or exposes the vulnerability

Ads in AdonisJS often rely on packages such as @adonisjs/basic-auth to enforce HTTP Basic Authentication. When the required middleware is omitted or misconfigured, the endpoint becomes unauthenticated from an API security perspective. middleBrick flags this as Missing Authentication because the route accepts requests without presenting valid credentials, exposing functionality that should be protected.

Consider a typical route definition that intends to use Basic Auth but accidentally skips the middleware registration in start/routes.ts:

import Route from '@ioc:Adonis/Core/Route'

// Intended to be protected, but middleware is not referenced
Route.get('/internal/metrics', 'MetricsController.show')

If the application expects Basic Auth via a package like @adonisjs/basic-auth but the route does not include the corresponding middleware (e.g., auth:basic), an attacker can call the endpoint without credentials and obtain sensitive operational data. This aligns with the BOLA/IDOR and Authentication checks in middleBrick’s 12 parallel security checks, because the vulnerability is about missing access control rather than a flaw in the Basic Auth implementation itself.

During a scan, middleBrick tests unauthenticated access and checks whether responses differ when credentials are provided. A missing authentication flaw is indicated when unauthenticated requests succeed with the same data as authenticated ones, or when the server does not challenge with a 401 when credentials are omitted. Because Basic Auth sends credentials in base64-encoded form without encryption unless used over TLS, missing authentication compounds the risk by exposing secrets in transit if encryption is also absent.

In a real-world scenario, an unauthenticated endpoint might return user lists, configuration, or tokens. middleBrick’s detection includes analyzing whether the response contains sensitive data, which could map to compliance frameworks such as OWASP API Top 10 (A01: Broken Access Control) and SOC 2 controls. The scanner does not fix the route but provides findings with remediation guidance, emphasizing that developers must explicitly apply the appropriate auth middleware to each route that requires protection.

Basic Auth-Specific Remediation in Adonisjs — concrete code fixes

To remediate missing authentication with Basic Auth in AdonisJS, explicitly register the Basic Auth middleware on routes that must be protected. Ensure that the auth provider is properly configured and that TLS is enforced in production to prevent credentials from being transmitted in clear text.

1) Define a route with the Basic Auth middleware in start/routes.ts:

import Route from '@ioc:Adonis/Core/Route'

Route.get('/internal/metrics', 'MetricsController.show')
  .middleware(['auth:basic'])

2) Configure the Basic Auth provider in config/auth.ts to validate users against a database or a static list. For example, using the database provider:

import { BasicAuthUserProviderConfig } from '@ioc:Adonis/Addons/BasicAuth'

const basicAuthProvider: BasicAuthUserProviderConfig = {
  driver: 'database',
  table: 'basic_auth_users',
  usernameField: 'username',
  passwordField: 'password_hash',
}

export default {
  providers: {
    basicAuth: basicAuthProvider,
  },
}

3) Use a controller that expects the authenticated user and returns protected data only when credentials are valid:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class MetricsController {
  public async show({ auth }: HttpContextContract) {
    const user = auth.getUserOrFail()
    // Fetch and return protected metrics for the authenticated user
    return { user: user.username, metrics: { requests: 1234 } }
  }
}

4) Enforce TLS in production by configuring your server (e.g., reverse proxy or Node.js HTTPS) to terminate TLS and by setting FORCE_HTTPS=true in environment variables. Basic Auth credentials are base64-encoded, not encrypted; without TLS, missing authentication effectively becomes credential exposure.

middleBrick’s scan will verify that the endpoint returns a 401 challenge when credentials are absent and that protected data is not returned without valid Basic Auth headers. By combining correct middleware registration, secure credential storage, and TLS, you address the missing authentication finding and reduce the risk of unauthorized access mapped to frameworks like OWASP API Top 10 and GDPR data protection requirements.

Related CWEs: authentication

CWE IDNameSeverity
CWE-287Improper Authentication CRITICAL
CWE-306Missing Authentication for Critical Function CRITICAL
CWE-307Brute Force HIGH
CWE-308Single-Factor Authentication MEDIUM
CWE-309Use of Password System for Primary Authentication MEDIUM
CWE-347Improper Verification of Cryptographic Signature HIGH
CWE-384Session Fixation HIGH
CWE-521Weak Password Requirements MEDIUM
CWE-613Insufficient Session Expiration MEDIUM
CWE-640Weak Password Recovery HIGH
Scan for missing authentication in adonisjs Free API security scan

Frequently Asked Questions

Does middleBrick attempt to log in or modify data during a scan?
No. middleBrick tests unauthenticated attack surface only and does not attempt to log in, modify, or delete data. It checks whether authentication is required and whether credentials are necessary to access endpoints.
Can I test internal or staging APIs with the free tier?
Yes, the free tier allows 3 scans per month. You can scan any publicly reachable API endpoint, including staging environments, without installing agents or providing credentials.

Related Pages

Missing Authentication in AdonisjsMissing authentication in Adonisjs exposes APIs to unauthorized access. Learn Adonisjs-specific patterns, detection methMissing Authentication with Basic AuthLearn how missing authentication manifests in Basic Auth systems, how to detect it with automated tools, and implement pMissing Authentication in Adonisjs on CloudflareUnderstand how missing authentication in AdonisJS behind Cloudflare creates exposure and apply concrete route guards andMissing Authentication in Adonisjs on HerokumiddleBrick scans AdonisJS APIs on Heroku for missing authentication, providing severity-ranked findings and remediationMissing Authentication in Adonisjs on AzuremiddleBrick scans API endpoints for missing authentication, including AdonisJS services integrating with Azure. Get secuMissing Authentication in Adonisjs on DockerSecure AdonisJS in Docker: detect missing authentication, apply middleware policies, and validate container exposure witIso 27001: Missing Authentication in AdonisjsExplore how missing authentication in AdonisJS relates to ISO 27001 access control requirements, and apply concrete AdonHipaa: Missing Authentication in AdonisjsExplore how missing authentication in Adonisjs APIs can create HIPAA risks. Learn concrete Adonisjs fixes and see how miCis: Missing Authentication in AdonisjsExplore Missing Authentication risks in Adonisjs APIs. Understand how missing guards enable IDOR and BOLA, and apply conGdpr: Missing Authentication in AdonisjsExplore GDPR risks in Missing Authentication with Adonisjs, and apply concrete Adonisjs-specific fixes with code exampleMissing Authentication in Adonisjs with DynamodbLearn how missing authentication in AdonisJS with DynamoDB creates BOLA risks and how to remediate with concrete code exMissing Authentication in Adonisjs with CockroachdbmiddleBrick scans AdonisJS APIs with CockroachDB for missing authentication, providing severity-ranked findings and reme