Missing Authentication in Feathersjs with Basic Auth
Missing Authentication in Feathersjs with Basic Auth — how this specific combination creates or exposes the vulnerability
FeathersJS is a framework for real-time web applications and REST APIs. When Basic Auth is used for authentication, the framework expects credentials to be validated on each request. Missing or incomplete authentication enforcement in FeathersJS services means endpoints are accessible without any credentials. A scan performed by middleBrick tests the unauthenticated attack surface and flags this as a Missing Authentication finding.
Basic Auth transmits credentials in an Authorization header as base64-encoded, easily decoded text. If a FeathersJS service does not verify the presence and correctness of that header, an unauthenticated attacker can directly call the service. middleBrick’s Authentication check specifically tests whether endpoints return data without valid credentials. This can expose sensitive data or allow unauthorized actions, which would be reflected in the security risk score and detailed findings returned by the scanner.
In FeathersJS, services are typically defined in files under src/services. If a service does not define an authentication strategy or if the hook that enforces authentication is omitted or misconfigured, the route remains open. For example, a service that lacks an authentication setting or a hook that checks for a valid token will accept requests regardless of credentials. middleBrick’s OpenAPI/Swagger analysis can detect missing security schemes or scopes in the spec, while runtime checks verify whether those definitions are enforced, highlighting discrepancies between declared and actual security posture.
An unauthenticated FeathersJS endpoint may return sensitive information such as user lists, internal identifiers, or configuration details. When combined with other issues like BOLA/IDOR, Missing Authentication can significantly increase impact. middleBrick’s 12 parallel security checks evaluate this risk in combination with other vectors, ensuring findings are contextual and prioritized by severity.
Real-world attack patterns include simple curl calls or browser-based requests to endpoints like /users or /messages. Because Basic Auth credentials are easily extracted from requests, missing enforcement effectively removes a critical layer of protection. middleBrick reports these findings with remediation guidance, helping teams understand exactly where authentication enforcement is missing or incomplete.
Basic Auth-Specific Remediation in Feathersjs — concrete code fixes
To secure a FeathersJS service with Basic Auth, you must configure authentication at the application or service level and ensure every relevant hook validates credentials. Below is a minimal, working example that demonstrates proper setup using the @feathersjs/authentication and @feathersjs/authentication-local packages.
const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const authentication = require('@feathersjs/authentication');
const local = require('@feathersjs/authentication-local');
const app = express(feathers());
app.configure(authentication({
secret: 'your-super-secret',
path: '/authentication',
service: 'users',
entity: 'user',
paginate: {
default: 10,
max: 50
}
}));
app.use('/authentication', local());
app.use('/messages', {
async find(params) {
// This will be protected by the authentication hook below
return [{ text: 'Hello, authenticated user' }];
}
});
// Enforce authentication on the messages service
app.service('messages').hooks({
before: {
all: [ authentication.hooks.authenticate('jwt') ],
find: []
},
after: {},
error: {},
always: {}
});
In this example, the call to authentication.hooks.authenticate('jwt') ensures that requests to /messages include a valid JWT. However, when using Basic Auth, you should authenticate with the 'local' strategy instead of 'jwt'. The following snippet shows how to enforce Basic Auth specifically:
app.service('messages').hooks({
before: {
all: [ authentication.hooks.authenticate('local') ],
find: []
},
after: {},
error: {},
always: {}
});
Additionally, ensure that the authentication configuration includes the correct entity and that the users service implements the necessary hooks to validate username and password. If you only want to enforce authentication on certain methods, adjust the hook targets accordingly, for example:
app.service('messages').hooks({
before: {
find: [ authentication.hooks.authenticate('local') ],
create: [] // public creation allowed if needed
},
after: {},
error: {},
always: {}
});
When using Basic Auth, credentials are passed in the Authorization header as Basic base64(username:password). FeathersJS with the local strategy will verify those credentials against your user store. If credentials are missing or invalid, the service should return a 401 response. middleBrick’s Authentication check validates that such responses are returned for unauthenticated requests, confirming that enforcement is correctly configured.
For services that should remain public, do not add the authentication hook. For services that require strict access control, always include the hook and ensure the authentication configuration is applied at the app level. middleBrick’s dashboard and CLI allow you to rescan after changes to confirm that the risk score improves and that findings related to Missing Authentication are cleared.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |