Missing Tls in Adonisjs with Basic Auth
Missing Tls in Adonisjs with Basic Auth — how this specific combination creates or exposes the vulnerability
Transport Layer Security (TLS) is a baseline network security control that protects data in transit. When an AdonisJS application uses HTTP Basic Authentication over unencrypted HTTP, credentials are sent as a base64-encoded string in the Authorization header. Base64 is not encryption; it is easily reversible. Without TLS, any intermediary between the client and server can observe and decode these credentials, leading to clear‑text exposure of usernames and passwords.
The combination of Basic Auth and missing TLS is especially risky in AdonisJS because the framework encourages clean, route‑level handler definitions where authentication logic is explicit. If TLS is omitted, the security checks performed by middleBrick—such as Encryption and Authentication—will flag the endpoint as high risk. middleBrick scans unauthenticated attack surfaces and, among its 12 parallel checks, it tests for missing encryption and for weak authentication schemes like Basic Auth over non‑TLS transports. A scan will detect the absence of TLS and surface the finding under the Encryption category, often mapping to relevant compliance references such as OWASP API Top 10 A02:2023 (Cryptographic Failures) and PCI‑DSS requirements for encrypted transmission of credentials.
Attack patterns enabled by this misconfiguration include credential sniffing on shared or compromised networks, session hijacking when tokens are derived from passwords, and lateral movement if the same credentials are reused across services. Because Basic Auth does not inherently provide replay protection, an adversary who captures the header can replay it to gain unauthorized access. middleBrick’s Authentication and Encryption checks are designed to surface these conditions, providing prioritized findings with severity ratings and remediation guidance rather than attempting to fix the runtime behavior.
Basic Auth-Specific Remediation in Adonisjs — concrete code fixes
To remediate the Missing TLS risk when using HTTP Basic Auth in AdonisJS, you should enforce HTTPS for all routes and avoid sending credentials over unencrypted channels. Below are concrete, syntactically correct code examples showing how to configure TLS in AdonisJS and how to implement Basic Auth securely over HTTPS.
1. Enforce HTTPS in AdonisJS
Ensure your server listens only on HTTPS by providing a valid certificate and key. In an AdonisJS start/server.ts (or the equivalent entry file), use the https module with the AdonisJS server configuration.
import { createServer } from 'node:https';
import { readFileSync } from 'node:fs';
import { Application } from '@adonisjs/core/app';
const app = new Application();
await app.boot();
const server = createServer({
key: readFileSync('path/to/private.key'),
cert: readFileSync('path/to/certificate.crt'),
}, app.callback());
server.listen(443, () => {
console.log('HTTPS server running on port 443');
});
2. Basic Auth over HTTPS with AdonisJS middleware
Implement a middleware that validates the Authorization header only when the request is secure. This example shows a straightforward Basic Auth check that runs after TLS termination.
import { Exception } from '@adonisjs/core/build/standalone';
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
export default class BasicAuthMiddleware {
public async handle({ request, response, auth }: HttpContextContract, next: () => Promise) {
// Ensure the connection is encrypted before validating credentials
if (!request.secure) {
throw new Exception('TLS is required for authenticated requests', 403, 'E_TLS_REQUIRED');
}
const credentials = request.auth?.credentials || null;
if (!credentials || credentials.username !== 'admin' || credentials.password !== 'S3cur3P@ss!') {
response.header('WWW-Authenticate', 'Basic realm="Secure Area"');
throw new Exception('Invalid credentials', 401, 'E_INVALID_CREDENTIALS');
}
await next();
}
}
3. Route registration with middleware
Apply the middleware to routes that require protection. This ensures that only requests over HTTPS with valid Basic Auth credentials are allowed to proceed.
import Route from '@ioc:Adonis/Core/Route';
import BasicAuthMiddleware from 'App/Middleware/BasicAuth';
Route.group(() => {
Route.get('/admin', async () => {
return { message: 'Authenticated over TLS with Basic Auth' };
}).middleware([BasicAuthMiddleware]);
}).prefix('api/v1');
4. Complementary checks with scanning tools
Tools like middleBrick can validate that your endpoints enforce TLS and that Basic Auth is not exposed over HTTP. Its Encryption and Authentication checks, run in parallel with 12 other security assessments, produce a risk score and prioritized findings. The CLI allows you to automate verification—run middlebrick scan <url> to confirm remediation—and the Web Dashboard helps you track improvements over time.
Related CWEs: encryption
| CWE ID | Name | Severity |
|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | HIGH |
| CWE-295 | Improper Certificate Validation | HIGH |
| CWE-326 | Inadequate Encryption Strength | HIGH |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | HIGH |
| CWE-328 | Use of Weak Hash | HIGH |
| CWE-330 | Use of Insufficiently Random Values | HIGH |
| CWE-338 | Use of Cryptographically Weak PRNG | MEDIUM |
| CWE-693 | Protection Mechanism Failure | MEDIUM |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation | HIGH |
| CWE-261 | Weak Encoding for Password | HIGH |