Open Redirect in Adonisjs with Basic Auth
Open Redirect in Adonisjs with Basic Auth — how this specific combination creates or exposes the vulnerability
An open redirect in Adonisjs when Basic Auth is used can arise when an authenticated handler redirects to a URL derived from user-controlled input without strict validation. Even with credentials verified, an attacker who can influence the redirect target may steer the client to a malicious site. This typically occurs when code reads a query parameter or header (e.g., redirect_to) and passes it directly to a redirect helper such as response.redirect or urlBuilder.redirect. Because Basic Auth protects the endpoint, developers may assume the request is trustworthy, inadvertently allowing an authenticated open redirect.
Consider an authenticated route that intends to send users to a dashboard. If the target is taken from the request without validating it against an allowlist or ensuring it is a relative path, an attacker with valid credentials can supply a full external URL (e.g., https://evil.example.com). The response will include a 302 with that URL in the Location header, and the browser will navigate away, potentially leaking session cookies or tokens if the attacker also manages authentication via phishing. This becomes a social vector: an email or link that appears to come from a trusted origin can trick users.
Adonisjs does not inherently treat Basic Auth as making redirects safe. The framework validates credentials, but if the application logic does not sanitize the destination, the authenticated route remains vulnerable. Attack patterns include phishing, session fixation via external domains, and abuse of referrer headers that may leak sensitive path information. The risk is compounded if the Basic Auth realm exposes administrative endpoints, because the redirect can appear within a privileged context.
Real-world indicators that an open redirect exists in this configuration include inconsistent handling of absolute versus relative URLs, missing validation on parameters named next, return, or redirect_to, and tests that show a 302 to an external host when a valid username and password are supplied. Because the authentication layer succeeds, standard unauthenticated scans may underestimate the exposure; the issue is only reachable after credentials are provided, making it an authenticated-path open redirect that still qualifies under the broader OWASP API Top 10 for broken access control when authorization checks are incomplete.
Basic Auth-Specific Remediation in Adonisjs — concrete code fixes
To remediate open redirects in Adonisjs with Basic Auth, enforce allowlisting or strict relative-path validation before issuing any redirect. Never trust parameters such as redirect_to, next, or return. Use Adonisjs built-in URL helpers and explicit logic to ensure the destination is safe.
Example of vulnerable code to avoid (the credential check is a placeholder, not an AdonisJS API):

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

// Placeholder for your own Basic Auth check, not an AdonisJS API
declare function verifyBasicAuth(username: string, password: string): Promise<boolean>

export default class AuthController {
  public async login({ request, response }: HttpContextContract) {
    const { username, password, redirect_to } = request.all()

    // Basic Auth verification omitted for brevity
    const credentialsValid = await verifyBasicAuth(username, password)

    if (credentialsValid) {
      // Vulnerable: redirect_to is raw user input and can be an external URL
      return response.redirect(redirect_to)
    }
  }
}
Secure alternative using a relative allowlist:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

// Placeholder for your own Basic Auth check, not an AdonisJS API
declare function verifyBasicAuth(username: string, password: string): Promise<boolean>

export default class AuthController {
  public async login({ request, response }: HttpContextContract) {
    const { username, password, redirect_to } = request.only(['username', 'password', 'redirect_to'])

    // Basic Auth verification omitted for brevity
    const credentialsValid = await verifyBasicAuth(username, password)

    if (credentialsValid) {
      // Allow only known safe paths; anything else falls back to the dashboard
      const allowed = new Set(['/dashboard', '/profile', '/settings'])
      const destination = allowed.has(redirect_to) ? redirect_to : '/dashboard'
      return response.redirect(destination)
    }
  }
}
Another robust pattern is to resolve the target against the request's own URL and confirm the result stays on the same origin, ensuring the target remains within your application:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

// Placeholder for your own Basic Auth check, not an AdonisJS API
declare function verifyBasicAuth(username: string, password: string): Promise<boolean>

export default class AuthController {
  public async login({ request, response }: HttpContextContract) {
    const { username, password, redirect_to } = request.only(['username', 'password', 'redirect_to'])

    // Basic Auth verification omitted for brevity
    const credentialsValid = await verifyBasicAuth(username, password)

    if (credentialsValid) {
      let destination = '/dashboard'
      if (typeof redirect_to === 'string') {
        // Accept only a path that starts with a single slash: this excludes
        // absolute URLs (which contain '://') and protocol-relative '//host' URLs
        const isRelative = redirect_to.startsWith('/') && !redirect_to.startsWith('//')
        const hasNoProtocol = redirect_to.indexOf('://') === -1
        if (isRelative && hasNoProtocol) {
          destination = redirect_to
        }
      }

      // Resolve against the full request URL (request.url() returns only the
      // path and is not a valid base for new URL) and confirm the origin is
      // unchanged: the URL parser treats '/\host' like '//host', which the
      // prefix checks above do not catch
      const base = new URL(request.completeUrl())
      const resolved = new URL(destination, base)
      const target =
        resolved.origin === base.origin ? resolved.toString() : new URL('/dashboard', base).toString()
      return response.redirect(target)
    }
  }
}
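The following is an added, self-contained TypeScript example, not code from the original page or from the AdonisJS project. It extracts the same-origin check behind the "resolve against the request URL" pattern into a standalone function that a controller could call before response.redirect, and runs it over constructed redirect_to values of the kinds a developer would submit when testing an authenticated open redirect (the FAQ below). The function name safeRedirectDestination, the sample URL app.example.com and the assumption that the caller passes the full request URL (request.completeUrl() in AdonisJS v5) are this example's own; the only dependency is the WHATWG URL parser built into Node.js, so the inputs are judged the way a browser will parse them rather than by string prefixes.

```typescript
// Added example, not AdonisJS code: same-origin redirect validation built on
// the WHATWG URL parser (global `URL` in Node.js 10+ and in browsers).

export const DEFAULT_DESTINATION = '/dashboard'

/**
 * Returns an absolute URL on the same origin as `requestUrl`, or the fallback
 * destination when `rawTarget` is missing, unparsable, or would leave that
 * origin. `requestUrl` is assumed to be the full URL of the current request
 * (in AdonisJS v5 that is `request.completeUrl()`).
 */
export function safeRedirectDestination(
  rawTarget: string | null | undefined,
  requestUrl: string,
  fallback: string = DEFAULT_DESTINATION
): string {
  const base = new URL(requestUrl)
  const safeFallback = new URL(fallback, base).toString()

  if (typeof rawTarget !== 'string' || rawTarget.length === 0) {
    return safeFallback
  }

  let candidate: URL
  try {
    // Resolving against the request URL turns '/settings' into an absolute URL
    // and normalises tricks such as '//evil' or '/\evil' (for http(s) the parser
    // treats a backslash as a slash) into their real, different origin.
    candidate = new URL(rawTarget, base)
  } catch {
    return safeFallback
  }

  // Require the exact same origin (scheme, host and port) and an http(s)
  // scheme. This rejects absolute external URLs, protocol-relative URLs,
  // backslash variants, lookalike hosts, user@host forms and 'javascript:'.
  if (candidate.origin !== base.origin) return safeFallback
  if (candidate.protocol !== 'http:' && candidate.protocol !== 'https:') return safeFallback

  return candidate.toString()
}

// Constructed sample request and redirect_to values (not real traffic).
export const SAMPLE_REQUEST_URL = 'https://app.example.com/login?redirect_to=x'
export const SAMPLE_TARGETS: string[] = [
  '/settings',                                  // in-app path: allowed
  '/settings?tab=security#top',                 // in-app with query/fragment: allowed
  'https://evil.example.com',                   // absolute external URL: rejected
  '//evil.example.com/phish',                   // protocol-relative: rejected
  '/\\evil.example.com',                        // backslash variant of //host: rejected
  'https://app.example.com.evil.example.com/',  // lookalike host: rejected
  'https://app.example.com@evil.example.com/',  // userinfo trick, real host is evil: rejected
  'http://app.example.com/admin',               // same host, different scheme: different origin, rejected
  'javascript:alert(1)',                        // non-http scheme: rejected
]

/** Maps each sample target to the destination the validator would redirect to. */
export function demo(): Record<string, string> {
  const out: Record<string, string> = {}
  for (const target of SAMPLE_TARGETS) {
    out[target] = safeRedirectDestination(target, SAMPLE_REQUEST_URL)
  }
  return out
}

for (const [target, destination] of Object.entries(demo())) {
  console.log(`${target.padEnd(44)} -> ${destination}`)
}
```

In a controller the call would be response.redirect(safeRedirectDestination(redirect_to, request.completeUrl())). Comparing URL.origin after parsing is preferable to checking string prefixes because the comparison happens on the same normalised form the browser will use; a prefix check that only rejects '//' misses the backslash and userinfo forms in the sample list.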
When using the CLI (middlebrick scan <url>) or the Web Dashboard, you can verify that authenticated endpoints with redirect parameters are tested for open redirect behavior. If you have continuous monitoring enabled via the Pro plan, such findings can be surfaced on a configurable schedule, and the GitHub Action can fail builds if a redirect validation issue is detected in CI/CD. The MCP Server in your AI coding assistant can also surface these patterns during development, helping you catch insecure redirects before they reach production.
OpenAPI/Swagger spec analysis and cross-referencing runtime findings
When an OpenAPI/Swagger spec (2.0, 3.0, or 3.1) is provided, middleBrick resolves full $ref chains and cross-references definitions with runtime observations. If a path includes a redirect response (e.g., 302) with a non-static location derived from parameters, the scanner can flag this as a potential open redirect during the unauthenticated or authenticated scan phases. Note that authentication steps such as Basic Auth must be supplied separately if required; the scanner reports the finding and maps it to relevant compliance frameworks like OWASP API Top 10 and SOC2. The dashboard and CLI JSON output include per-category breakdowns so you can prioritize remediation.
Frequently Asked Questions
Can an open redirect be present even when Basic Auth validates credentials?
How can I test for authenticated open redirects in Adonisjs during development?
redirect_to=https://evil.example.com) and inspect the Location header in the 302 response. Ensure your code only allows relative paths or a strict allowlist; avoid forwarding raw user input to redirects.