Phishing Api Keys in Adonisjs with Mutual Tls

Mutual TLS (mTLS) in AdonisJS ensures that both the client and the server present certificates during the TLS handshake, which strongly authenticates the client. However, this setup does not automatically protect API keys used for application-level authorization. Developers may mistakenly treat mTLS as sufficient authentication and embed API keys in requests or store them in locations that are inadvertently exposed.

One common phishing scenario involves an attacker constructing a malicious endpoint that accepts mTLS connections but does not properly validate client certificates. If an AdonisJS application retrieves an API key from a configuration file or environment variable and forwards it to such an endpoint, the key can be phished even when mTLS is in use. For example, a compromised service or a malicious proxy that terminates mTLS and forwards traffic to an untrusted backend can capture the key during processing.

Another risk arises from log files and error messages. AdonisJS applications that log outgoing request details might inadvertently record API keys if developers do not sanitize headers and payloads. An attacker with access to logs or error reporting systems can harvest these keys. Additionally, if an AdonisJS application uses API keys in query parameters or URL paths, these keys can be leaked via browser history, server logs, or referrer headers when the application makes requests to external services over mTLS.

SSRF (Server-Side Request Forgery) further compounds the risk. An attacker might trick an AdonisJS server configured with mTLS into making requests to internal services, where API keys are often stored or used. Even with client certificate verification, if the application does not enforce strict endpoint allowlists, the keys can be exfiltrated through the compromised internal call path.

To detect these issues, middleBrick scans the unauthenticated attack surface of an AdonisJS endpoint using 12 security checks, including Authentication, Input Validation, Data Exposure, and SSRF. The scan cross-references OpenAPI/Swagger specifications with runtime behavior, identifying places where API keys might be mishandled despite mTLS. For example, if an endpoint accepts requests without requiring client certificate validation on the server side, or if API keys appear in query strings or logs, middleBrick flags these as high-severity findings with remediation guidance.

By combining mTLS with strict input validation, secure handling of secrets, and avoidance of logging sensitive data, AdonisJS developers can reduce the risk of API key phishing. middleBrick’s LLM/AI Security checks add another layer by testing for prompt injection and system prompt leakage, ensuring that AI integrations do not expose keys through generated output.

Remediation focuses on enforcing strict certificate validation and secure handling of API keys within the AdonisJS application. Below are concrete code examples demonstrating how to configure mTLS in AdonisJS using the built-in HTTP client and server-side request handling.

1. Configure the HTTP client to present a client certificate

When your AdonisJS application makes outbound mTLS requests, explicitly provide the client certificate and key. This prevents fallback to unauthenticated connections and ensures the server can verify your client identity.

import { Http } from '@adonisjs/core/providers/http'

export default class AppProvider {
  public async register() {
    const http = new Http()
    http.client.config.httpsAgentOptions = {
      cert: '/path/to/client-cert.pem',
      key: '/path/to/client-key.pem',
      ca: '/path/to/ca-bundle.pem',
    }
    // Use http client for secure calls
    const response = await http.get('https://api.external.com/endpoint')
  }
}

2. Enforce client certificate validation on incoming requests (if you act as a server)

If your AdonisJS application receives mTLS requests, configure the HTTPS server to require and verify client certificates. This ensures only authorized clients can connect.

import { HttpServer } from '@adonisjs/core/providers/http'

export default class AppProvider {
  public async configureServer(server: HttpServer) {
    server.ssl = {
      cert: '/path/to/server-cert.pem',
      key: '/path/to/server-key.pem',
      ca: '/path/to/ca-bundle.pem',
      requestCert: true,
      rejectUnauthorized: true,
    }
  }
}

3. Avoid logging or exposing API keys

Ensure API keys are not included in logs, error messages, or URLs. Use environment variables and secure secret management, and sanitize any outgoing data.

import { Env } from '@adonisjs/core'

const apiKey = Env.get('EXTERNAL_API_KEY')
// Never log apiKey
// Instead, pass it securely in headers
await http.get('https://api.external.com/data', {
  headers: { Authorization: `Bearer ${apiKey}` },
})

4. Validate and restrict outbound endpoints

Implement strict allowlists for outbound requests to prevent SSRF and ensure API keys are only sent to trusted services.

import { Http } from '@adonisjs/core/providers/http'

const ALLOWED_HOSTS = ['api.trusted.com', 'api.anothertrusted.com']

export async function callTrustedApi(path: string) {
  const url = new URL(path, 'https://api.trusted.com')
  if (!ALLOWED_HOSTS.includes(url.hostname)) {
    throw new Error('Request to unauthorized host')
  }
  const http = new Http()
  const response = await http.get(url.toString(), {
    headers: { Authorization: `Bearer ${process.env.EXTERNAL_API_KEY}` },
  })
  return response.json()
}

5. Use middleBrick to validate your configuration

Run a middleBrick scan against your AdonisJS endpoints to verify that mTLS is correctly configured and that API keys are not exposed in logs, query parameters, or error responses. The scan will highlight issues in Authentication, Input Validation, Data Exposure, and SSRF, providing prioritized findings and remediation guidance.

middleBrick’s CLI allows you to integrate scans into scripts or CI/CD pipelines, ensuring continuous verification of your mTLS and API key handling practices.