Replay Attack in Chi with Cockroachdb

A replay attack in the context of a Chi web service backed by Cockroachdb involves an attacker capturing a valid HTTP request—typically one that is authenticated or carries an idempotent business action—and re-sending it later to produce an unintended effect. Because Chi is a routing library for Clojure, the risk is not in the database protocol itself but in how endpoints are modeled and how session or token handling interacts with Cockroachdb-stored data. Cockroachdb, as a distributed SQL database, does not inherently prevent replay; it faithfully applies transactions and serializable isolation, so any uniqueness guard (such as a request identifier or a version column) must be enforced at the application level.

Consider a payment or state-changing endpoint implemented with Chi, where a client first obtains a short-lived JWT and then submits a POST to /api/transfer. If the server does not enforce exactly-ono semantics—such as by checking a client-supplied idempotency key against a Cockroachdb table before committing—the same request can be replayed with the same key or a manipulated payload. An attacker who observes a legitimate request (e.g., via a compromised network segment or log exposure) can replay it to transfer funds again, create duplicate orders, or elevate permissions. The vulnerability is not caused by Cockroachdb but by missing checks in Chi handlers that would detect duplicate identifiers or non-idempotent operations.

Another vector arises from unsafe use of timestamps or nonces. If a Chi route uses a timestamp as part of a request signature without ensuring monotonicity or freshness in Cockroachdb, an attacker can reuse a recent signed request within the validity window. Cockroachdb’s serializable isolation helps avoid lost-update anomalies, but it does not stop a replay unless the application writes a uniqueness constraint (such as a unique row in an idempotency table) and checks it transactionally before performing side effects. Without this, the database will apply the same write multiple times if the application logic allows it.

In secure design, idempotency keys should be stored in a dedicated table in Cockroachdb with a uniqueness constraint, and each Chi handler should run a transaction that checks for the key’s existence before proceeding. This shifts the burden from infrastructure to the application layer, because Cockroachdb will enforce uniqueness but will not decide when to skip or reject a request. The combination of Chi’s flexible routing and Cockroachdb’s strong consistency makes it easy to build correct behavior when the patterns are followed, but omitting explicit checks exposes the service to replay.

To mitigate replay in Chi with Cockroachdb, implement idempotency checks within a serializable transaction. Define a table that stores idempotency keys with a uniqueness constraint, and ensure each state-changing route runs a transaction that conditionally inserts the key before executing the business logic.

(ns myapp.handlers
  (:require [cheshire.core :as json]
            [next.jdbc :as jdbc]
            [clojure.java.jdbc :as jdbc]))

(defn insert-idempotency-key! [db {:keys [key user-id created-at] :as payload}]
  (jdbc/with-transaction [t-conn db]
    (try
      ;; This will fail with a unique violation if the key already exists
      (jdbc/execute! t-conn ["INSERT INTO idempotency_keys (idempotency_key, user_id, created_at) VALUES ($1, $2, $3)" key user-id created-at])
      ;; Only proceed if the insert succeeded
      (jdbc/execute! t-conn ["UPDATE accounts SET balance = balance + $1 WHERE user_id = $2" (:amount payload) user-id])
      {:status 200 :body (json/generate-string {:message "success"})}
      (catch Exception e
        (if (= (:class (ex-data e)) :org.postgresql.util.PSQLException)
          {:status 409 :body (json/generate-string {:error "Duplicate idempotency key"})}
          (throw e))))))

;; Chi route using the handler
(declare app)
(def app
  (middleware/wrap-defaults
    (fn [request]
      (let [client-key (get-in request [:headers "Idempotency-Key"])
            user-id (:user-id request) ;; assume authenticated earlier
            amount (:amount (:params request))]
        (when (and client-key user-id amount)
          (insert-idempotency-key! db {:idempotency_key client-key :user-id user-id :created-at (java.time.Instant/now) :amount amount}))))
    middleware/wrap-defaults))

The above pattern ensures that for a given idempotency key, only one transaction succeeds in Cockroachdb; concurrent or replayed requests receive a 409 Conflict. The table schema should include a uniqueness constraint on idempotency_key and a TTL or cleanup policy to avoid unbounded growth.

For endpoints that cannot rely on client-provided keys, use server-side nonces stored in Cockroachdb with a uniqueness constraint and a short validity window. The Chi handler should first validate the nonce within the same transaction that performs the write, rejecting duplicates immediately. This approach aligns with best practices around OWASP API Top 10:2023 (2023-A05 Security Misconfiguration and A07:2023 Identification and Authentication Failures) by enforcing strict uniqueness and checking before state changes.

Additionally, ensure that tokens or signatures are validated for freshness (e.g., "iat" and "exp" claims in JWTs) and that replay windows are bounded. While Cockroachdb provides strong consistency, the application must still enforce these rules; middleBrick scans can help identify missing idempotency controls in your API surface by correlating spec definitions with runtime behavior.