Security Misconfiguration in Feathersjs with Api Keys

FeathersJS is a framework for real-time JavaScript applications that commonly exposes REST and WebSocket endpoints. When API keys are used for authorization but not implemented with strict validation and scope enforcement, the resulting misconfiguration can allow unauthorized access to protected resources. This typically occurs when key verification is applied inconsistently across services or when keys are accepted from untrusted sources without proper checks.

For example, if a FeathersJS service does not validate the presence and correctness of an API key before querying data, an attacker can craft requests with arbitrary or missing keys and still receive responses. This can expose sensitive data or enable actions that should be restricted to particular clients or services. A common pattern is to read the key from headers or query parameters and pass it directly to business logic without verifying ownership or intended permissions.

Another misconfiguration arises when API keys are accepted in multiple locations, such as headers, cookies, and query parameters, without a consistent enforcement strategy. If one channel lacks validation, an attacker can use that weaker path to bypass intended restrictions. Additionally, failing to associate keys with specific scopes or roles can permit privilege escalation, where a key intended for read-only operations is used to modify data.

FeathersJS hooks and middleware can inadvertently propagate keys without appropriate checks, especially when services are composed. If a key is trusted after initial validation but reused across multiple service calls without re-verification, an attacker who obtains a key may leverage it beyond its intended lifecycle or scope. These issues are amplified when services share a common key store or configuration without clearly defined boundaries.

Insecure transmission or storage of keys also contributes to misconfiguration. If keys are logged, exposed in error messages, or transmitted over unencrypted channels, they can be intercepted and reused. Without proper key rotation and revocation mechanisms, compromised keys remain valid, enabling persistent unauthorized access.

Remediation focuses on strict validation, scoped permissions, and consistent enforcement across all entry points. Always verify API keys before processing requests and ensure they are tied to defined scopes and roles.

// src/hooks/validate-api-key.js
module.exports = function validateApiKey(options = {}) {
  return async context => {
    const { headers, query } = context.params;
    const providedKey = headers['x-api-key'] || query.api_key;

    if (!providedKey) {
      throw new Error('Unauthorized: API key missing');
    }

    // Example: lookup key against a trusted store (e.g., database or config)
    const validKeys = process.env.VALID_API_KEYS ? process.env.VALID_API_KEYS.split(',') : [];
    if (!validKeys.includes(providedKey)) {
      throw new Error('Forbidden: Invalid API key');
    }

    // Attach metadata for downstream use
    context.params.apiKey = providedKey;
    context.params.scopes = getScopesForKey(providedKey);
    return context;
  };
};

function getScopesForKey(key) {
  const mapping = {
    'key-read-only': ['read:data'],
    'key-full-access': ['read:data', 'write:data', 'manage:users']
  };
  return mapping[key] || [];
}

Apply the hook globally or per-service to enforce key checks on every request:

// src/app.js
const feathers = require('@feathersjs/feathers');
const validateApiKey = require('./hooks/validate-api-key');

const app = feathers();

// Global hook to validate API keys for all services
app.hooks({
  before: {
    all: [validateApiKey()]
  }
});

// Example service with scope-aware behavior
app.use('/data', {
  async find(params) {
    const { scopes } = params;
    if (!scopes.includes('read:data')) {
      throw new Error('Insufficient scope');
    }
    return [{ id: 1, secret: 'restricted' }];
  }
});

For services that require different key policies, define service-specific hooks to enforce distinct validation logic and scope requirements. Avoid accepting keys via multiple channels; standardize on headers and reject keys from cookies or query parameters unless explicitly required and secured.

Rotate keys periodically and implement revocation by maintaining a denylist or versioned key identifiers. Combine API key validation with rate limiting to reduce the impact of compromised keys. Ensure errors do not leak key material or stack traces that could aid an attacker.

middleBrick can detect security misconfigurations around API key usage in FeathersJS applications during unauthenticated scans. By submitting your endpoint to the middleBrick Web Dashboard or using the CLI tool (middlebrick scan <url>), you can identify missing key validation, inconsistent enforcement, and scope-related issues. The scanner checks whether API key–protected endpoints behave correctly when keys are omitted or invalid, and it surfaces findings mapped to frameworks such as OWASP API Top 10.

For continuous assurance, the Pro plan includes continuous monitoring and configurable scans, while the GitHub Action can fail builds if risk scores degrade. Use the MCP Server to run scans directly from your AI coding assistant during development.