Token Replay in Adonisjs

Token replay attacks occur when an authentication token, such as a JWT or session cookie, is accepted by the server for multiple requests without expiration or revocation. In Adonisjs, this typically manifests through stateless JWT usage where the same token can be reused across different user sessions if not properly bound to contextual attributes. Adonisjs applications often rely on the @adonisjs/auth package or custom implementations of JWT verification that lack strict binding to request context. When the verification logic only checks token validity and not usage patterns, an attacker can capture a valid token from one session and replay it to impersonate the original user in another session.

Common attack vectors include using JWTs without nonce or binding to IP address, user agent, or request headers. If the Adonisjs controller does not validate these attributes, the token remains valid and reusable. Additionally, session-based authentication in Adonisjs may be misconfigured to allow multiple concurrent sessions per user without invalidating previous tokens. This can allow an attacker to steal a token from one session and replay it in another, bypassing authentication checks. The risk is heightened when tokens are long-lived, lack rotation policies, or are stored in insecure locations such as local storage.

Token replay can also occur at the application layer when APIs accept tokens in Authorization headers without validating their freshness or usage context. If the backend does not track token usage or enforce single-session semantics, replay becomes trivial. For example, an API endpoint that processes a token without checking recent usage or device fingerprints is vulnerable. This is especially dangerous in APIs serving financial transactions, user profile updates, or administrative actions where a single replayed token can yield high-value impact.

To detect token replay vulnerabilities in Adonisjs APIs, administrators should look for specific code patterns and runtime behaviors. Improper token validation often shows up in controller logic where JWTs are verified using a static secret key without additional context checks. For example, a controller that uses Auth.verifyJwt without checking request headers or user agent is suspicious. Another red flag is when session tokens are not invalidated upon logout or when refresh tokens are not rotated. Additionally, logs showing repeated successful authentications from the same token across different endpoints or user IDs indicate potential replay activity.

Automated scanning with middleBrick can help identify these issues by analyzing API endpoints for insecure authentication patterns. middleBrick performs black-box scanning of unauthenticated Adonisjs endpoints and checks for missing token binding mechanisms. It evaluates whether tokens are tied to IP addresses, user agents, or session identifiers. When middleBrick detects a JWT endpoint that accepts tokens without contextual validation, it flags the endpoint as high risk for token replay and provides actionable findings.

Using the CLI tool, developers can run middlebrick scan http://api.example.com/auth/me to test a protected endpoint. The scan will return a security score and highlight if token reuse is feasible. In the dashboard, teams can track risk scores over time and receive alerts when new replay vulnerabilities are detected. This proactive approach helps teams remediate issues before exploitation.

Remediation of token replay vulnerabilities in Adonisjs requires binding tokens to contextual attributes and enforcing single-session semantics. One effective method is to bind JWTs to the user's IP address or user agent using middleware that validates these attributes on each request. For example, in Adonisjs, you can extend the JWT verification logic to include a nonce or a hash of the request context. Here is a code example using a custom middleware:

const { HttpContext } = use('HttpContext')

class ReplayProtectionMiddleware {
  async handle ({ request, auth }, next) {
    const token = request.headers().get('Authorization')
    if (!token) return next()

    const payload = auth.verifyJwt(token)
    const ipHash = crypto.createHash('sha256').update(request.ip()).digest('hex')
    const userAgentHash = crypto.createHash('sha256').update(request.header('User-Agent')).digest('hex')

    if (payload.context_ip !== ipHash || payload.context_ua !== userAgentHash) {
      return response.unauthorized({ error: 'Token context mismatch' })
    }
    return next()
  }
}

Additionally, Adonisjs supports session management through the @adonisjs/session package. Developers should ensure that each user can only have one active session at a time. When a new login occurs, all previous sessions should be invalidated. This can be implemented in the authentication controller:

const User = use('App/Models/User')

class AuthController {
  async login ({ request, auth }, response) {
    const { email, password } = request.all()
    const user = await User.verifyCredentials(email, password)
    if (!user) return response.unauthorized()

    const token = auth.generateTokenForUser(user)
    await User.query().where('id', user.id).update({ current_token_id: token.id })

    // Revoke previous tokens
    await User.query().where('current_token_id', null).orWhere('current_token_id', '')
    .update({ current_token_id: null })

    return response.ok({ token })
  }
}

These practices ensure that tokens are not reusable across different contexts or sessions, significantly reducing the risk of token replay attacks in Adonisjs APIs.