HIGH token leakagechibasic auth

Token Leakage in Chi with Basic Auth

Scan for token leakage in chi

Token Leakage in Chi with Basic Auth — how this specific combination creates or exposes the vulnerability

Token leakage in Chi when using HTTP Basic Authentication occurs when authentication credentials or session tokens are exposed in logs, error messages, URLs, or client-side storage. Chi is a lightweight HTTP framework for Elixir, and while it does not enforce authentication itself, developers commonly implement Basic Auth by manually parsing the Authorization header. When tokens or derived session identifiers are embedded in URLs or passed alongside Basic Auth credentials, they can be inadvertently logged or cached.

For example, if a Chi router forwards requests with query parameters that include tokens, and the development environment logs full request URIs, a misconfigured logger can expose both the Base64-encoded credentials and the token in plaintext log files. An attacker with access to logs can reuse these tokens to impersonate users or escalate privileges.

Insecure default configurations in some Chi-based APIs also contribute to leakage. If CORS headers are too permissive or if HTTPS is not enforced end-to-end, tokens transmitted alongside Basic Auth can be intercepted during transit. Even when TLS is used, poor secret management — such as storing tokens in application environment variables that are also logged — can lead to cross-channel exposure.

Another vector involves error handling. Chi allows developers to define custom error handlers; if these handlers include the connection assigns or request headers in error responses, tokens and credentials can be returned in HTTP responses that are captured by client-side debug tools or browser extensions.

The combination of Basic Auth and token-based sessions requires strict separation of concerns: credentials should be validated once and not persisted in logs or URLs, while tokens should be stored securely and never echoed in responses or error payloads. middleBrick scans detect these patterns by correlating authentication headers with token usage across the unauthenticated attack surface, highlighting endpoints where leakage is likely.

Basic Auth-Specific Remediation in Chi — concrete code fixes

To mitigate token leakage in Chi when using Basic Authentication, ensure credentials and tokens are never combined in logs, URLs, or error responses. Use middleware to strip sensitive headers before logging and avoid passing tokens as query parameters.

Secure Chi Router Example

The following example shows a Chi router that safely handles Basic Authentication without exposing tokens:

defmodule MyApp.Router do
  use Plug.Router

  # Middleware to remove sensitive headers from logs
  plug :remove_sensitive_headers

  plug :match
  plug :dispatch

  get "/api/secure" do
    case authenticate_basic(conn) do
      {:ok, _user} ->
        # Do not include auth headers or tokens in assigns
        send_resp(conn, 200, "Access granted")

      {:error, _reason} ->
        send_resp(conn, 401, "Unauthorized")
    end
  end

  defp authenticate_basic(conn) do
    with [auth_header] <- Plug.Conn.get_req_header(conn, "authorization"),
         {:ok, creds} <- parse_basic_auth(auth_header),
         {:authenticated, user} <- verify_credentials(creds) do
      # Store minimal user info, never store raw credentials or tokens here
      {:ok, user}
    else
      _ -> {:error, :invalid_auth}
    end
  end

  defp parse_basic_auth(auth_header) do
    # Decode "Basic base64(credentials)"
    case Base.decode64(auth_header |> String.replace("Basic ", "")) do
      {:ok, decoded} ->
        [user, pass] = String.split(decoded, ":", parts: 2)
        {:ok, {user, pass}}
      _ ->
        {:error, :invalid_format}
    end
  end

  defp verify_credentials({user, pass}) do
    # Validate credentials against a secure data store
    if MyApp.Auth.valid_user?(user, pass) do
      {:authenticated, user}
    else
      {:error, :invalid_user}
    end
  end

  # Remove sensitive headers before logging
  defp remove_sensitive_headers(conn, _opts) do
    Logger.configure(level: :info, compile_time_purge_level: :info)
    # Ensure no authorization or token headers are logged
    put_private(conn, :plug_logger_handled, true)
  end
end

Operational and Configuration Best Practices

  • Never log the full request URI if it includes tokens; configure Chi’s logger to exclude query strings or sensitive paths.
  • Use environment variables for credentials, but avoid printing them in debug output or crash dumps.
  • Enforce HTTPS via reverse proxy or TLS settings to prevent token interception in transit.
  • Apply the principle of least privilege: tokens issued after Basic Auth validation should have minimal scope and short lifetimes.

middleBrick’s OpenAPI/Swagger analysis can detect whether endpoints mix Basic Auth headers with token parameters in the spec, while runtime checks surface cases where tokens appear in logs or error responses. The scanner correlates findings across the 12 checks, including Authentication, Data Exposure, and Unsafe Consumption, to provide prioritized remediation guidance.

Scan for token leakage in chi Free API security scan

Frequently Asked Questions

Can Chi logs accidentally expose Basic Auth credentials even if I don't log request headers?
Yes. If your logging configuration includes the full request URI and query parameters, tokens or session identifiers passed as query args can be captured alongside credentials. Always sanitize logs and avoid logging the full request path when using Basic Auth.
Does using HTTPS fully prevent token leakage with Basic Auth in Chi?
HTTPS protects credentials in transit, but it does not prevent leakage from server-side logs, error messages, or misconfigured CORS policies. Combine transport security with secure coding practices and header stripping to reduce risk.

Related Pages

Token Leakage in ChiHow token leakage manifests in Chi APIs, detection methods, and Chi-specific remediation techniques to prevent authenticToken Leakage with Basic AuthLearn how Basic Auth credentials leak through logs, error responses, and client storage, plus specific detection methodsToken Leakage in Chi on GcpToken leakage in Chi on Gcp: causes and Gcp-specific fixes with code examples and remediation guidance.Token Leakage in Chi on KubernetesExplore token leakage in Chi on Kubernetes, understand causes, and apply concrete Kubernetes and Chi code fixes to reducToken Leakage in Chi on AwsDetect token leakage in Chi apps using AWS. Learn secure integration patterns, redaction, and compliance mappings.Token Leakage in Chi on FirebaseToken leakage in Chi with Firebase: causes, real code fixes, and how middleBrick detects risks without replacing secure Hipaa: Token Leakage in ChiExplore HIPAA considerations for token leakage in Chi APIs, with Chi-specific remediation code examples and how middleBrGdpr: Token Leakage in ChiExplore GDPR risks in token leakage with Chi APIs, including secure examples and remediation steps to prevent data exposIso 27001: Token Leakage in ChiChi template security: ISO 27001 controls to prevent token leakage, code examples showing redaction and safe logging.Cis: Token Leakage in ChiExplore how Cis configurations in Chi applications can lead to token leakage, and learn Chi-specific remediation techniqToken Leakage in Chi with DynamodbToken leakage in Chi with DynamoDB: causes, risks, and DynamoDB-specific fixes using projection expressions, attribute aToken Leakage in Chi with CockroachdbLearn how token leakage occurs in Chi with CockroachDB, and apply concrete code fixes to protect authentication tokens.