Type Confusion in Feathersjs with Basic Auth

Type confusion in FeathersJS when Basic Auth is used arises when the framework or application code treats a value of one type as another, often because the authentication layer passes user-controlled data into service logic without strict type checks. For example, a user ID coming from Basic Auth credentials might be used both as a string identifier and later interpreted as an object or numeric index. FeathersJS services commonly receive the authenticated user object via hooks, and if a hook assumes a property is a string or number but receives a different type, it can lead to incorrect authorization checks or unsafe data access.

Consider a hook that extracts userId from params.account (populated by Basic Auth) and uses it to build a query filter. If userId is unexpectedly an object or an array due to malformed input, a direct equality check like user.id === userId can produce unpredictable results because JavaScript’s equality performs type coercion, potentially allowing a different user’s ID to match incorrectly. This can lead to BOLA/IDOR where one user accesses another’s resources because the type confusion bypasses intended access controls.

When combined with Basic Auth, the risk is introduced at the point where credentials are parsed and transformed into the authenticated user object. If the parsing logic does not enforce strict types—for example, accepting numeric IDs as strings and later using them in object contexts without conversion—an attacker can manipulate the credentials (e.g., by sending crafted headers or exploiting a proxy that alters the Authorization header) to cause type confusion downstream. OpenAPI/Swagger spec analysis can highlight mismatches between the declared parameter types and runtime usage, but only runtime behavior will expose whether type confusion leads to unauthorized data access.

Real-world patterns include using the authenticated user payload in a before hook to filter results. If the hook does not validate that params.query.userId is a string or number, and instead passes it directly into a find query, the service might return records belonging to other users. This aligns with OWASP API Top 10:2023 Broken Object Level Authorization, where insufficient filtering enables horizontal privilege escalation. The vulnerability is not in Basic Auth itself, but in how FeathersJS application code handles the authenticated identity when types are not rigorously enforced.

To detect such issues, middleBrick runs 12 security checks in parallel, including Authentication, BOLA/IDOR, and Input Validation, scanning unauthenticated endpoints and analyzing OpenAPI specs with full $ref resolution. It cross-references spec definitions with runtime findings to highlight mismatches between declared types and observed behavior, helping identify where type confusion may exist in FeathersJS services using Basic Auth.

Remediation focuses on strict type validation and defensive handling of authenticated user data in FeathersJS hooks. Always validate and sanitize values extracted from Basic Auth before using them in queries or comparisons. Below are concrete code examples showing secure patterns.

Example 1: Strict type checking in a before hook

const { iff, isProvider, preventChanges } = require('feathers-hooks-common');

function ensureUserIdType() {
  return (context) => {
    const { user } = context.params.auth || {};
    if (user && user.id !== undefined) {
      const id = Number(user.id);
      if (!Number.isInteger(id) || id <= 0) {
        throw new Error('Invalid user ID type');
      }
      // Use the validated numeric ID in queries
      context.params.query = context.params.query || {};
      context.params.query.userId = id;
    }
    return context;
  };
}

module.exports = {
  before: {
    all: [iff(isProvider('external'), preventChanges(['id'])), ensureUserIdType()]
  }
};

This hook ensures that user.id is explicitly converted to a number and validated before being used, preventing type confusion with strings or objects.

Example 2: Safe query construction with type guards

app.service('messages').hooks({
  before: {
    find: [context => {
      const { userId } = context.params.query;
      if (userId !== undefined) {
        const parsed = parseInt(userId, 10);
        if (!Number.isNaN(parsed)) {
          context.params.query.userId = parsed;
        } else {
          throw new Error('userId must be a valid integer');
        }
      }
      return context;
    }]
  }
});

Here, the incoming userId is parsed and validated before the service executes, ensuring the query filter uses a consistent type and avoids coercion issues.

Example 3: FeathersJS authentication with Basic Auth and typed user object

const authentication = new Authentication();
app.configure(authentication);

app.use('/users', new UserService({}));

// Basic Auth hook that normalizes user identity to known types
app.service('authentication').hooks({
  before: {
    create: [authentication.hooks.authenticate(['local'])],
    after: [context => {
      const { user } = context.result;
      if (user && user.id !== undefined) {
        context.result.user.id = Number(user.id);
      }
      return context;
    }]
  }
});

This configuration ensures that after authentication, the user ID is normalized to a number, reducing the chance of type confusion in downstream hooks and services.

middleBrick’s CLI can be used to scan endpoints and validate these patterns. Run middlebrick scan <url> from terminal to get a report that includes checks for Authentication and Input Validation. The Pro plan adds continuous monitoring and GitHub Action integration to fail builds if risk scores drop, while the MCP Server lets you scan APIs directly from your AI coding assistant to catch type handling issues early.