
Fix Insufficient Logging & Monitoring in AdonisJS

Insufficient logging is a gift to an adversary. If you aren't logging auth failures, privilege escalations, and input validation bypasses with context, you're flying blind while your infra burns. In AdonisJS, relying on console.log or swallowing exceptions is a critical failure. To stop being a ghost in your own machine, you need structured, persistent telemetry that feeds into a SIEM for real-time alerting.

The Vulnerable Pattern

// app/Controllers/Http/AuthController.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class AuthController {
  public async login({ request, auth, response }: HttpContextContract) {
    const { email, password } = request.all()
    try {
      await auth.use('web').attempt(email, password)
      return response.redirect('/dashboard')
    } catch (error) {
      // VULNERABILITY: Silent failure or generic console.log provides no audit trail
      // Attackers can brute-force or credential stuff without detection
      return response.badRequest('Invalid credentials')
    }
  }
}

The Secure Implementation

The secure implementation leverages the AdonisJS Logger provider to generate structured JSON logs. By capturing the actor (email), source (IP), and event outcome (success/failure), we create an immutable audit trail. This allows security teams to monitor for 'M of N' failures (e.g., 100 failed logins in 1 minute), which is the primary indicator of a brute-force attack. Ensure your 'config/logger.ts' is configured to stream these logs to a centralized collector like ELK, Datadog, or CloudWatch rather than just local files that can be wiped by an intruder.

// app/Controllers/Http/AuthController.ts
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import Logger from '@ioc:Adonis/Core/Logger'

export default class AuthController {
  public async login({ request, auth, response }: HttpContextContract) {
    const { email } = request.all()
    const metadata = {
      ip: request.ip(),
      userAgent: request.header('user-agent'),
      event: 'authentication',
    }

    try {
      await auth.use('web').attempt(email, request.input('password'))
      // The merging object is passed first so the pino-based Logger emits its fields in the JSON line
      Logger.info({ ...metadata, email, status: 'success' }, 'Successful login')
      return response.redirect('/dashboard')
    } catch (error) {
      // SECURE: Structured logging with context for SIEM ingestion
      Logger.warn(
        { ...metadata, email, status: 'failure', reason: error.code || 'E_INVALID_AUTH_PASSWORD' },
        'Failed login attempt'
      )
      return response.badRequest('Invalid credentials')
    }
  }
}
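The 'M of N' rule the text mentions, as an added example that is not part of the original page: a sliding-window detector that parses the structured JSON lines the controller above emits and flags any source IP with at least M failures inside an N-millisecond window. The field names (event, status, ip, email) follow the controller's metadata; the epoch-millisecond `time` field and the sample log lines are constructed assumptions.

```typescript
// Added example, not GuardAPI's code: a sliding-window "M of N" detector over the
// JSON lines the controller above emits. Field names (event, status, ip, email)
// match the controller's metadata; `time` as epoch ms is assumed (pino's default).
interface AuthEvent { time: number; status: 'success' | 'failure'; ip: string; email?: string }

// Parse one JSON log line; return null for non-auth or malformed lines so a bad
// line (the user-agent field is attacker-controlled) never crashes the pipeline.
function parseAuthLine(line: string): AuthEvent | null {
  try {
    const o = JSON.parse(line)
    if (o.event !== 'authentication' || typeof o.ip !== 'string') return null
    if (o.status !== 'success' && o.status !== 'failure') return null
    if (typeof o.time !== 'number') return null
    return { time: o.time, status: o.status, ip: o.ip, email: o.email }
  } catch {
    return null
  }
}

// Source IPs with at least `threshold` failures inside any `windowMs` window.
function detectBruteForce(lines: string[], threshold: number, windowMs: number): string[] {
  const failuresByIp = new Map<string, number[]>()
  for (const line of lines) {
    const ev = parseAuthLine(line)
    if (ev && ev.status === 'failure') {
      failuresByIp.set(ev.ip, [...(failuresByIp.get(ev.ip) ?? []), ev.time])
    }
  }
  const flagged: string[] = []
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b)
    let start = 0
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++ // drop events older than the window
      if (end - start + 1 >= threshold) { flagged.push(ip); break }
    }
  }
  return flagged
}
// Constructed sample: 10.0.0.5 fails 5 times in 30 s, 10.0.0.9 fails once every 2 min.
const t0 = 1_700_000_000_000
const mk = (s: number, ip: string, status: string) =>
  JSON.stringify({ time: t0 + s * 1000, event: 'authentication', status, ip, email: 'admin@example.com' })
const SAMPLE_LINES = [
  ...[0, 5, 10, 20, 30].map(s => mk(s, '10.0.0.5', 'failure')),
  ...[0, 120, 240].map(s => mk(s, '10.0.0.9', 'failure')),
  mk(40, '10.0.0.5', 'success'),
  'not json at all',
]
```

Running `detectBruteForce(SAMPLE_LINES, 5, 60_000)` flags only 10.0.0.5; the slow attacker at 10.0.0.9 only trips a rule with a longer window, which is why the window length is as important as the threshold.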
