Fix Shadow API Exposure in AdonisJS
Shadow APIs in AdonisJS are the silent killers of your attack surface. They occur when developers rely on broad 'Route.resource' declarations without limiting methods, inadvertently exposing sensitive CRUD operations like 'destroy' or 'update' to the public. If it's in your code but not in your documentation, it's a Shadow API, and it's a goldmine for unauthorized data exfiltration or state manipulation.
The Vulnerable Pattern
/* start/routes.ts */
// Danger: Exposes all 7 RESTful actions (index, create, store, show, edit, update, destroy)
// Even if the controller only has 'index' and 'show' logic, the framework still registers the endpoints.
Route.resource('users', 'UsersController')
The Secure Implementation
To kill Shadow APIs in AdonisJS, you must abandon lazy routing. Use the '.only()' or '.except()' modifiers on resources to ensure the router doesn't register unintended paths. Always run 'node ace list:routes' in your CI/CD pipeline to audit the actual exposed surface area. Furthermore, ensure that any method not explicitly documented in your OpenAPI/Swagger spec is either disabled at the router level or protected by a Bouncer policy to prevent 'hidden' functionality from being exploited.
/* start/routes.ts */
import Route from '@ioc:Adonis/Core/Route'

Route.group(() => {
  // 1. Explicitly whitelist only the required public methods
  Route.resource('users', 'UsersController').only(['index', 'show'])

  // 2. Wrap sensitive shadow-prone methods in strict middleware
  Route.group(() => {
    Route.resource('users', 'UsersController')
      .only(['update', 'destroy'])
      // AdonisJS v5 resource middleware is an object keyed by action; '*' applies to every action
      // (older versions accepted a plain array here)
      .middleware({ '*': ['auth', 'acl:admin'] })
  }).prefix('admin')
}).prefix('/api/v1')
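The route listing the article tells you to run in CI is only useful if something compares it against what you have documented. The script below is an added example, not code from the article or from the AdonisJS project: it takes the JSON that `node ace list:routes --json` prints, normalises the route patterns to OpenAPI path templates, and flags every registered method that is absent from the spec, separating the ones that are at least behind an auth middleware from the ones that are reachable by anyone. The JSON shape (an object keyed by domain, each holding route records with `methods`, `pattern`, `handler` and `middleware`) is an assumption about the v5 output and should be checked against what your version prints; the `LIST_ROUTES_JSON` and `DOCUMENTED` values are constructed sample data.

```typescript
// Shadow-route audit for CI: diff the routes AdonisJS actually registered
// against the operations the OpenAPI document promises.
// Added example, not from the original article. The input shape mirrors
// what `node ace list:routes --json` is assumed to print in AdonisJS v5
// (object keyed by domain -> array of route records); verify for your version.

interface RouteRecord {
  methods: string[];
  pattern: string;
  handler: string;
  middleware: string[];
}

interface ShadowFinding {
  method: string;
  pattern: string;
  handler: string;
  // 'undocumented' = not in the spec but behind the auth middleware
  // 'undocumented-unprotected' = not in the spec and reachable without auth
  reason: 'undocumented' | 'undocumented-unprotected';
}

// Constructed sample of `node ace list:routes --json` output (shape assumed).
export const LIST_ROUTES_JSON = `{
  "root": [
    { "methods": ["GET", "HEAD"], "pattern": "/api/v1/users", "handler": "UsersController.index", "middleware": [] },
    { "methods": ["GET", "HEAD"], "pattern": "/api/v1/users/:id", "handler": "UsersController.show", "middleware": [] },
    { "methods": ["PUT", "PATCH"], "pattern": "/api/v1/users/:id", "handler": "UsersController.update", "middleware": [] },
    { "methods": ["DELETE"], "pattern": "/api/v1/users/:id", "handler": "UsersController.destroy", "middleware": [] },
    { "methods": ["PUT", "PATCH"], "pattern": "/api/v1/admin/users/:id", "handler": "UsersController.update", "middleware": ["auth", "acl:admin"] },
    { "methods": ["DELETE"], "pattern": "/api/v1/admin/users/:id", "handler": "UsersController.destroy", "middleware": ["auth", "acl:admin"] }
  ]
}`;

// Constructed stand-in for the paths/operations declared in the OpenAPI spec.
// Keys are OpenAPI path templates ({id}), values are the documented verbs.
export const DOCUMENTED: Record<string, string[]> = {
  '/api/v1/users': ['get'],
  '/api/v1/users/{id}': ['get'],
  '/api/v1/admin/users/{id}': ['delete'],
};

// AdonisJS writes params as :id (or :id? when optional); OpenAPI writes {id}.
export function toOpenApiPath(pattern: string): string {
  return pattern.replace(/:([A-Za-z0-9_]+)\??/g, '{$1}');
}

// Collapse the per-domain structure into one flat list of route records.
export function flattenRoutes(listRoutesJson: string): RouteRecord[] {
  const byDomain = JSON.parse(listRoutesJson) as Record<string, RouteRecord[]>;
  const routes: RouteRecord[] = [];
  for (const domain of Object.keys(byDomain)) {
    for (const route of byDomain[domain]) routes.push(route);
  }
  return routes;
}

// Every registered (method, path) pair must appear in the spec; anything else is a shadow route.
export function findShadowRoutes(
  routes: RouteRecord[],
  documented: Record<string, string[]>,
  authMiddleware: string = 'auth'
): ShadowFinding[] {
  const findings: ShadowFinding[] = [];
  for (const route of routes) {
    const path = toOpenApiPath(route.pattern);
    const allowed = (documented[path] || []).map((m) => m.toLowerCase());
    for (const method of route.methods) {
      if (method === 'HEAD') continue; // registered automatically alongside GET
      if (allowed.indexOf(method.toLowerCase()) !== -1) continue;
      const guarded = route.middleware.indexOf(authMiddleware) !== -1;
      findings.push({
        method,
        pattern: route.pattern,
        handler: route.handler,
        reason: guarded ? 'undocumented' : 'undocumented-unprotected',
      });
    }
  }
  return findings;
}

// CI gate: pass only when no undocumented route is reachable without auth.
export function ciGate(findings: ShadowFinding[]): boolean {
  return findings.filter((f) => f.reason === 'undocumented-unprotected').length === 0;
}

export function formatReport(findings: ShadowFinding[]): string {
  if (findings.length === 0) return 'No shadow routes found.';
  return findings
    .map((f) => `[${f.reason}] ${f.method} ${f.pattern} -> ${f.handler}`)
    .join('\n');
}

const sampleFindings = findShadowRoutes(flattenRoutes(LIST_ROUTES_JSON), DOCUMENTED);
console.log(formatReport(sampleFindings));
console.log(ciGate(sampleFindings) ? 'CI gate: pass' : 'CI gate: FAIL');
```

In a pipeline you would replace the embedded string with the captured command output and the `DOCUMENTED` map with the `paths` object read from your OpenAPI file, then fail the build when `ciGate` returns false. Against the sample data the public `PUT`, `PATCH` and `DELETE` on `/api/v1/users/:id` are reported as unprotected shadow routes (the exact leak the broad `Route.resource` call creates), while the admin `update` route is reported as merely undocumented because it sits behind `auth`.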
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.