Fix Insufficient Logging & Monitoring in AdonisJS
Insufficient logging is a gift to an adversary. If you aren't logging authentication failures, privilege escalations, and input-validation bypasses with context, you're flying blind while your infrastructure burns. In AdonisJS, relying on console.log or swallowing exceptions is a critical failure. To stop being a ghost in your own machine, you need structured, persistent telemetry that feeds into a SIEM for real-time alerting.
The Vulnerable Pattern
// app/Controllers/Http/AuthController.ts
import type { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class AuthController {
  public async login({ request, auth, response }: HttpContextContract) {
    const { email, password } = request.all()
    try {
      await auth.use('web').attempt(email, password)
      return response.redirect('/dashboard')
    } catch (error) {
      // VULNERABILITY: Silent failure or generic console.log provides no audit trail
      // Attackers can brute-force or credential stuff without detection
      return response.badRequest('Invalid credentials')
    }
  }
}
The Secure Implementation
The secure implementation uses the AdonisJS Logger provider to emit structured JSON logs. By capturing the actor (email), the source (IP address and user agent), and the outcome (success/failure) of every attempt, you build an audit trail that, once shipped off-host, an intruder cannot quietly erase. This lets security teams alert on failure thresholds (e.g., 100 failed logins in 1 minute), the primary indicator of a brute-force or credential-stuffing attack. Configure 'config/logger.ts' to stream these logs to a centralized collector such as ELK, Datadog, or CloudWatch rather than only to local files, which an attacker with host access can wipe.
// app/Controllers/Http/AuthController.ts
import type { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
import Logger from '@ioc:Adonis/Core/Logger'

export default class AuthController {
  public async login({ request, auth, response }: HttpContextContract) {
    const { email } = request.all()
    // Context attached to every attempt: who (email), from where (IP, user agent), what (event)
    const metadata = {
      ip: request.ip(),
      userAgent: request.header('user-agent'),
      event: 'authentication',
    }

    try {
      await auth.use('web').attempt(email, request.input('password'))
      // Logger follows pino's signature: merging object first so its keys become
      // top-level JSON fields, then the message
      Logger.info({ ...metadata, email, status: 'success' }, 'Successful login')
      return response.redirect('/dashboard')
    } catch (error: any) {
      // SECURE: Structured logging with context for SIEM ingestion (the password is never logged)
      Logger.warn(
        { ...metadata, email, status: 'failure', reason: error.code || 'E_INVALID_AUTH_PASSWORD' },
        'Failed login attempt'
      )
      return response.badRequest('Invalid credentials')
    }
  }
}
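Once these structured events reach a collector, the threshold rule described above can be expressed as a small sliding-window detector. The TypeScript below is an added example, not code from the original page or from AdonisJS; it runs over constructed pino-style JSON log lines that reuse the field names of the secure controller's metadata object (event, status, ip, email, plus pino's numeric time), which are assumptions about the log shape, and raises an alert when one IP accumulates N failures inside a time window. Malformed or non-authentication lines are skipped rather than halting the pipeline.

```typescript
// Added example (not part of the original page): sliding-window detection of
// repeated authentication failures over structured JSON log lines.
// Field names (event, status, ip, email, time) are assumptions matching the
// metadata object emitted by the secure controller.

export interface AuthEvent {
  time: number; // epoch milliseconds
  event: string;
  status: 'success' | 'failure';
  ip: string;
  email: string;
}

export interface Alert {
  key: string; // the IP (or email) that crossed the threshold
  count: number;
  windowStart: number;
  windowEnd: number;
}

// Parse one JSON log line; return null for malformed or non-auth lines so a
// single bad line never stops the detector.
export function parseAuthEvent(line: string): AuthEvent | null {
  let obj: any;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (obj?.event !== 'authentication') return null;
  if (obj.status !== 'success' && obj.status !== 'failure') return null;
  if (typeof obj.ip !== 'string' || typeof obj.email !== 'string') return null;
  const time = typeof obj.time === 'number' ? obj.time : Date.parse(obj.time);
  if (Number.isNaN(time)) return null;
  return { time, event: obj.event, status: obj.status, ip: obj.ip, email: obj.email };
}

// Fire one alert when `threshold` failures for the same key fall within
// `windowMs`. Keying defaults to the source IP; pass keyOf to key by email
// (useful for spotting password spraying against one account).
export function detectBruteForce(
  lines: string[],
  threshold: number,
  windowMs: number,
  keyOf: (e: AuthEvent) => string = (e) => e.ip
): Alert[] {
  const failures = lines
    .map(parseAuthEvent)
    .filter((e): e is AuthEvent => e !== null && e.status === 'failure')
    .sort((a, b) => a.time - b.time);

  const windows = new Map<string, number[]>();
  const alerts: Alert[] = [];
  for (const e of failures) {
    const key = keyOf(e);
    const ts = windows.get(key) ?? [];
    ts.push(e.time);
    // Evict timestamps that have aged out of the window
    while (ts.length && e.time - ts[0] > windowMs) ts.shift();
    windows.set(key, ts);
    if (ts.length === threshold) {
      alerts.push({ key, count: ts.length, windowStart: ts[0], windowEnd: e.time });
    }
  }
  return alerts;
}

// Constructed sample log lines (not real traffic): five failures from one IP
// within 16 seconds, one failure and one success from another IP, one junk line.
const base = Date.UTC(2024, 0, 1, 12, 0, 0);
export const SAMPLE_LINES: string[] = [
  ...[0, 4, 8, 12, 16].map((s, i) =>
    JSON.stringify({
      level: 40, time: base + s * 1000, msg: 'Failed login attempt',
      event: 'authentication', status: 'failure', ip: '203.0.113.10',
      email: `user${i}@example.com`, reason: 'E_INVALID_AUTH_PASSWORD',
    })
  ),
  JSON.stringify({
    level: 40, time: base + 5000, msg: 'Failed login attempt',
    event: 'authentication', status: 'failure', ip: '198.51.100.7', email: 'alice@example.com',
  }),
  JSON.stringify({
    level: 30, time: base + 9000, msg: 'Successful login',
    event: 'authentication', status: 'success', ip: '198.51.100.7', email: 'alice@example.com',
  }),
  'not json at all',
];

// Five failures from one IP in under a minute: exactly one alert for 203.0.113.10
export function runSample(): Alert[] {
  return detectBruteForce(SAMPLE_LINES, 5, 60000);
}
```

The same events keyed by email instead of IP catch distributed attempts against a single account; in a real deployment the threshold and window belong in the SIEM rule rather than hard-coded, and the alert should carry the windowStart/windowEnd pair so responders can pull the exact log slice.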
Verified by Ghost Labs Security Team