require-auth-mechanism
Requires explicit authentication mechanism specification for MongoDB connections.
Keywords: CWE-287, authentication, SCRAM-SHA-256, MongoDB, security
⚠️ This rule warns by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-287 (Improper Authentication) |
| OWASP | A07:2021 - Identification/Auth Failures |
| Severity | Medium (CVSS: 6.5) |
| Category | Security |
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
```text
🔒 CWE-287 OWASP:A07 CVSS:9.8 | Improper Authentication detected | CRITICAL
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A07_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-287 OWASP:A07 CVSS:9.8 |
| Issue Description | Specific vulnerability | Improper Authentication detected |
| Severity & Compliance | Impact assessment | CRITICAL |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |
Rule Details
Specifying the authentication mechanism explicitly ensures:
- No fallback to weaker mechanisms
- Clear security configuration
- Defense against downgrade attacks
❌ Incorrect

```js
// No explicit auth mechanism - may default to legacy SCRAM-SHA-1
mongoose.connect('mongodb://user:pass@host/db');

// Only credentials, no mechanism specified
mongoose.connect(uri, {
  user: 'admin',
  pass: 'secret',
});
```

✅ Correct

```js
// Explicit SCRAM-SHA-256 (recommended)
mongoose.connect(uri, {
  authMechanism: 'SCRAM-SHA-256',
});

// MongoDB Atlas X.509
mongoose.connect(uri, {
  authMechanism: 'MONGODB-X509',
  tlsCertificateKeyFile: '/path/to/client.pem',
});

// AWS IAM authentication
mongoose.connect(uri, {
  authMechanism: 'MONGODB-AWS',
});
```

When Not To Use It
- Development environments with passwordless local MongoDB
- When using MongoDB Atlas with default secure configuration
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Connection String with Auth
Why: URI parsing is not performed; only the options object is checked.

```js
// ❌ NOT DETECTED - Auth mechanism in URI
mongoose.connect('mongodb://host/db?authMechanism=SCRAM-SHA-1'); // Weak mechanism in URI
```

Mitigation: Use the options object for the auth mechanism. Validate URIs at startup.
Options from Variable
Why: Variable contents are not analyzed.

```js
// ❌ NOT DETECTED - Options from variable
const opts = { user: 'admin', pass: 'secret' }; // Missing authMechanism
mongoose.connect(uri, opts);
```

Mitigation: Use inline options. Define a typed connection config.
Environment-Based Options
Why: Environment values are not known at lint time.

```js
// ❌ NOT DETECTED - Options depend on environment
const opts = process.env.USE_X509
  ? { authMechanism: 'MONGODB-X509' }
  : { user: 'admin', pass: 'secret' }; // Fallback has no mechanism!
mongoose.connect(uri, opts);
```

Mitigation: Always include authMechanism in all branches.
Native Driver Direct Use
Why: Only Mongoose patterns are recognized by default.

```js
// ❌ NOT DETECTED - Native driver
import { MongoClient } from 'mongodb';
const client = new MongoClient(uri, {
  auth: { username: 'admin', password: 'secret' },
});
// Missing authMechanism on native driver
```

Mitigation: Configure the rule to recognize MongoClient patterns.
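The startup validation recommended in the mitigations above, as an added example that is not part of the rule or plugin: a guard that resolves the mechanism a connection would actually use (options object first, then the URI query string, a precedence assumed here) and refuses to start unless it is one of the three mechanisms the Correct examples use. It covers the cases the static rule cannot see: a mechanism in the URI, options built in a variable, and an environment-dependent branch that falls back to bare credentials.

```javascript
// Added example, not part of the rule or plugin. A startup guard that resolves the
// authentication mechanism a connection will actually use (options object first,
// then the URI query string) and refuses to start unless it is a strong one.
const STRONG_MECHANISMS = new Set(['SCRAM-SHA-256', 'MONGODB-X509', 'MONGODB-AWS']);

// Read one query parameter from a connection string. The query part is sliced off
// by hand because multi-host URIs (h1:27017,h2:27017) are not valid WHATWG URLs.
function uriParam(uri, name) {
  const q = uri.indexOf('?');
  if (q === -1) return undefined;
  const value = new URLSearchParams(uri.slice(q + 1)).get(name);
  return value === null ? undefined : value;
}

// Options object takes precedence over the URI (an assumption made here; the
// driver's own precedence rules are authoritative).
function setting(uri, opts, name) {
  return opts[name] !== undefined ? String(opts[name]) : uriParam(uri, name);
}

function hasCredentials(uri, opts) {
  if (opts.user || opts.pass || (opts.auth && opts.auth.username)) return true;
  return /^mongodb(\+srv)?:\/\/[^\/?@]+@/.test(uri); // user:pass@host inside the URI
}

// Returns the problems found; an empty array means the connection is acceptable.
function auditConnection(uri, opts = {}) {
  const findings = [];
  const raw = setting(uri, opts, 'authMechanism');
  const mech = raw ? raw.toUpperCase() : undefined;
  if (!mech) {
    findings.push(hasCredentials(uri, opts)
      ? 'credentials supplied without an explicit authMechanism (driver will negotiate)'
      : 'no credentials and no authMechanism (unauthenticated connection)');
  } else if (!STRONG_MECHANISMS.has(mech)) {
    findings.push(`weak or unsupported authMechanism: ${mech}`);
  } else if (mech === 'MONGODB-X509' && !setting(uri, opts, 'tlsCertificateKeyFile')) {
    findings.push('MONGODB-X509 selected but no tlsCertificateKeyFile configured');
  }
  return findings;
}

// Call before mongoose.connect(uri, opts) so a misconfigured service never starts.
function assertSecureConnection(uri, opts = {}) {
  const findings = auditConnection(uri, opts);
  if (findings.length > 0) throw new Error(`Refusing MongoDB connection: ${findings.join('; ')}`);
  return opts;
}
```

Wire it as `mongoose.connect(uri, assertSecureConnection(uri, opts))` so every branch of an environment-dependent options object is checked with the values it actually has at runtime.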