AUTH-006 recommended http-endpoints
Endpoints easily auditable
Routes listable via CLI or centralized files, no dynamic registration
Question to ask
"Can you list every route in this app in under 30 seconds?"
Verification guide
Severity: Recommended
Check automatically:
Use framework CLI to list routes (if available):

```bash
# Laravel
php artisan route:list 2>/dev/null
# Rails
rails routes 2>/dev/null
# Django (with django-extensions)
python manage.py show_urls 2>/dev/null
# Symfony
php bin/console debug:router 2>/dev/null
# Phoenix/Elixir
mix phx.routes 2>/dev/null
```

Check if routes are centralized or scattered:

```bash
# Count files containing route definitions
grep -rl "app\.\(get\|post\|put\|patch\|delete\)\|router\.\(get\|post\|put\|patch\|delete\)" \
  --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | wc -l
# List route files
grep -rl "app\.\(get\|post\|put\|patch\|delete\)\|router\.\(get\|post\|put\|patch\|delete\)" \
  --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
```

Check for route index or manifest:

```bash
# Look for centralized route registration
find . -type f \( -name "routes.ts" -o -name "routes.js" -o -name "router.ts" -o -name "index.ts" -path "*/routes/*" \) \
  -not -path "*/node_modules/*" 2>/dev/null
```

For file-based routing (Next.js, Nuxt, SvelteKit):

```bash
# List API route structure
find . -type f -path "*/api/*" \( -name "*.ts" -o -name "*.js" \) -not -path "*/node_modules/*" 2>/dev/null | sort
```
Pass criteria:
- Framework CLI lists all routes, OR
- All endpoints can be listed in under 2 minutes of code reading
- Routes are centralized or follow predictable file-based pattern
- No hidden endpoints (registered dynamically at runtime from config/DB)
Fail criteria:
- No CLI command and routes scattered across 10+ files
- Endpoints registered dynamically (hard to audit statically)
- Cannot produce complete endpoint list from code or CLI
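The grep commands above count route files but cannot tell a literal `router.get('/users', ...)` apart from a registration whose verb or path is only known at runtime, which is exactly the case the fail criteria single out. The script below is an added example, not part of this check or of any framework's tooling: it walks an Express/Koa-style JS/TS tree, builds a route manifest from static registrations, flags dynamic ones (`app[verb](...)`, template-literal or variable paths), skips `node_modules`, and applies the pass/fail thresholds from this check. The sample project it scans is constructed inline for illustration; the regexes, the `RouteReport` type and the 10-file threshold are assumptions of this example, not values from the page.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Static registration with a literal path: app.get('/users', ...) / router.post("/login", ...)
STATIC_ROUTE = re.compile(
    r"""\b(?:app|router)\.(get|post|put|patch|delete|all)\s*\(\s*(["'])(/[^"']*)\2"""
)
# Registrations the static grep cannot enumerate: app[verb](...), or a path that is
# a template literal or an identifier instead of a string literal (assumed patterns).
DYNAMIC_ROUTE = re.compile(
    r"""\b(?:app|router)\[[^\]]+\]\s*\("""                                   # app[r.method](...)
    r"""|\b(?:app|router)\.(?:get|post|put|patch|delete|all)\s*\(\s*(?:`|[A-Za-z_])"""  # non-literal path
)

@dataclass
class RouteReport:
    routes: list = field(default_factory=list)         # (file, METHOD, path)
    route_files: set = field(default_factory=set)      # files that register routes
    dynamic_hits: list = field(default_factory=list)   # (file, line_no, source line)

def scan_tree(root):
    """Collect static routes and dynamic registrations from all .js/.ts files under root."""
    report = RouteReport()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]  # never audit dependencies
        for name in filenames:
            if not name.endswith((".js", ".ts")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in STATIC_ROUTE.finditer(line):
                        report.routes.append((rel, m.group(1).upper(), m.group(3)))
                        report.route_files.add(rel)
                    if DYNAMIC_ROUTE.search(line):
                        report.dynamic_hits.append((rel, line_no, line.strip()))
                        report.route_files.add(rel)
    return report

def verdict(report, max_files=10):
    """Apply the check's fail criteria: dynamic registration, or routes scattered across 10+ files."""
    reasons = []
    if report.dynamic_hits:
        reasons.append(f"{len(report.dynamic_hits)} dynamic route registration(s) found")
    if len(report.route_files) >= max_files:
        reasons.append(f"routes scattered across {len(report.route_files)} files")
    return ("FAIL" if reasons else "PASS", reasons)

# Constructed sample project (not a real code base): two clean route files, one template-literal
# path, one config-driven loader, and a node_modules file that must be ignored.
SAMPLE_PROJECT = {
    "src/routes/users.ts": "const router = Router();\nrouter.get('/users', listUsers);\nrouter.post('/users', createUser);\n",
    "src/routes/admin.ts": "const router = Router();\nrouter.delete(\"/admin/users/:id\", removeUser);\n",
    "src/routes/versioned.ts": "router.get(`/${API_VERSION}/health`, health);\n",
    "src/plugins/loader.js": "// routes come from a config table at startup\nfor (const r of config.routes) {\n  app[r.method](r.path, r.handler);\n}\n",
    "src/index.ts": "app.use('/api', usersRouter);\n",
    "node_modules/express/lib/router.js": "app.get('/should-be-ignored', noop);\n",
}

def write_sample_project(root):
    for rel, body in SAMPLE_PROJECT.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

def audit_sample():
    """Materialise the sample project in a temp dir, scan it, and return (report, verdict)."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_project(root)
        report = scan_tree(root)
    return report, verdict(report)

if __name__ == "__main__":
    report, (status, reasons) = audit_sample()
    print("Route manifest:")
    for rel, method, path in sorted(report.routes):
        print(f"  {method:6} {path:24} {rel}")
    print("Dynamic registrations (cannot be listed statically):")
    for rel, line_no, text in report.dynamic_hits:
        print(f"  {rel}:{line_no}: {text}")
    print(f"Verdict: {status} {'; '.join(reasons)}")
```

Point `scan_tree` at a real checkout to get the manifest and the list of dynamic registrations as the evidence this check asks for; each flagged line is a place where the complete endpoint list depends on runtime data and has to be confirmed with the team.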
If routes are scattered, ask user: "Routes are spread across [X] files with no CLI listing. Is there a route manifest or way to list all endpoints? Dynamic route registration makes security audits difficult."
Evidence to capture:
- Route listing method (CLI command, file-based, or manual grep)
- Complete list of endpoints found
- Any dynamic/runtime route registration detected