AUTH-007 critical http-endpoints

Endpoints follow auth best practices

Default-deny pattern, authorization checks for privileged routes

Question to ask

"Is every new route secure by default, or opt-in?"

Verification guide

Severity: Critical

Check automatically:

  1. Verify all non-public endpoints require auth:

    # Find routes and check for auth middleware
    grep -rn "app\.\(get\|post\|put\|patch\|delete\)\|router\.\(get\|post\|put\|patch\|delete\)" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules | head -30
    
    # Look for auth middleware patterns
    grep -rn "isAuthenticated\|requireAuth\|authMiddleware\|protect\|authenticate\|@UseGuards\|@Authorized" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  2. Check for default-deny pattern (auth required unless explicitly public):

    # Look for global auth middleware applied
    grep -rn "app\.use.*auth\|app\.use.*protect\|app\.use.*authenticate" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
    # Look for public route allowlist pattern
    grep -rn "publicRoutes\|whitelist\|excludeRoutes\|isPublic" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  3. Check for authorization (not just authentication):

    # Role/permission checks
    grep -rn "hasRole\|hasPermission\|isAdmin\|canAccess\|@Roles\|authorize" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  4. Review a sample of protected endpoints:

    • Read 3-5 sensitive endpoints (user data, admin, payments)
    • Verify auth check happens before any business logic
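The default-deny shape these checks look for, as an added example that is not part of the checklist or any project's code: one global auth middleware with an explicit public-route allowlist, plus a separate role check for privileged routes. It is written in Express middleware style (req, res, next) but runs through a small stand-in dispatcher (an assumption, so it executes without Express installed).

```javascript
// Explicit allowlist: every route NOT listed here requires authentication,
// so a newly added route is protected without anyone remembering to opt in.
const PUBLIC_ROUTES = new Set(['GET /health', 'POST /login']);

// Global middleware (in Express: app.use(requireAuthUnlessPublic) before any routes).
// Fails closed: unknown and unlisted paths get 401 before a 404 is ever produced.
function requireAuthUnlessPublic(req, res, next) {
  if (PUBLIC_ROUTES.has(`${req.method} ${req.path}`)) return next();
  if (!req.user) return res.status(401).end();
  return next();
}

// Per-route authorization: authentication alone is not enough for admin routes.
function requireRole(role) {
  return (req, res, next) => {
    if (!req.user || !req.user.roles.includes(role)) return res.status(403).end();
    return next();
  };
}

// Stand-in for Express dispatch (assumption, not the framework): runs the global
// chain, then the route's own chain; a handler that never calls next() ends the request.
function dispatch(app, req) {
  const res = { statusCode: 200, status(c) { this.statusCode = c; return this; }, end() {} };
  const route = app.routes[`${req.method} ${req.path}`];
  const chain = [...app.global, ...(route || [(q, r) => r.status(404).end()])];
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res.statusCode;
}

// Constructed sample app: auth is mounted once, globally; routes only add authorization.
const app = { global: [requireAuthUnlessPublic], routes: {} };
app.routes['GET /health'] = [(req, res) => res.status(200).end()];
app.routes['GET /me'] = [(req, res) => res.status(200).end()];
app.routes['DELETE /admin/users'] = [requireRole('admin'), (req, res) => res.status(204).end()];
```

Note that an unknown path with no session returns 401, not 404: the global check runs first, so the route table is never revealed to unauthenticated callers.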

Cross-reference with:

  • AUTH-001: Auth flow should show where checks happen
  • AUTH-006: Use endpoint list to identify what needs protection

Pass criteria:

  • Default-deny pattern (global auth, explicit public routes), OR
  • All sensitive endpoints have explicit auth middleware
  • Authorization checks exist for role-restricted endpoints
  • No sensitive endpoints unprotected

Fail criteria:

  • Sensitive endpoints without auth middleware
  • Default-allow pattern (no global auth, must remember to add per-route)
  • Authentication only, no authorization for admin/privileged routes

If a default-allow pattern is found, ask the user: "Auth is applied per-route rather than globally. How do you ensure new endpoints aren't accidentally left unprotected?"

Evidence to capture:

  • Auth pattern (default-deny vs default-allow)
  • Sample of protected endpoints reviewed
  • Any unprotected sensitive endpoints found

Section

03. Authentication & Endpoints