Severity: high | CWE-306 | OWASP A01:2021

Endpoints Without Authentication

API routes that perform sensitive operations — reading user data, modifying records, deleting resources — with no session or token verification.

How It Works

Without an auth check, any anonymous HTTP request can trigger your endpoint. Attackers enumerate routes by reading your JavaScript bundle, checking common paths, or using tools like ffuf. Once found, they call the endpoint freely.

Vulnerable Code

// BAD: returns user data with no auth check
// db is the app's ORM client (Prisma-style API); the import path is assumed, adjust it to your project
import { db } from '@/lib/db';

export async function GET(req: Request) {
  const { searchParams } = new URL(req.url);
  // The caller chooses any userId, and nothing verifies who the caller is
  const userId = searchParams.get('userId');
  const user = await db.users.findUnique({ where: { id: userId } });
  return Response.json(user);
}

Secure Code

// GOOD: verify session first
// Supabase server-side client; the path follows the Supabase Next.js docs, adjust it to your project
import { createClient } from '@/utils/supabase/server';
import { db } from '@/lib/db';

export async function GET(req: Request) {
  const supabase = createClient();
  const { data: { user } } = await supabase.auth.getUser();
  // No valid session: reject before touching the database
  if (!user) return Response.json({ error: 'Unauthorized' }, { status: 401 });
  // Look up the caller's own record using the verified session, not a query parameter
  const profile = await db.users.findUnique({ where: { id: user.id } });
  return Response.json(profile);
}

Real-World Example

AI-generated API routes routinely skip auth checks because the training data contains many examples of simple CRUD routes without auth. The result is production APIs with fully open data endpoints.

How to Prevent It

  • Add an auth check as the very first line of every API route handler
  • Create a reusable withAuth() wrapper that throws 401 if no valid session exists
  • Audit every file in your /api directory — confirm each one has a session check
  • Use Data Hogo to automatically scan all your API routes for missing auth
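A minimal version of the reusable withAuth() wrapper from the list above, as an added example that is not Data Hogo's code or the page's own. The session verifier is injected so the example runs offline; a real app would pass a function that calls supabase.auth.getUser(). The names withAuth, bearerToken, demoVerify and getProfile, and the token store, are the example's own constructions.

```typescript
// Added example: a reusable withAuth() wrapper for Next.js-style route handlers.
// The verifier is injected so this runs offline; in production pass a function
// that resolves the session (e.g. via supabase.auth.getUser()).
type AuthUser = { id: string };
type Handler = (req: Request, user: AuthUser) => Promise<Response>;
type SessionVerifier = (req: Request) => Promise<AuthUser | null>;

function json(body: unknown, status: number): Response {
  return new Response(JSON.stringify(body), {
    status,
    headers: { 'content-type': 'application/json' },
  });
}

// withAuth runs the verifier before anything else; the handler body only executes
// for an authenticated user, so a check forgotten inside the handler cannot expose data.
function withAuth(verify: SessionVerifier, handler: Handler) {
  return async (req: Request): Promise<Response> => {
    let user: AuthUser | null = null;
    try {
      user = await verify(req);
    } catch {
      user = null; // a failing verifier must deny, never fall through to the handler
    }
    if (!user) return json({ error: 'Unauthorized' }, 401);
    return handler(req, user);
  };
}

// Extracts a bearer token from the Authorization header, or null if absent/malformed.
function bearerToken(req: Request): string | null {
  const header = req.headers.get('authorization') ?? '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match?.[1] ?? null;
}

// Constructed stand-in for a session store, used only so the example runs offline.
const SESSIONS: Record<string, AuthUser> = { 'valid-token-123': { id: 'user-42' } };
const demoVerify: SessionVerifier = async (req) => {
  const token = bearerToken(req);
  const user = token ? SESSIONS[token] : undefined;
  return user ?? null;
};

// The handler never reads userId from the query string: it serves only the caller's own record.
const getProfile = withAuth(demoVerify, async (_req, user) => {
  return json({ id: user.id }, 200);
});
```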

Affected Technologies

Node.js, Next.js, Python, Go

Data Hogo detects this vulnerability automatically.
