TL;DR
Authentication bypass happens when attackers access protected resources without valid credentials. Common causes include missing auth checks, client-side only validation, and insecure direct object references. These prompts help you audit and fix auth vulnerabilities.
Audit Auth Coverage
Audit my codebase for authentication bypass vulnerabilities.
Framework: Next.js/Express/FastAPI/Django
Check for:
- API routes without auth middleware
- Pages without session checks
- Server actions without auth verification
- GraphQL resolvers without auth
- Webhook endpoints with weak/no validation
List all routes and their auth status:
- Route path
- HTTP method
- Auth required? (yes/no)
- Current protection (middleware, inline check, none)
- Sensitivity level (public, user, admin)
Flag any routes that:
- Handle sensitive data without auth
- Rely only on client-side auth checks
- Have inconsistent auth between similar routes
Fix Missing Auth Checks
Add proper server-side authentication to these routes.
Routes needing auth: list your routes
For each route:
- Verify session/token on the server
- Check user exists and is active
- Verify required permissions/roles
- Return 401 for no auth, 403 for no permission
- Log unauthorized access attempts
Avoid these mistakes:
- Trusting client-sent user IDs
- Only checking auth on frontend
- Using predictable/guessable tokens
- Not validating token signature
Show middleware pattern I can reuse across routes.
Never trust the client: Authentication must happen server-side. Client-side checks are for UX only. An attacker can bypass any client-side check by calling your API directly.
Fix IDOR Vulnerabilities
Fix IDOR vulnerabilities where users can access other users' data.
Current issue: Users can access /api/user/id with any ID
Fix by adding authorization checks:
- Verify authenticated user owns the resource
- Or verify user has admin permissions
- Return 404 (not 403) to avoid leaking existence
Review these patterns:
- /api/users/id - user profile
- /api/orders/id - order details
- /api/documents/id - document access
- /api/settings/id - user settings
For each:
- Add ownership check
- Use session user ID, not request parameter
- Consider using UUIDs instead of sequential IDs
- Add query scoping: WHERE user_id = currentUser.id
JWT Bypass Prevention
Review and fix my JWT authentication for bypass vulnerabilities.
Check for these issues:
- Algorithm confusion (accepting "none" or HS256 when expecting RS256)
- Missing signature verification
- Not checking expiration (exp claim)
- Trusting user-provided claims without verification
- Weak or hardcoded secrets
Fix implementation to:
- Explicitly specify allowed algorithms
- Verify signature with correct key
- Check exp and nbf claims
- Validate issuer (iss) and audience (aud)
- Reject tokens missing required claims
Also implement:
- Token refresh flow
- Revocation checking (if needed)
- Proper error responses
Pro tip: Use an auth library rather than implementing JWT validation yourself. Libraries like jose, jsonwebtoken (with careful config), or passport handle edge cases you might miss.
Why return 404 instead of 403 for unauthorized access?
Returning 403 tells attackers the resource exists. By returning 404, you don't reveal whether the resource exists, making enumeration attacks harder.
How do I protect Next.js API routes?
Use middleware for global protection, or check session in each route handler with getServerSession(). Never rely only on client-side routing guards.
Find Auth Bypass Vulnerabilities
Scan your app for unprotected routes and IDOR issues.
Start Free Scan