Missing Auth Checks

API routes without authentication (middleware-aware)

critical · Security · auth-checks

Why this matters

An unprotected API route is an open door. Anyone with the URL can read, modify, or delete data. AI tools often scaffold routes without auth because the prompt didn't mention it.

Bad

```ts
// No authentication: anyone who can reach the URL receives every user record.
export async function GET(req: Request) {
  const users = await db.user.findMany();
  return Response.json(users);
}
```

Good

```ts
export async function GET(req: Request) {
  // Resolve the caller's session before touching data (NextAuth shown here;
  // Clerk and Supabase expose equivalent server-side helpers).
  const session = await getServerSession();
  if (!session) {
    return new Response("Unauthorized", { status: 401 });
  }
  const users = await db.user.findMany();
  return Response.json(users);
}
```

How to fix

Add authentication to every API route that reads or mutates data. Use middleware (Clerk, NextAuth, Supabase) or check the session at the top of each handler.
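As an added example that is not part of this page or its rule engine, here is a miniature, middleware-aware version of the check in TypeScript: it flags exported route handlers that neither a middleware matcher nor an in-handler session check protects. The middleware matcher, the list of recognised auth calls and the sample route files are all constructed for the demonstration.

```typescript
// Added example (not the page's own implementation): a miniature, middleware-aware
// auth-checks rule run over constructed Next.js App Router route files.
type RouteFile = { path: string; source: string };
type Finding = { file: string; method: string };

// Constructed `matcher` of a hypothetical middleware.ts; routes it covers are
// authenticated before any handler runs.
const MIDDLEWARE_MATCHER = ["/api/admin/:path*", "/dashboard"];
// Heuristic: a handler counts as checking auth if it calls one of these.
const AUTH_CALLS = [/getServerSession\s*\(/, /\bauth\s*\(/, /currentUser\s*\(/, /\.auth\.getUser\s*\(/];
const HTTP_METHODS = ["GET", "POST", "PUT", "PATCH", "DELETE"];

// Turn a Next.js matcher such as "/api/admin/:path*" into an anchored RegExp.
function matcherToRegExp(matcher: string): RegExp {
  const pattern = matcher
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\/:\w+\*/g, "(?:/.*)?")         // "/:path*": zero or more segments
    .replace(/:\w+/g, "[^/]+");               // ":id": exactly one segment
  return new RegExp(`^${pattern}$`);
}

// "app/api/users/route.ts" -> "/api/users"
function routePathFromFile(file: string): string {
  return "/" + file.replace(/^app\//, "").replace(/\/route\.tsx?$/, "");
}

// Report exported HTTP handlers that neither the middleware nor the handler authenticates.
function findUnprotectedRoutes(files: RouteFile[], matchers: string[]): Finding[] {
  const covered = matchers.map(matcherToRegExp);
  const findings: Finding[] = [];
  for (const f of files) {
    if (covered.some((re) => re.test(routePathFromFile(f.path)))) continue; // middleware-aware
    if (AUTH_CALLS.some((re) => re.test(f.source))) continue;               // checked in handler
    for (const m of HTTP_METHODS) {
      if (new RegExp(`export\\s+(async\\s+)?function\\s+${m}\\b`).test(f.source)) {
        findings.push({ file: f.path, method: m });
      }
    }
  }
  return findings;
}

// Constructed sample files: the page's "Bad" handler, its "Good" handler, and an
// unchecked handler that the middleware matcher already covers.
const SAMPLE_FILES: RouteFile[] = [
  { path: "app/api/users/route.ts", source: "export async function GET(req: Request) {\n  const users = await db.user.findMany();\n  return Response.json(users);\n}" },
  { path: "app/api/profile/route.ts", source: "export async function GET() {\n  const session = await getServerSession();\n  if (!session) return new Response('Unauthorized', { status: 401 });\n  return Response.json(session.user);\n}" },
  { path: "app/api/admin/users/route.ts", source: "export async function DELETE() {\n  await db.user.deleteMany();\n  return new Response(null, { status: 204 });\n}" },
];
console.log(findUnprotectedRoutes(SAMPLE_FILES, MIDDLEWARE_MATCHER)); // -> [{ file: "app/api/users/route.ts", method: "GET" }]
```

Only the first file is reported: the second checks the session itself and the third sits under the `/api/admin/:path*` matcher, which is the "middleware-aware" part of the rule.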
