Problem
AI-generated Next.js apps frequently place privileged handlers under /api/admin/* without an authentication and authorization guard. CodeInspectus has remediation text for missing authorization, but no focused check for this route convention.
Scope
Design a conservative check for Next.js Pages Router and App Router admin API handlers. Prefer precision over coverage and keep the first version intrafile.
Acceptance criteria
- Freeze true-positive and near-miss fixtures before implementation.
- Cover at least one Pages Router handler and one App Router route handler.
- Require evidence of both authentication and an authorization decision; document the recognized guard shapes.
- Stay silent for public routes, non-admin routes, and fixtures with a recognized server-side role/permission guard.
- Do not treat client-controlled Supabase
user_metadata as a valid authorization guard.
- Add remediation and evidence-based CWE/OWASP mappings.
npm run build && npm test && npm run eval pass.
Problem
AI-generated Next.js apps frequently place privileged handlers under
/api/admin/*without an authentication and authorization guard. CodeInspectus has remediation text for missing authorization, but no focused check for this route convention.Scope
Design a conservative check for Next.js Pages Router and App Router admin API handlers. Prefer precision over coverage and keep the first version intrafile.
Acceptance criteria
user_metadataas a valid authorization guard.npm run build && npm test && npm run evalpass.