Skip to content

Detect unguarded Next.js admin API routes #3

Description

@Synvoya

Problem

AI-generated Next.js apps frequently place privileged handlers under /api/admin/* without an authentication and authorization guard. CodeInspectus has remediation text for missing authorization, but no focused check for this route convention.

Scope

Design a conservative check for Next.js Pages Router and App Router admin API handlers. Prefer precision over coverage and keep the first version intrafile.

Acceptance criteria

  • Freeze true-positive and near-miss fixtures before implementation.
  • Cover at least one Pages Router handler and one App Router route handler.
  • Require evidence of both authentication and an authorization decision; document the recognized guard shapes.
  • Stay silent for public routes, non-admin routes, and fixtures with a recognized server-side role/permission guard.
  • Do not treat client-controlled Supabase user_metadata as a valid authorization guard.
  • Add remediation and evidence-based CWE/OWASP mappings.
  • npm run build && npm test && npm run eval pass.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions