no-missing-authentication
Detects missing authentication checks in route handlers. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure
Keywords: missing authentication, CWE-287, security, ESLint rule, authentication middleware, route handlers, Express, Fastify, API security, access control, LLM-optimized, code security
Detects missing authentication checks in route handlers. This rule is part of eslint-plugin-secure-coding and provides LLM-optimized error messages that AI assistants can automatically fix.
⚠️ This rule warns by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-287 (Improper Authentication) |
| Severity | Critical (security vulnerability) |
| Auto-Fix | ❌ No (requires manual authentication setup) |
| Category | Security |
| ESLint MCP | ✅ Optimized for ESLint MCP integration |
| Best For | All web applications with API endpoints, Express, Fastify, Next.js |
Vulnerability and Risk
Vulnerability: Missing authentication checks in API route handlers or controller methods allow anonymous or unauthenticated users to access endpoints that should be protected.
Risk: Unauthorized access to sensitive data or functionality. This can lead to data breaches, modification of data by unauthorized users, or access to privileged administrative functions.
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
```text
🔒 CWE-287 OWASP:A07 CVSS:9.8 | Improper Authentication detected | CRITICAL
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A07_2021/
```

Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-287 OWASP:A07 CVSS:9.8 |
| Issue Description | Specific vulnerability | Improper Authentication detected |
| Severity & Compliance | Impact assessment | CRITICAL |
| Fix Instruction | Actionable remediation | Review and apply the recommended fix |
| Technical Truth | Official reference | https://owasp.org/Top10/A07_2021/ |
Rule Details
Missing authentication checks allow unauthorized access to protected resources. This rule detects route handlers that don't have authentication middleware configured.
Why This Matters
| Issue | Impact | Solution |
|---|---|---|
| 🔒 Security | Unauthorized access to APIs | Add authentication middleware |
| 🐛 Data Breach | Sensitive data exposure | Protect all endpoints |
| 🔐 Compliance | Violates security standards | Enforce authentication |
| 📊 Best Practice | All protected routes need auth | Use auth middleware |
Detection Patterns
The rule detects:
- Express routes: `app.get()`, `app.post()`, `app.put()`, `app.delete()`, `app.patch()`, `app.all()` (and the same methods on an Express `router`) are reported when no recognised authentication middleware appears among the call's arguments
- Recognised auth middleware names: `authenticate`, `auth`, `requireAuth`, `isAuthenticated`, `verifyToken`, `checkAuth`, `ensureAuthenticated`, `passport.authenticate`, `jwt`, `session` (extendable via `authMiddlewarePatterns`)
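To make the detection concrete, the following is an added, simplified checker that mirrors the behaviour described above; it is not the plugin's own implementation (the real rule inspects the ESLint AST), it only looks at the first line of each route registration, and the sample source it scans, the `logRequest` middleware and the `/api/public` ignore prefix are all constructed for this example.

```javascript
// Added example, not the plugin's code: a line-based approximation of the rule.
// It only scans the line that opens a route registration, which covers the
// call shapes shown on this page.
const AUTH_MIDDLEWARE_PATTERNS = [
  'authenticate', 'auth', 'requireAuth', 'isAuthenticated', 'verifyToken',
  'checkAuth', 'ensureAuthenticated', 'passport.authenticate', 'jwt', 'session',
];

// receiver.method('path', ...rest   e.g. app.get('/api/users', authenticate(), (req, res) => {
const ROUTE_RE = /^\s*(\w+)\.(get|post|put|delete|patch|all)\(\s*(['"`])([^'"`]*)\3\s*,(.*)$/;

// Arguments before the handler are middleware. The handler is the first
// argument that looks like a function: `(`, `async`, `function` or `x =>`.
function middlewareArgs(rest) {
  const out = [];
  for (const raw of rest.split(',')) {
    const arg = raw.trim();
    if (/^(async\b|function\b|\(|\w+\s*=>)/.test(arg)) break;
    if (arg) out.push(arg);
  }
  return out;
}

// Returns [{ line, call }] for every route registration that has no
// recognised authentication middleware among its arguments.
function findUnauthenticatedRoutes(source, options = {}) {
  const names = options.authMiddlewarePatterns || AUTH_MIDDLEWARE_PATTERNS;
  const ignore = options.ignorePatterns || [];
  // Whole-identifier match, so `auth` does not match `author` but does match `auth`.
  const matchers = names.map((n) => new RegExp(`\\b${n.replace(/\./g, '\\.')}\\b`));
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const m = ROUTE_RE.exec(line);
    if (!m) return;
    const [, receiver, method, , path, rest] = m;
    if (ignore.some((prefix) => path.startsWith(prefix))) return;
    const hasAuth = middlewareArgs(rest).some((arg) => matchers.some((re) => re.test(arg)));
    if (!hasAuth) findings.push({ line: idx + 1, call: `${receiver}.${method}('${path}')` });
  });
  return findings;
}

// Constructed sample source (not taken from a real project).
const SAMPLE_SOURCE = [
  "app.get('/api/users', (req, res) => res.json(users));",                                  // 1: reported
  "app.post('/api/users', authenticate(), (req, res) => res.sendStatus(201));",             // 2: ok
  "router.put('/api/users/:id', verifyToken(), async (req, res) => res.sendStatus(204));",  // 3: ok
  "app.delete('/api/users/:id', passport.authenticate('jwt', { session: false }), (req, res) => res.sendStatus(204));", // 4: ok
  "app.get('/api/public/status', (req, res) => res.json({ ok: true }));",                    // 5: reported unless ignored
  "app.patch('/api/admin/flags', logRequest, (req, res) => res.sendStatus(204));",           // 6: reported, logRequest is not auth
  "app.get('/api/admin/users', auth, (req, res) => res.json(users));",                       // 7: accepted on the name alone
].join('\n');

const findings = findUnauthenticatedRoutes(SAMPLE_SOURCE, { ignorePatterns: ['/api/public'] });
for (const f of findings) console.log(`line ${f.line}: ${f.call} has no authentication middleware`);
```

Line 7 shows the limit of name-based matching: any function called `auth` satisfies the check, whether or not it verifies anything, so the rule proves only that some middleware with an auth-like name is wired in, not that it is correct.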
Examples
❌ Incorrect

```javascript
const express = require('express');
const app = express();
const router = express.Router();

// Missing authentication on protected routes
app.get('/api/users', (req, res) => {
  // ❌ No auth middleware
  // Return user data
});

app.post('/api/users', (req, res) => {
  // ❌ No auth middleware
  // Create user
});

router.put('/api/users/:id', (req, res) => {
  // ❌ No auth middleware
  // Update user
});
```

✅ Correct

```javascript
const express = require('express');
const app = express();
const router = express.Router();
// authenticate, auth, requireAuth and verifyToken are the application's own
// middleware; their names match the patterns the rule recognises

// Authentication middleware added
app.get('/api/users', authenticate(), (req, res) => {
  // ✅ Auth middleware
  // Return user data
});

app.post('/api/users', auth, requireAuth, (req, res) => {
  // ✅ Multiple auth checks
  // Create user
});

router.put('/api/users/:id', verifyToken(), (req, res) => {
  // ✅ Token verification
  // Update user
});

// Public route (can be excluded via the ignorePatterns option)
app.get('/api/public', (req, res) => {
  // ✅ Public endpoint
  // Return public data
});
```

Configuration
Default Configuration

```json
{
  "secure-coding/no-missing-authentication": "warn"
}
```

Options

| Option | Type | Default | Description |
|---|---|---|---|
| `allowInTests` | boolean | `false` | Allow missing auth in test files |
| `testFilePattern` | string | `'\\.(test\|spec)\\.(ts\|tsx\|js\|jsx)$'` | Regex identifying test files |
| `authMiddlewarePatterns` | string[] | `['authenticate', 'auth', ...]` | Middleware identifier names recognised as authentication |
| `routeHandlerPatterns` | string[] | `['get', 'post', ...]` | Route method names to check |
| `ignorePatterns` | string[] | `[]` | Route paths or patterns to skip (e.g. public endpoints) |
Example Configuration

```json
{
  "secure-coding/no-missing-authentication": [
    "error",
    {
      "allowInTests": true,
      "authMiddlewarePatterns": ["authenticate", "myCustomAuth"],
      "routeHandlerPatterns": ["get", "post", "put", "delete"],
      "ignorePatterns": ["/api/public"]
    }
  ]
}
```

Best Practices
- Always add authentication to protected routes
- Use middleware: leverage Express/Fastify middleware for consistent auth
- Public routes: explicitly mark public routes or list them in `ignorePatterns`
- Token validation: verify JWT/session tokens on all protected endpoints
- Role-based access: combine with role checks for fine-grained control
- Name-based matching: the rule recognises middleware by identifier name, so a function called `auth` that does not actually verify credentials still satisfies the rule; the real check has to live inside the middleware
- Global middleware: the rule only inspects the route call's own arguments, so protection applied once via `app.use(...)` is not visible to it; prefer per-route middleware, or use `ignorePatterns` for routes covered elsewhere
Known False Negatives

The following patterns are not detected because of static-analysis limitations:

Credentials from Config

Why: config values are not traced.

```javascript
// ❌ NOT DETECTED - From config
const password = config.dbPassword;
```

Mitigation: use proper secrets management.

Environment Variables

Why: environment variable content is not analyzed.

```javascript
// ❌ NOT DETECTED - Env var
const secret = process.env.API_KEY;
```

Mitigation: never hardcode or expose secrets.

Dynamic Credential Access

Why: dynamic property access is not traced.

```javascript
// ❌ NOT DETECTED - Dynamic
const cred = credentials[type];
```

Mitigation: audit all credential access patterns.
Related Rules

- `no-privilege-escalation` - Detects privilege escalation vulnerabilities
- `no-unvalidated-user-input` - Detects unvalidated user input