# Missing Authentication for Critical Function (CWE-306) The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. **Stack:** JavaScript - Prevalence: Alta Frecuentemente explotada - Impact: Alto 6 reglas de severidad alta - Prevention: Documentada 6 ejemplos de corrección **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity. ## Prevention ### JavaScript Add @UseGuards decorator with authentication guard at controller or method level ## Warning Signs - [HIGH] NestJS endpoint has no @UseGuards() decorator for authentication ## Consequences - Obtener privilegios - Leer datos de la aplicación - Modificar datos de la aplicación - Ejecutar código no autorizado ## Mitigations - Divide el software en componentes con distintos niveles de confianza - Identifica todas las áreas con funcionalidad crítica para la seguridad y exige autenticación en todas ellas - Asegura que se apliquen los controles de acceso apropiados ## Detection - Total rules: 6 - Languages: python, go, typescript ## Rules by Language ### Typescript (1 rules) - **NestJS Endpoint Missing Authentication Guard** [HIGH]: Endpoints without @UseGuards or @Public decorators are accessible to unauthenticated users, enabling unauthorized access. - Remediation: Add @UseGuards decorator at controller or method level. ```typescript import { UseGuards } from '@nestjs/common'; import { JwtAuthGuard } from '../auth/jwt-auth.guard'; @Controller('users') @UseGuards(JwtAuthGuard) export class UsersController { @Get(':id') findOne(@Param('id') id: string) { return this.usersService.findOne(id); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-306/missing-auth-guard