# Missing Authentication for Critical Function (CWE-306)

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

**Stack:** JavaScript

- Prevalence: Élevée Fréquemment exploitée
- Impact: Élevé 6 règles de sévérité élevée
- Prevention: Documentée 6 exemples de correctifs

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

## Prevention

### JavaScript

Add @UseGuards decorator with authentication guard at controller or method level

## Warning Signs

- [HIGH] NestJS endpoint has no @UseGuards() decorator for authentication

## Consequences

- Obtenir des privilèges
- Lecture des données de l'application
- Modification des données de l'application
- Exécuter du code non autorisé

## Mitigations

- Divisez le logiciel en composants ayant différents niveaux de confiance
- Identifiez toutes les zones à fonctionnalité critique pour la sécurité et exigez l'authentification dans chacune
- Veillez à ce que des contrôles d'accès appropriés soient appliqués

## Detection

- Total rules: 6
- Languages: python, go, typescript

## Rules by Language

### Typescript (1 rules)

- **NestJS Endpoint Missing Authentication Guard** [HIGH]: Endpoints without @UseGuards or @Public decorators are accessible to
unauthenticated users, enabling unauthorized access.
  - Remediation: Add @UseGuards decorator at controller or method level.

```typescript
import { UseGuards } from '@nestjs/common';
import { JwtAuthGuard } from '../auth/jwt-auth.guard';

@Controller('users')
@UseGuards(JwtAuthGuard)
export class UsersController {
  @Get(':id')
  findOne(@Param('id') id: string) {
    return this.usersService.findOne(id);
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-306/missing-auth-guard