# Missing Authentication for Critical Function (CWE-306)

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

**Stack:** Python

- Prevalence: High (frequently exploited)
- Impact: High (6 high-severity rules)
- Prevention: Documented (6 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

As data traverses trust boundaries, it should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke those functions without proving their identity.

## Prevention

### Python

- Add the `@login_required` or `@permission_required` decorator to all protected views.
- Add authentication using FastAPI `Depends()` dependency injection.

## Warning Signs

- [HIGH] View handles sensitive operations without an authentication decorator
- [HIGH] Django views that should require authentication but lack `@login_required`, `@permission_required`, or other authentication decorators
- [HIGH] Endpoint performs sensitive operations without `Depends(get_current_user)` or a similar auth dependency
- [HIGH] FastAPI endpoints that perform sensitive operations without authentication via a `Depends()` dependency

## Consequences

- Gain privileges
- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Divide the software into components with different trust levels
- Identify all areas of security-critical functionality and require authentication in each of them
- Ensure that appropriate access controls are enforced

## Detection

- Total rules: 6
- Languages: python, go, typescript

## Rules by Language

### Python (2 rules)

- **Django View Missing Authentication** [HIGH]: Detects Django views that should require authentication but lack `@login_required`, `@permission_required`, or other authentication decorators.
  - Remediation: Add authentication:

```python
from django.contrib.auth.decorators import login_required, permission_required


@login_required
def protected_view(request):
    # Only authenticated users can access
    pass


@permission_required('app.change_model')
def admin_view(request):
    # Only users with permission can access
    pass
```

- **FastAPI Endpoint Missing Authentication** [HIGH]: Detects FastAPI endpoints that perform sensitive operations without authentication via `Depends()` dependency injection.
  - Remediation: Add authentication via dependency injection:

```python
from fastapi import Depends, FastAPI, HTTPException
from fastapi.security import OAuth2PasswordBearer
from pydantic import BaseModel

app = FastAPI()
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")


class User(BaseModel):
    username: str


async def get_current_user(token: str = Depends(oauth2_scheme)) -> User:
    # Verify the bearer token and return its user; reject the request otherwise.
    user = resolve_user_from_token(token)  # assumed helper: application-specific token verification
    if user is None:
        raise HTTPException(status_code=401, detail="Invalid or missing token")
    return user


@app.delete("/users/{user_id}")
async def delete_user(
    user_id: int,
    current_user: User = Depends(get_current_user),  # Required auth
):
    # Only authenticated users can delete
    pass
```
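The two Python rules above can be approximated with a small AST check. The following is an added example, not code from the rule set described on this page: it scans Python source for Django views (functions whose first parameter is `request`) lacking `@login_required`/`@permission_required`, and for FastAPI route handlers lacking a `Depends(get_current_user)` parameter. The dependency name `get_current_user` and the sample source are assumptions.

```python
import ast

AUTH_DECORATORS = {"login_required", "permission_required"}
AUTH_DEPENDENCIES = {"get_current_user"}  # assumed name of the auth dependency
ROUTE_METHODS = {"get", "post", "put", "patch", "delete"}


def _callee_name(node):
    # Name of a decorator or call target: `login_required`, `app.delete(...)` -> "delete"
    node = node.func if isinstance(node, ast.Call) else node
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else ""


def _has_auth_dependency(fn):
    # True if any parameter defaults to Depends(<auth dependency>)
    for default in fn.args.defaults + fn.args.kw_defaults:
        if (isinstance(default, ast.Call) and _callee_name(default) == "Depends"
                and default.args and isinstance(default.args[0], ast.Name)
                and default.args[0].id in AUTH_DEPENDENCIES):
            return True
    return False


def find_unauthenticated_handlers(source):
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_callee_name(d) for d in node.decorator_list}
        is_route = bool(names & ROUTE_METHODS)
        is_django_view = bool(node.args.args) and node.args.args[0].arg == "request"
        if is_route and not _has_auth_dependency(node):
            findings.append(f"{node.name}: FastAPI route without Depends(get_current_user)")
        elif is_django_view and not is_route and not (names & AUTH_DECORATORS):
            findings.append(f"{node.name}: Django view without @login_required/@permission_required")
    return findings


# Constructed sample source: two unprotected handlers and two protected ones.
SAMPLE = '''
def export_report(request):
    pass

@login_required
def dashboard(request):
    pass

@app.delete("/users/{user_id}")
async def delete_user(user_id: int):
    pass

@app.get("/me")
async def me(current_user=Depends(get_current_user)):
    pass
'''
```

Running `find_unauthenticated_handlers(SAMPLE)` reports `export_report` and `delete_user` only; the heuristic is deliberately simple (it does not follow class-based views or router-level dependencies) and is meant as a starting point, not a replacement for the full rule set.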