# Missing Authentication for Critical Function (CWE-306) The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. **Stack:** Go - Prevalence: 高 頻繁に悪用される - Impact: ハイ 6 件の重大度ハイのルール - Prevention: 文書化済み 6 件の修正例 **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity. ## Prevention ### Go Add Echo JWT middleware to protect API endpoints Add Fiber JWT middleware to protect API endpoints Add JWT authentication middleware to protect API endpoints ## Warning Signs - [HIGH] Gin application missing JWT authentication middleware ## Consequences - 権限の取得 - アプリケーションデータの読み取り - アプリケーションデータの変更 - 未承認コードの実行 ## Mitigations - ソフトウェアを信頼レベルの異なるコンポーネントに分割する - セキュリティ上重要な機能を持つすべての領域を特定し、それらすべてに認証を要求する - 適切なアクセス制御が確実に強制されるようにする ## Detection - Total rules: 6 - Languages: python, go, typescript ## Rules by Language ### Go (3 rules) - **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/labstack/echo-jwt/v4" api := e.Group("/api") api.Use(echojwt.JWT([]byte(os.Getenv("JWT_SECRET")))) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/gofiber/contrib/jwt" api := app.Group("/api") api.Use(jwtware.New(jwtware.Config{ SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, })) api.Post("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import jwt "github.com/appleboy/gin-jwt/v2" auth, _ := jwt.New(&jwt.GinJWTMiddleware{ Realm: "api", Key: []byte(os.Getenv("JWT_SECRET")), }) api := r.Group("/api") api.Use(auth.MiddlewareFunc()) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware