# Missing Authentication for Critical Function (CWE-306) The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. **Stack:** Go - Prevalence: 높음 자주 악용됨 - Impact: 높음 6개의 높은 심각도 규칙 - Prevention: 문서화됨 6개의 수정 예시 **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity. ## Prevention ### Go Add Echo JWT middleware to protect API endpoints Add Fiber JWT middleware to protect API endpoints Add JWT authentication middleware to protect API endpoints ## Warning Signs - [HIGH] Gin application missing JWT authentication middleware ## Consequences - 권한 획득 - 애플리케이션 데이터 읽기 - 애플리케이션 데이터 수정 - 승인되지 않은 코드 실행 ## Mitigations - 소프트웨어를 신뢰 수준이 다른 구성 요소로 나누세요 - 보안에 중요한 기능이 있는 모든 영역을 식별하고 해당 영역마다 인증을 요구하세요 - 적절한 접근 제어가 강제되도록 하세요 ## Detection - Total rules: 6 - Languages: python, go, typescript ## Rules by Language ### Go (3 rules) - **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/labstack/echo-jwt/v4" api := e.Group("/api") api.Use(echojwt.JWT([]byte(os.Getenv("JWT_SECRET")))) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/gofiber/contrib/jwt" api := app.Group("/api") api.Use(jwtware.New(jwtware.Config{ SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, })) api.Post("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import jwt "github.com/appleboy/gin-jwt/v2" auth, _ := jwt.New(&jwt.GinJWTMiddleware{ Realm: "api", Key: []byte(os.Getenv("JWT_SECRET")), }) api := r.Group("/api") api.Use(auth.MiddlewareFunc()) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware