# Missing Authentication for Critical Function (CWE-306) The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. - Prevalence: Alta Frequentemente explorada - Impact: Alto 6 regras de severidade alta - Prevention: Documentada 6 exemplos de correção **OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7 ## Description As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity. ## Prevention ### Python Add @login_required or @permission_required decorator to all protected views Add authentication using FastAPI Depends() dependency injection ### Go Add Echo JWT middleware to protect API endpoints Add Fiber JWT middleware to protect API endpoints Add JWT authentication middleware to protect API endpoints ### JavaScript Add @UseGuards decorator with authentication guard at controller or method level ## Warning Signs - [HIGH] View handles sensitive operations without authentication decorator - [HIGH] Django views that should require authentication but lack @login_required, @permission_required, or o - [HIGH] Endpoint performs sensitive operations without Depends(get_current_user) or similar auth - [HIGH] FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency - [HIGH] Gin application missing JWT authentication middleware - [HIGH] NestJS endpoint has no @UseGuards() decorator for authentication ## Consequences - Obter privilégios - Ler dados da aplicação - Modificar dados da aplicação - Executar código não autorizado ## Mitigations - Divida o software em componentes com diferentes níveis de confiança - Identifique todas as áreas com funcionalidades críticas para a segurança e exija autenticação em todas elas - Garanta que controles de acesso apropriados sejam aplicados ## Detection - Total rules: 6 - Languages: python, go, typescript ## Rules by Language ### Go (3 rules) - **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/labstack/echo-jwt/v4" api := e.Group("/api") api.Use(echojwt.JWT([]byte(os.Getenv("JWT_SECRET")))) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import "github.com/gofiber/contrib/jwt" api := app.Group("/api") api.Use(jwtware.New(jwtware.Config{ SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))}, })) api.Post("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware - **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection. - Remediation: Add JWT middleware to protect API routes. ```go import jwt "github.com/appleboy/gin-jwt/v2" auth, _ := jwt.New(&jwt.GinJWTMiddleware{ Realm: "api", Key: []byte(os.Getenv("JWT_SECRET")), }) api := r.Group("/api") api.Use(auth.MiddlewareFunc()) api.POST("/transfer", transferHandler) ``` Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware ### Python (2 rules) - **Django View Missing Authentication** [HIGH]: Detects Django views that should require authentication but lack @login_required, @permission_required, or other authentication decorators. - Remediation: Add authentication: ```python from django.contrib.auth.decorators import login_required, permission_required @login_required def protected_view(request): # Only authenticated users can access pass @permission_required('app.change_model') def admin_view(request): # Only users with permission can access pass ``` - **FastAPI Endpoint Missing Authentication** [HIGH]: Detects FastAPI endpoints that perform sensitive operations without authentication via Depends() dependency injection. - Remediation: Add authentication via dependency injection: ```python from fastapi import Depends, FastAPI from fastapi.security import OAuth2PasswordBearer oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token") async def get_current_user(token: str = Depends(oauth2_scheme)): # Verify token and return user return user @app.delete("/users/{user_id}") async def delete_user( user_id: int, current_user: User = Depends(get_current_user) # Required auth ): # Only authenticated users can delete pass ``` ### Typescript (1 rules) - **NestJS Endpoint Missing Authentication Guard** [HIGH]: Endpoints without @UseGuards or @Public decorators are accessible to unauthenticated users, enabling unauthorized access. - Remediation: Add @UseGuards decorator at controller or method level. ```typescript import { UseGuards } from '@nestjs/common'; import { JwtAuthGuard } from '../auth/jwt-auth.guard'; @Controller('users') @UseGuards(JwtAuthGuard) export class UsersController { @Get(':id') findOne(@Param('id') id: string) { return this.usersService.findOne(id); } } ``` Learn more: https://shoulder.dev/learn/typescript/cwe-306/missing-auth-guard