# Missing Authentication for Critical Function (CWE-306)

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

**Stack:** Go

- Prevalence: Alta Frequentemente explorada
- Impact: Alto 6 regras de severidade alta
- Prevention: Documentada 6 exemplos de correção

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

## Prevention

### Go

Add Echo JWT middleware to protect API endpoints

Add Fiber JWT middleware to protect API endpoints

Add JWT authentication middleware to protect API endpoints

## Warning Signs

- [HIGH] Gin application missing JWT authentication middleware

## Consequences

- Obter privilégios
- Ler dados da aplicação
- Modificar dados da aplicação
- Executar código não autorizado

## Mitigations

- Divida o software em componentes com diferentes níveis de confiança
- Identifique todas as áreas com funcionalidades críticas para a segurança e exija autenticação em todas elas
- Garanta que controles de acesso apropriados sejam aplicados

## Detection

- Total rules: 6
- Languages: python, go, typescript

## Rules by Language

### Go (3 rules)

- **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

```go
import "github.com/labstack/echo-jwt/v4"

api := e.Group("/api")
api.Use(echojwt.JWT([]byte(os.Getenv("JWT_SECRET"))))
api.POST("/transfer", transferHandler)
```

Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware
- **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

```go
import "github.com/gofiber/contrib/jwt"

api := app.Group("/api")
api.Use(jwtware.New(jwtware.Config{
    SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
}))
api.Post("/transfer", transferHandler)
```

Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware
- **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

```go
import jwt "github.com/appleboy/gin-jwt/v2"

auth, _ := jwt.New(&jwt.GinJWTMiddleware{
    Realm: "api",
    Key:   []byte(os.Getenv("JWT_SECRET")),
})
api := r.Group("/api")
api.Use(auth.MiddlewareFunc())
api.POST("/transfer", transferHandler)
```

Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware