# Improper Authorization (CWE-285)

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

- Prevalence: High (frequently exploited)
- Impact: Critical (3 critical-severity rules)
- Prevention: Documented (3 fix examples)

**OWASP:** Broken Access Control (A01:2021-Broken Access Control) - #1

## Description

Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user's privileges and any permissions or other access-control specifications that apply to the resource.

Authentication establishes who the actor is; authorization decides what that actor may do to a specific resource. A check that only confirms the caller is signed in closes the unauthenticated path, but it does not by itself stop one authenticated user from reading or modifying another user's data. A complete fix compares the caller's identity and privileges against the resource being acted on, and does so on the server, where the client cannot bypass it.

## Prevention

Prevention strategies for Improper Authorization based on 3 Shoulder detection rules.

### Node.js

- Add canActivate guards to all sensitive routes to prevent unauthorized access
- Add @UseGuards with authentication and authorization guards to all sensitive NestJS endpoints
- Use protectedProcedure with authentication middleware for all sensitive mutations and user-specific queries

## Warning Signs

- [CRITICAL] Route '...' handles sensitive operations but lacks canActivate or other route guards.
- [CRITICAL] Controller method '...' performs sensitive operation '...' without @UseGuards decorator. This endpoint is publicly acces
- [CRITICAL] Procedure '...' handles sensitive data but uses publicProcedure. Use protected procedure with authentication middleware.
## Consequences

- Gain Privileges
- Read Application Data
- Modify Application Data

## Mitigations

- Divide your application into anonymous, normal, privileged, and administrative areas
- Use a vetted library or framework for access control
- Ensure that access control checks are performed server-side

## Detection

- Total rules: 3
- Critical: 3
- Languages: javascript, typescript

## Rules by Language

### JavaScript (3 rules)

- **Angular Missing Route Guard** [CRITICAL]: Routes without canActivate guards allow unauthorized navigation to admin panels, user profiles, and sensitive operations in the client application. A route guard runs in the browser and only controls what the single-page app renders; it cannot stop a caller from invoking the backing API directly, so the server must enforce the same check (see Mitigations).
  - Remediation: Add a canActivate guard to protect sensitive routes, and keep the authoritative check on the server.

```typescript
import { Injectable } from '@angular/core';
import { CanActivate, Router, Routes } from '@angular/router';
// AuthService and AdminComponent are the application's own; their imports are omitted here.

@Injectable({ providedIn: 'root' })
export class AuthGuard implements CanActivate {
  constructor(private auth: AuthService, private router: Router) {}

  canActivate(): boolean {
    if (this.auth.isAuthenticated()) return true;
    // Not signed in: redirect to the login page and block the navigation.
    this.router.navigate(['/login']);
    return false;
  }
}

const routes: Routes = [
  { path: 'admin', component: AdminComponent, canActivate: [AuthGuard] }
];
```

Learn more: https://shoulder.dev/learn/typescript/cwe-285/missing-route-guard

- **NestJS Sensitive Route Missing Guard** [CRITICAL]: Controllers without @UseGuards on sensitive operations allow unauthorized access to create, update, delete, and admin endpoints.
  - Remediation: Add the @UseGuards decorator to sensitive endpoints. `AuthGuard('jwt')` establishes who the caller is; pair it with a roles guard or an ownership check in the service so that an authenticated user cannot act on another user's account.

```typescript
import { Controller, Delete, Param, UseGuards } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
// UserService is the application's own provider; its import is omitted here.

@Controller('users')
export class UserController {
  constructor(private readonly userService: UserService) {}

  @Delete(':id')
  @UseGuards(AuthGuard('jwt')) // rejects callers without a valid JWT (authentication)
  deleteUser(@Param('id') id: string) {
    // Authentication alone is not an authorization check: the service must still
    // confirm that the caller owns `id` or holds an admin role before deleting.
    return this.userService.delete(id);
  }
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-285/missing-route-guard

- **tRPC Protected Procedure Missing Authentication** [CRITICAL]: Using publicProcedure for mutations or user-specific data allows unauthenticated access and account manipulation.
  - Remediation: Use protectedProcedure with authentication middleware for sensitive operations. The middleware below only establishes that a caller is signed in; what makes the mutation an authorization-safe operation is that it selects the row from `ctx.user.id` (the server-side session) rather than from a client-supplied id.

```typescript
import { initTRPC, TRPCError } from '@trpc/server';
import { z } from 'zod';
// Assumed context shape: createContext populates `session` server-side (e.g. from the session cookie).
// `db` is the application's database client (e.g. a Prisma client) and is not shown here.
type Context = { session?: { user: { id: string } } | null };

const t = initTRPC.context<Context>().create();
const router = t.router;

// Reject unauthenticated callers and narrow ctx.user for downstream procedures.
const isAuthed = t.middleware(async ({ ctx, next }) => {
  if (!ctx.session?.user) {
    throw new TRPCError({ code: 'UNAUTHORIZED' });
  }
  return next({ ctx: { user: ctx.session.user } });
});

const protectedProcedure = t.procedure.use(isAuthed);

export const userRouter = router({
  updateProfile: protectedProcedure
    .input(z.object({ bio: z.string() }))
    .mutation(async ({ ctx, input }) => {
      // The target row comes from the server-side session, never from client input,
      // so a caller can only update their own profile.
      return await db.user.update({
        where: { id: ctx.user.id },
        data: { bio: input.bio }
      });
    })
});
```

Learn more: https://shoulder.dev/learn/typescript/cwe-285/missing-auth-middleware

### TypeScript (3 rules)

The same three rules (Angular Missing Route Guard, NestJS Sensitive Route Missing Guard, tRPC Protected Procedure Missing Authentication) apply to TypeScript code; their descriptions, remediations, and examples are identical to the JavaScript entries above.
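The three remediations above mostly add authentication. The following is an added, framework-agnostic example (not code from Shoulder, Angular, NestJS, or tRPC) of the server-side authorization check that the Mitigations list calls for: the four application areas as privilege tiers, a deny-by-default `authorize()` that compares the caller against the specific resource, and a vulnerable handler beside its fixed form. `Tier`, `Principal`, `authorize`, `principalFromSession`, the `SESSIONS` table, and the request shape are all assumptions made for this illustration; the session table and the attack request are constructed sample data.

```typescript
// Added example (not from the page's rules or any framework). All names are assumptions.

type Tier = 'anonymous' | 'normal' | 'privileged' | 'admin';

// The four areas from the Mitigations list, ranked so "at least privileged" is a comparison.
const TIER_RANK: Record<Tier, number> = { anonymous: 0, normal: 1, privileged: 2, admin: 3 };

interface Principal {
  id: string | null; // null for an anonymous caller
  tier: Tier;
}

type Action = 'read' | 'update' | 'delete';

interface Target {
  kind: 'profile' | 'adminPanel' | 'publicPost';
  ownerId?: string; // set for user-scoped resources such as a profile
}

// Constructed stand-in for a server-side session store (opaque session id -> principal).
// A real service would verify a JWT or look up a session cookie here.
const SESSIONS: Record<string, Principal> = {
  'sess-alice': { id: 'alice', tier: 'normal' },
  'sess-bob': { id: 'bob', tier: 'normal' },
  'sess-root': { id: 'root', tier: 'admin' },
};

function principalFromSession(sessionId: string | undefined): Principal {
  const p = sessionId ? SESSIONS[sessionId] : undefined;
  return p ?? { id: null, tier: 'anonymous' };
}

// Deny by default: a (principal, action, target) triple is allowed only by an explicit rule.
function authorize(p: Principal, action: Action, target: Target): boolean {
  switch (target.kind) {
    case 'publicPost':
      // Anyone may read; only privileged staff or admins may change or remove a post.
      return action === 'read' || TIER_RANK[p.tier] >= TIER_RANK.privileged;
    case 'profile':
      // Signed-in users may read profiles; only the owner or an admin may change one.
      if (p.id === null) return false;
      if (action === 'read') return true;
      return p.id === target.ownerId || p.tier === 'admin';
    case 'adminPanel':
      return p.tier === 'admin';
    default:
      return false;
  }
}

interface ApiRequest {
  sessionId?: string; // from the session cookie / Authorization header
  params: { id: string }; // e.g. PUT /users/:id/bio
  body: { userId?: string; bio?: string };
}

// BEFORE (vulnerable): authenticated, but the handler trusts the user id in the body,
// so any signed-in user can overwrite any other user's profile.
function updateBioVulnerable(req: ApiRequest, profiles: Map<string, string>): number {
  const p = principalFromSession(req.sessionId);
  if (p.id === null) return 401;
  profiles.set(req.body.userId ?? p.id, req.body.bio ?? '');
  return 200;
}

// AFTER (fixed): the target comes from the route, the identity from the session, and the
// write happens only if authorize() permits this principal to update that profile.
function updateBioSecure(req: ApiRequest, profiles: Map<string, string>): number {
  const p = principalFromSession(req.sessionId);
  if (p.id === null) return 401;
  if (!authorize(p, 'update', { kind: 'profile', ownerId: req.params.id })) return 403;
  profiles.set(req.params.id, req.body.bio ?? '');
  return 200;
}

// Constructed scenario: Bob is signed in and tries to overwrite Alice's bio.
function demo() {
  const attack: ApiRequest = {
    sessionId: 'sess-bob',
    params: { id: 'alice' },
    body: { userId: 'alice', bio: 'owned by bob' },
  };
  const before = new Map([['alice', 'hello'], ['bob', 'hi']]);
  const after = new Map(before);
  const vulnerableStatus = updateBioVulnerable(attack, before);
  const secureStatus = updateBioSecure(attack, after);
  // The same request from an admin session and from no session at all.
  const adminStatus = updateBioSecure({ ...attack, sessionId: 'sess-root' }, new Map(before));
  const anonStatus = updateBioSecure({ ...attack, sessionId: undefined }, new Map(before));
  return {
    vulnerableStatus, vulnerableAliceBio: before.get('alice'),
    secureStatus, secureAliceBio: after.get('alice'),
    adminStatus, anonStatus,
  };
}

console.log(demo());
```

Run with `ts-node` or compile with `tsc`; `demo()` reports 200 and an overwritten bio for the vulnerable handler, 403 with the bio intact for the fixed one, 200 for the admin session, and 401 with no session. The decision logic lives in one function that every handler calls, which is what "use a vetted library or framework for access control" buys you at scale: one place to review, one place to test.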