# Missing Authentication for Critical Function (CWE-306)

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

**Stack:** Go

- Prevalence: High (frequently exploited)
- Impact: High (6 high-severity rules)
- Prevention: Documented (6 remediation examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

As data traverses trust boundaries, the data should be validated before being processed. When authentication is not applied to critical functions, attackers can invoke these functions without proving their identity.

## Prevention

### Go

- Add Echo JWT middleware to protect API endpoints
- Add Fiber JWT middleware to protect API endpoints
- Add JWT authentication middleware to protect API endpoints

## Warning Signs

- [HIGH] Gin application missing JWT authentication middleware

## Consequences

- Gain privileges
- Read application data
- Modify application data
- Execute unauthorized code

## Mitigations

- Divide the software into components with different trust levels
- Identify all areas with security-critical functionality and require authentication for all of them
- Ensure that appropriate access controls are implemented

## Detection

- Total rules: 6
- Languages: python, go, typescript

## Rules by Language

### Go (3 rules)

- **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

    ```go
    import (
    	"os"

    	echojwt "github.com/labstack/echo-jwt/v4"
    )

    // Every route registered on this group requires a valid JWT.
    api := e.Group("/api")
    api.Use(echojwt.JWT([]byte(os.Getenv("JWT_SECRET"))))
    api.POST("/transfer", transferHandler)
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware

- **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

    ```go
    import (
    	"os"

    	jwtware "github.com/gofiber/contrib/jwt"
    )

    // Every route registered on this group requires a valid JWT.
    api := app.Group("/api")
    api.Use(jwtware.New(jwtware.Config{
    	SigningKey: jwtware.SigningKey{Key: []byte(os.Getenv("JWT_SECRET"))},
    }))
    api.Post("/transfer", transferHandler)
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware

- **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
  - Remediation: Add JWT middleware to protect API routes.

    ```go
    import (
    	"log"
    	"os"

    	jwt "github.com/appleboy/gin-jwt/v2"
    )

    // New returns an error on invalid configuration; fail closed rather than serve without auth.
    auth, err := jwt.New(&jwt.GinJWTMiddleware{
    	Realm: "api",
    	Key:   []byte(os.Getenv("JWT_SECRET")),
    })
    if err != nil {
    	log.Fatalf("jwt middleware: %v", err)
    }
    api := r.Group("/api")
    api.Use(auth.MiddlewareFunc())
    api.POST("/transfer", transferHandler)
    ```

    Learn more: https://shoulder.dev/learn/go/cwe-306/jwt-middleware
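
The rules above flag routes registered without the JWT middleware. As an added example (not code from the original page or from any of the frameworks), the following standard-library check probes each route without credentials and reports any that do not answer 401. The names `route`, `requireBearer`, `unauthenticatedRoutes`, `newMux` and the `/api/refund` path are hypothetical, and `requireBearer` stands in for the real JWT middleware.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// route is a method/path pair to probe.
type route struct{ method, path string }

// requireBearer is a hypothetical stand-in for the JWT middleware; it only checks header presence.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// unauthenticatedRoutes probes each route with no credentials and returns those not answering 401.
func unauthenticatedRoutes(h http.Handler, routes []route) []route {
	var open []route
	for _, rt := range routes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(rt.method, rt.path, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, rt)
		}
	}
	return open
}

// newMux builds a constructed app: /api/transfer is wrapped, /api/refund was forgotten.
func newMux() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/transfer", requireBearer(ok))
	mux.Handle("/api/refund", ok) // no middleware: reachable without authentication
	return mux
}

func main() {
	routes := []route{{"POST", "/api/transfer"}, {"POST", "/api/refund"}} // constructed sample
	for _, rt := range unauthenticatedRoutes(newMux(), routes) {
		fmt.Printf("no authentication required: %s %s\n", rt.method, rt.path)
	}
}
```

With a framework router, build the route list from its registry (`r.Routes()` in Gin, `e.Routes()` in Echo, `app.GetRoutes()` in Fiber) so newly added endpoints are probed automatically.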