authorization-implementation

Target: $ARGUMENTS

If no target path is given above, review the entire codebase.

---

Authorization Implementation

Analyze authorization implementation across all routes:

Check for:

1. Broken Object Level Authorization (BOLA / IDOR)

   • Verify ownership/tenant checks on all object-level routes (GET/PUT/DELETE /:id).
   • Ensure identifiers in URL, body, or query cannot be manipulated to access others’ data.

2. Broken Function Level Authorization

   • Confirm role/permission checks exist on every privileged route.
   • Ensure enforcement is server-side, not just in the UI.

3. Missing authorization checks on sensitive endpoints

   • Validate middleware ordering (authN → authZ → handler).
   • Confirm no endpoints are left exposed (admin tools, bulk exports, feature-flagged routes).

4. Role-based access control (RBAC) implementation

   • Map roles → permissions explicitly; enforce deny-by-default.
   • Ensure roles cannot be set/changed by the client.

5. Privilege escalation possibilities

   • Check for update endpoints allowing fields like role, tenantId, or isAdmin.
   • Validate multi-step workflows cannot escalate privileges indirectly.

6. JWT token validation on every protected route

   • Require jwt.verify with strict algorithms, iss, aud, exp.
   • Ensure no route uses jwt.decode or trusts unverified claims.
   • Validate jti or tokenVersion against revocation strategy.

7. Proper scope checking for API tokens

   • Verify least-privilege scopes are enforced.
   • Differentiate user tokens vs service tokens; enforce audience and intended route access.

---

Additional items to check for:

8. Multi-tenant isolation

   • Tenant constraints injected server-side, not client-provided.
   • List/search endpoints filtered by tenant at query time.

9. Bulk endpoint protections

   • Batch/bulk operations enforce ownership per item, not just once at entry point.

10. Field-level authorization

    • Sensitive fields (e.g., ssn, apiKey, secrets) excluded for non-privileged users.
    • Ensure field-level projection or serializer logic exists.

11. Error handling & resource enumeration

    • Uniform errors (403 vs 404) to prevent leaking resource existence.
    • Consistent status codes across owned vs non-owned resources.

12. Middleware ordering

    • Confirm routes cannot bypass authorization due to wrong order (e.g., handler before auth middleware).
    • Check nested routers for missing parent auth guards.

13. CORS & CSRF considerations

    • No wildcard origins with credentials.
    • If cookies are used for auth, CSRF defenses are in place (SameSite, CSRF token).

14. Open redirect protections

    • Verify post-login redirect/next parameters are validated against allowlists.

15. Fallback/debug routes

    • Ensure no /seed, /reset, /debug endpoints are left exposed without strict admin checks.

---

For each endpoint, verify:

• Who can access it (roles, scopes, tenant).
• What data they can see/modify (including hidden fields).
• Whether ownership/tenancy is properly checked (query-level filter + post-fetch check).
• That middleware enforces authN/authZ consistently (no bypass possible).

Provide:

A structured finding report with the following for each issue:

Title, Severity (Critical/High/Medium/Low), CWE (if applicable), Evidence (file, function, line ranges), and a short Why it matters.

Exploitability notes and, where safe, a minimal PoC or reproduction steps (no real secrets).

Remediation: precise code-level fix or config change (snippets welcome), plus defense-in-depth guidance.

A summary risk score (0–10) and top 3–5 prioritized fixes that reduce risk fastest.

A checklist diff: which items from the “Check for” list are Pass/Fail/Not Applicable.

Constraints & style:

Be concrete and cite exact code locations and identifiers.

Prefer minimal, drop-in fix snippets over prose.

Do not invent files or functions that aren’t present; if context is missing, mark as Unable to verify and say what code would prove it.

Write this into a markdown file and place it in the audits/ folder.