igbuend/missing-authentication-anti-pattern
skills/missing-authentication-anti-pattern/SKILL.md
Security anti-pattern for missing or broken authentication (CWE-287). Use when generating or reviewing code for login systems, API endpoints, protected routes, or access control. Detects unprotected endpoints, weak password policies, and missing rate limiting on authentication.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard missing-authentication-anti-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:19 PM28.1s1 file scanned
SKILL.md
- name:
- missing-authentication-anti-pattern
- description:
- Security anti-pattern for missing or broken authentication (CWE-287). Use when generating or reviewing code for login systems, API endpoints, protected routes, or access control. Detects unprotected endpoints, weak password policies, and missing rate limiting on authentication.
Missing Authentication Anti-Pattern
Severity: Critical
Summary
Missing or broken authentication occurs when applications fail to verify user identity, allowing unauthorized access to protected data and functionality. This manifests as unprotected endpoints, missing session checks, or weak credential verification vulnerable to bypass or brute-force. AI-generated code frequently produces insecure boilerplate with stubbed or missing authentication checks.
The Anti-Pattern
Never create endpoints accessing sensitive data or functionality without verifying user identity and validating active sessions.
BAD Code Example
# VULNERABLE: Critical API endpoint without authentication check
from flask import request, jsonify
from db import User, session
@app.route("/api/users/<int:user_id>/profile")
def get_user_profile(user_id):
# Takes user ID and returns profile data
# CRITICAL FLAW: Never checks who makes the request
# Any user can access any profile by changing user_id in URL
user = session.query(User).filter_by(id=user_id).first()
if not user:
return jsonify({"error": "User not found"}), 404
# Returns sensitive profile information without verification
return jsonify({
"id": user.id,
"username": user.username,
"email": user.email,
"signed_up_at": user.created_at
})
GOOD Code Example
# SECURE: Endpoint protected by authentication and authorization
from flask import request, jsonify
from db import User, session
from auth import require_authentication # Decorator for auth
@app.route("/api/users/<int:user_id>/profile")
@require_authentication # Ensures valid user session exists
def get_user_profile_secure(current_user, user_id):
# `require_authentication` decorator decodes session token (JWT)
# and passes authenticated user object to function
# AUTHORIZATION CHECK:
# Verify user can access this data
# Users see only their own profile unless admin
if current_user.id != user_id and not current_user.is_admin:
return jsonify({"error": "Access denied. You are not authorized to view this profile."}), 403
user = session.query(User).filter_by(id=user_id).first()
if not user:
return jsonify({"error": "User not found"}), 404
# Safe to return data after authentication and authorization
return jsonify({
"id": user.id,
"username": user.username,
"email": user.email,
"signed_up_at": user.created_at
})
Detection
- Audit all endpoints for authentication: Grep for routes without auth:
rg '@app\.route|@router\.(get|post)' --type py -A 5 | rg -v '@require|@login|@auth'rg 'app\.(get|post|put|delete)\(' --type js -A 3 | rg -v 'authenticate|isAuth'rg '@GetMapping|@PostMapping' --type java -A 3 | rg -v '@PreAuthorize|@Secured'
- Find sensitive endpoints: Identify admin, profile, financial routes:
rg '/admin|/api/users|/profile|/account|/payment' -i- Check each for authentication decorators/middleware
- Check for fail-open logic: Find default permit patterns:
rg 'if.*not.*authenticated.*return|except.*pass' --type pyrg 'catch.*\{\s*\}|if.*!auth.*continue' --type js
- Test unauthenticated access: Direct endpoint testing:
curl -X GET https://api.example.com/api/users/me(no auth header)curl -X DELETE https://api.example.com/api/admin/users/1(no token)- If these succeed without 401/403, endpoints are vulnerable
Prevention
- [ ] Default to deny: Require authentication for all endpoints by default. Explicitly mark public endpoints (login, registration) as exempt
- [ ] Centralize authentication logic: Use middleware (Express), decorators (Flask/Django), or filters (Java) for authentication. Avoid repeating logic across functions
- [ ] Distinguish authentication from authorization:
- Authentication: Verify user identity
- Authorization: Verify user permissions for action
- Endpoints must perform both
- [ ] Use robust authentication: Implement JWTs, OAuth2, or secure session management. Never roll your own authentication
Related Security Patterns & Anti-Patterns
- Session Fixation Anti-Pattern: Session identifier management after login
- JWT Misuse Anti-Pattern: Common token-based authentication mistakes
- Missing Rate Limiting Anti-Pattern: Login brute-force protection
References
- OWASP Top 10 A07:2025 - Authentication Failures
- OWASP GenAI LLM06:2025 - Excessive Agency
- OWASP API Security API2:2023 - Broken Authentication
- OWASP Authentication Cheat Sheet
- CWE-287: Improper Authentication
- CAPEC-115: Authentication Bypass
- PortSwigger: Authentication
- Source: sec-context
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026