🩹Vibe Code Fix

Auth Check

An auth check is the line of code at the top of a protected route that answers: 'is this request from someone who is actually allowed to do this?' Miss it, and anyone who knows the URL can call the endpoint.

AI assistants build route handlers by pattern matching, and the pattern is usually 'receive request, do work'. Authentication and authorization are two separate concerns, and the model doesn't chain them automatically. The classic bug: the model adds an auth check to the first route in a file and assumes the next one inherits it. It doesn't. Every protected route needs its own check. A tighter pattern is to build a middleware or a wrapper function so you can't forget; in Next.js this might be a helper like `requireUser()` that throws a 401 if the session is missing.

Authorization is a step further: even if the user is logged in, are they allowed to touch *this specific* resource? Fetching someone else's record by ID is a vulnerability called IDOR (Insecure Direct Object Reference). For every AI-generated endpoint, ask: 'can I hit this without logging in?' and 'can I pass someone else's ID?' Our checklist weights missing auth checks as critical.
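The wrapper pattern described above, as an added example that is not from the original page: a `requireUser()` helper for the authentication step, a `requireOwnedRecord()` helper for the IDOR (ownership) step, and a `withAuth()` wrapper so no handler in the file can skip the check. It is framework-free (no Next.js imports) with constructed in-memory sessions and records, and its choice to answer a foreign ID with 404 rather than 403 is the example's own.

```javascript
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Constructed sample data: session token -> user id, and records with an owner.
const SESSIONS = { "tok-alice": "alice", "tok-bob": "bob" };
const RECORDS = {
  1: { id: 1, owner: "alice", body: "alice's note" },
  2: { id: 2, owner: "bob", body: "bob's note" },
};

// Authentication: who is making the request? 401 when there is no valid session.
function requireUser(req) {
  const user = SESSIONS[(req.headers && req.headers.authorization) || ""];
  if (!user) throw new HttpError(401, "unauthenticated");
  return user;
}

// Authorization: may *this* user touch *this* record? A foreign or unknown id gets
// the same 404, so the response does not confirm that the record exists.
function requireOwnedRecord(user, id) {
  const rec = RECORDS[id];
  if (!rec || rec.owner !== user) throw new HttpError(404, "not found");
  return rec;
}

// Wrapper: every handler built with withAuth runs requireUser first, so a second
// route added to the same file cannot silently inherit nothing.
function withAuth(handler) {
  return (req) => {
    try {
      const user = requireUser(req);
      return { status: 200, body: handler(req, user) };
    } catch (e) {
      if (e instanceof HttpError) return { status: e.status, body: e.message };
      throw e;
    }
  };
}

// Protected route: GET /records/:id
const getRecord = withAuth((req, user) => requireOwnedRecord(user, req.params.id).body);

// The two checklist questions as requests: no login, someone else's id, own id.
const noLogin = getRecord({ headers: {}, params: { id: 1 } });            // status 401
const foreignId = getRecord({ headers: { authorization: "tok-bob" }, params: { id: 1 } }); // status 404
const ownRecord = getRecord({ headers: { authorization: "tok-alice" }, params: { id: 1 } }); // status 200
```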

Tags: auth check, authorization, IDOR, session, authentication (인증), authentication (認証)

Run this against your next diff — the full checklist is on the home page.
