Skip to main content
VibeAudit Liability Index
highauth/access-control riskFix order 2

Auth Middleware Missing Person

What it is

Auth dependencies or routes are visible, but middleware or server-side gate proof is not obvious in the digest.

This usually appears when UI state, route naming, or optimistic client branches are mistaken for server-side authorization evidence.

How to fix it

Add server-side middleware, protected-route tests, unauthenticated smoke checks, and explicit role boundaries.

  1. 1Add route-covering middleware or server-side guards for protected paths.
  2. 2Run unauthenticated smoke checks against protected routes.
  3. 3Document role boundaries and test denied roles.

How VibeAudit checks for this

VibeAudit checks this with CONTROL_DOMINANCE and SAST_LOCAL_STRUCTURAL route/control evidence, plus DAST_AUTHZ_2A two-actor authorization evidence when the scan includes authorized probes. The free tier may show the surface name only, without private evidence or remediation details. Metadata-only surface maps do not create missing-control findings. Unsupported private repositories, authenticated behavior, destructive workflows, account configuration, and business logic remain unverified unless the scan includes matching local, imported, or authorized runtime evidence.

Related failure modes

Check your public launch surface and keep unsupported scope visible.

Run Quick Scan