AI built your admin endpoints. They work from the admin panel, so you shipped. What you actually shipped lets any logged-in user — not just admins — call them directly.
What you shipped
The route checks req.user (are you logged in?) but never checks the user’s role. Being authenticated is treated as being authorized.

How anyone exploits it
A regular user opens devtools, copies the admin request, and fires it themselves:
DELETE /api/admin/users/2
They’re logged in, so the check passes, and the record is gone. The same trick exposes every admin action — delete, promote, refund.
Why you won’t catch it
From the UI, only admins ever see the admin buttons, so every click you test is a real admin. The hole only opens when someone calls the endpoint directly, bypassing your UI entirely.
Why AI does it
“Protect this route” most directly becomes “require a logged-in user.” The role check is a second decision the happy path doesn’t force, because in testing the only person hitting it is you.
The fix
Check the role, not just the login:
if (!req.user?.isAdmin) return res.status(403).end()
Authentication is who you are; authorization is what you’re allowed to do. You need both.

Check your app
- Every admin/privileged route checks a role or permission, not just authentication.
- The check is server-side, on the endpoint — not hidden in the frontend.
- Default to deny: unknown or missing role gets 403.
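An added example (not code from the post) showing the shipped handler next to a fail-closed role guard. It goes slightly beyond the one-line fix above by accepting a list of allowed roles, and it assumes an earlier authentication step has set req.user with a role string; the tiny res stand-in and dispatch loop exist only so it runs without Express installed.

```javascript
// Assumed: req.user is populated by authentication middleware and carries `role`.

// BEFORE: the shipped version. Only asks "is someone logged in?"
function deleteUserShipped(req, res) {
  if (!req.user) return res.status(401).end();
  return res.status(204).end(); // any authenticated user reaches here
}

// AFTER: a reusable guard. Missing or unknown role is treated as not allowed.
function requireRole(...allowed) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).end();                        // not authenticated
    if (!allowed.includes(req.user.role)) return res.status(403).end(); // authenticated, not authorized
    return next();
  };
}

function deleteUserFixed(req, res) {
  return res.status(204).end(); // only reached after requireRole passed
}

// Minimal stand-in for Express's res so the handlers can be exercised offline.
function makeRes() {
  const res = { code: null };
  res.status = (c) => { res.code = c; return res; };
  res.end = () => res;
  return res;
}

// Runs a handler chain the way Express would: guards first, then the handler.
// Returns the status code the chain ended with.
function dispatch(handlers, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res.code;
}

// Constructed sample requests: a real admin, an ordinary user, a user with no role, anonymous.
const admin = { user: { id: 1, role: 'admin' } };
const member = { user: { id: 7, role: 'user' } };
const noRole = { user: { id: 9 } };
const anon = {};

function shippedResults() {
  return [admin, member, noRole, anon].map((r) => dispatch([deleteUserShipped], r));
}
function fixedResults() {
  return [admin, member, noRole, anon].map((r) => dispatch([requireRole('admin'), deleteUserFixed], r));
}

console.log('shipped:', shippedResults()); // [204, 204, 204, 401]
console.log('fixed:  ', fixedResults());   // [204, 403, 403, 401]
```

The shipped handler lets the ordinary user and the role-less user delete just as an admin would; the guarded chain only lets the admin through and answers 403 to everyone else who is logged in.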
The bigger problem
A senior dev catches this by reflex. But if nobody senior reads the code, the broken version ships — it works in every test, because every test takes the happy path. The author and the reviewer are the same model with the same blind spot.
That’s the gap Velify is built to close: it reads your project and flags exactly this, in plain language, no terminal.
