IDOR in Cursor-Generated APIs: The Auth Check That Never Shows Up
Dev.to AI
Generative AI
TL;DR

- Cursor and Claude Code generate resource endpoints that authenticate but never verify ownership.
- Any logged-in user can access any other user's data by iterating IDs.
- Three lines and a helper function fix the entire pattern across your API.

I was reviewing a friend's SaaS side project last month. He'd built the whole backend using Cursor, about 800 lines of Express routes over a week. Authentication worked. Database queries worked. Everything functioned correctly when he tested it himself.
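To make the TL;DR concrete, here is an added example (my code, not the post's or the friend's project) of the pattern in plain JavaScript shaped like an Express handler: the route that authenticates but never checks ownership, beside the hardened version that routes every lookup through one ownership helper. It needs no framework; `req` and `res` are stand-ins with the Express fields the handlers touch, the `invoices` store, the `ownerId` field and the `loadOwned` helper are all hypothetical names, and the two invoices are constructed sample data.

```javascript
// Added example, not code from the original post. Express-style handlers
// exercised against plain req/res objects so it runs without any framework.

// Constructed sample data: two users (ids 10 and 20), each owning one invoice.
const invoices = new Map([
  [1, { id: 1, ownerId: 10, amount: 120 }],
  [2, { id: 2, ownerId: 20, amount: 999 }],
]);

// Stand-ins for what auth middleware and the router would hand a handler:
// req.user is already populated, req.params.id is a string as in Express.
function makeReq(userId, invoiceId) {
  return { user: { id: userId }, params: { id: String(invoiceId) } };
}
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// BEFORE: the generated shape. The caller is authenticated (req.user exists),
// but nothing ties the requested id to that caller, so any id resolves.
function getInvoiceVulnerable(req, res) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice) return res.status(404).json({ error: "not found" });
  return res.json(invoice);
}

// Hypothetical helper: one place that loads a row and verifies ownership.
// Missing and foreign rows both answer 404 so the endpoint does not become
// an oracle for which ids exist. Returns null after writing the response.
function loadOwned(store, id, req, res) {
  const row = store.get(Number(id));
  if (!row || row.ownerId !== req.user.id) {
    res.status(404).json({ error: "not found" });
    return null;
  }
  return row;
}

// AFTER: the route body is three lines, and every resource route can use
// the same helper, which is the whole-API fix the TL;DR refers to.
function getInvoiceFixed(req, res) {
  const invoice = loadOwned(invoices, req.params.id, req, res);
  if (!invoice) return res;
  return res.json(invoice);
}

// The attack from the TL;DR: log in as one user and walk the id space.
// Returns the ids of invoices the handler served that belong to someone else.
function leakedIds(handler, asUserId) {
  const leaked = [];
  for (const id of invoices.keys()) {
    const res = makeRes();
    handler(makeReq(asUserId, id), res);
    if (res.statusCode === 200 && res.body.ownerId !== asUserId) leaked.push(id);
  }
  return leaked;
}

// Run stand-alone: user 20 enumerating ids against both handlers.
console.log("vulnerable leaks:", leakedIds(getInvoiceVulnerable, 20));
console.log("fixed leaks:", leakedIds(getInvoiceFixed, 20));
```

The check belongs in the helper rather than in each route because the failure mode is an omission: a route that forgets the check looks identical to one that has it, so the fix has to be the thing every route already calls. Using 404 for foreign rows is a deliberate choice; a 403 would confirm that the id exists and is owned by someone else.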