The IDOR Bug Cursor Keeps Writing Into Your API Routes

Dev.to AI
Generative AI

TL;DR

- AI editors add authentication middleware but routinely skip ownership checks.
- Result: IDOR (CWE-639): any logged-in user can read or modify another user's data.
- Fix: one condition verifying `resource.userId === req.user.id` before returning data.

I was doing a quick review of a side project a friend asked me to look at. Node.js backend, built mostly with Cursor. Clean code. Solid structure. Auth middleware on every route.

Then I noticed the orders endpoint.

```javascript
app.get('/api/orders/:id', authenticate, async (req, res) => {
  const order = await Order.findById(req.params.
```
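To make the bug and the fix concrete, here is an added example (not the post's code and not the friend's project): the orders route as the post describes it, next to two hardened versions, with an in-memory stand-in for the Mongoose `Order` model and minimal `req`/`res` objects so it runs offline without Express or a database. The names `Order`, `authenticate` and `req.user.id` follow the post's snippet; the two sample orders and the `findOne` stand-in are assumptions made for the demo.

```javascript
// Added example, not the original post's code. Constructed sample data:
// two users, one order each.
const orders = new Map([
  ['o1', { _id: 'o1', userId: 'alice', total: 42 }],
  ['o2', { _id: 'o2', userId: 'bob', total: 99 }],
]);

// Stand-in for the Mongoose model (assumption: the route only needs
// findById and findOne). Both are async to mirror the real API.
const Order = {
  async findById(id) {
    return orders.get(id) ?? null;
  },
  async findOne(filter) {
    for (const o of orders.values()) {
      if (Object.keys(filter).every((k) => o[k] === filter[k])) return o;
    }
    return null;
  },
};

// Minimal Express-style res object that records status and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// VULNERABLE: authenticate has run (req.user is set), but nothing ties the
// order to req.user. Any logged-in user who guesses or enumerates an id
// gets the order back (CWE-639).
async function getOrderVulnerable(req, res) {
  const order = await Order.findById(req.params.id);
  if (!order) return res.status(404).json({ error: 'not found' });
  return res.json(order);
}

// FIXED (explicit check): the single condition the post recommends.
// Answer 404 rather than 403 so the endpoint does not confirm that another
// user's order id exists.
async function getOrderChecked(req, res) {
  const order = await Order.findById(req.params.id);
  if (!order || order.userId !== req.user.id) {
    return res.status(404).json({ error: 'not found' });
  }
  return res.json(order);
}

// FIXED (scoped query): fold the owner into the lookup itself, so a later
// code path that copies the query cannot forget the check.
async function getOrderScoped(req, res) {
  const order = await Order.findOne({ _id: req.params.id, userId: req.user.id });
  if (!order) return res.status(404).json({ error: 'not found' });
  return res.json(order);
}

// Run a handler as user `userId` requesting order `orderId` and return
// what the client would see.
async function call(handler, userId, orderId) {
  const req = { params: { id: orderId }, user: { id: userId } };
  const res = makeRes();
  await handler(req, res);
  return { status: res.statusCode, body: res.body };
}

// Demo: alice (authenticated) asks for bob's order through each handler.
async function demo() {
  const handlers = {
    vulnerable: getOrderVulnerable,
    checked: getOrderChecked,
    scoped: getOrderScoped,
  };
  const results = {};
  for (const [name, h] of Object.entries(handlers)) {
    results[name] = await call(h, 'alice', 'o2');
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Running it shows the vulnerable handler returning bob's order (status 200) to alice, while both fixed handlers return 404. The scoped-query form is the one to prefer in a codebase full of generated routes: the ownership predicate lives in the query, so there is no separate line for the next AI-written endpoint to omit.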