react-doctor/server-auth-actions

Add `const session = await auth()` at the top and throw/redirect if unauthorized before any data access

  • Category: Server
  • Severity: error
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires on an EXPORTED async server action (named export, default export, or exported 'const fn = async' — file has top-level 'use server' or the fn carries its own 'use server') when NONE of its first 10 top-level statements contains a session-verification call: a bare call to auth()/getSession()/getServerSession()/getUser()/currentUser()/requireAuth()/checkAuth()/verifyAuth()/authenticate()/getAuth()/validateSession(), or a '.getUser()' on an auth-namespaced receiver (auth./clerk./session./supabase.auth…). Calls nested inside a non-invoked helper, a '.then()' callback, or another closure do NOT count, so a privileged action that gates only inside a helper it never calls still fires correctly. CONFIRM when the action does real privileged work on caller input with no gate: triggering background jobs (tasks.trigger/batchTrigger), reading/writing files or DB, mutating shared server state, or initializing subsystems. KEY FALSE POSITIVE — the action IS the authentication/credential-establishing endpoint, so no prior session can exist: login, signIn, signup/register, OAuth callback, magic-link or OTP verify (verifyAuthCode), password reset/forgot, email verification. Tell: its name and body call credential primitives like 'supabase.auth.signInWithPassword()', 'auth.signUpViaEmail()', 'auth.verifyAuthCode()', 'signUp()' (these are NOT in the helper list, so the rule misfires), and it lives under an auth/login/(auth) route. Also suppress genuinely public actions (contact form, newsletter, public search) and actions where auth is provably enforced by middleware on that route segment.

Fix prompt

Use this once validation confirms the diagnostic is real.

Principle: a server action is an unauthenticated public POST endpoint — verify the CALLER's session and authorization before touching data, never trust caller-supplied ids. (A) Gate first: make the FIRST statement establish identity and bail on failure — 'const session = await auth(); if (!session?.user) redirect("/login");' (NextAuth: 'getServerSession(authOptions)'; Clerk: 'const { userId } = await auth(); if (!userId) throw new Error("Unauthorized")'; Supabase: 'const { data: { user } } = await supabase.auth.getUser(); if (!user) redirect("/login")'). (B) Authorize, not just authenticate: after identity, check the caller may act on THIS resource — derive the owning user/org from the session and compare to the target row; never accept a userId/orgId straight from params as proof of access. (C) Centralize once: if many actions share the gate, extract 'const { user } = await requireUser()' that throws, and call it as the action's first line (the rule recognizes requireAuth/checkAuth). Anti-pattern: do NOT bolt an auth() call on as a no-op just to silence the rule, and do NOT add a gate to credential-establishing actions (login/signup/OAuth-callback/OTP-verify/password-reset) — those legitimately run for anonymous callers; instead rely on rate-limiting, CAPTCHA/Turnstile, and input validation there. See https://nextjs.org/docs/app/building-your-application/authentication

Previous pagereact-doctor/server-after-nonblockingNext pagereact-doctor/server-cache-with-object-literal