
auth-route-protection-checker

verified

This skill should be used when the user requests to audit, check, or generate authentication and authorization protection for Next.js routes, server components, API routes, and server actions. It analyzes existing routes for missing auth checks and generates protection logic based on user roles and permissions. Trigger terms include auth check, route protection, protect routes, secure endpoints, auth middleware, role-based routes, authorization check, api security, server action security, protect pages.

Marketplace: worldbuilding-app-skills (hopeoverture/worldbuilding-app-skills)

Plugin: auth-route-protection-checker, development

Repository: hopeoverture/worldbuilding-app-skills (1 star)

plugins/auth-route-protection-checker/skills/auth-route-protection-checker/SKILL.md

Last Verified: January 21, 2026

Install Skill

npx add-skill https://github.com/hopeoverture/worldbuilding-app-skills/blob/main/plugins/auth-route-protection-checker/skills/auth-route-protection-checker/SKILL.md -a claude-code --skill auth-route-protection-checker

Installation paths:

Claude: .claude/skills/auth-route-protection-checker/

Instructions

# Auth Route Protection Checker

To audit and enhance authentication protection across Next.js routes, server components, and API routes, follow these steps systematically.

## Step 1: Discover Project Structure

Identify all files that need authentication checks:

1. Use Glob to find all route files:
   - `app/**/page.tsx` - Page components
   - `app/**/route.ts` - API routes
   - `app/**/layout.tsx` - Layout components
   - `lib/actions/**/*.ts` - Server actions

2. Read middleware configuration:
   - `middleware.ts` - Current middleware setup
   - `next.config.js` - Route configuration

3. Identify authentication setup:
   - Search for auth client files (Supabase, NextAuth, Clerk, etc.)
   - Find auth utility functions

## Step 2: Analyze Current Protection

For each discovered file, check for existing auth protection:

### Check for Authentication Patterns

Use Grep to search for:
```
- "auth.getUser()"
- "getSession()"
- "currentUser()"
- "requireAuth"
- "redirect.*login"
- "unauthorized"
- "createServerClient"
```

### Identify Protection Gaps

Flag files that:
- Have no auth checks
- Are in protected routes but lack verification
- Accept user input without auth validation
- Perform privileged operations without role checks

Consult `references/protection-patterns.md` for common patterns.
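
The Step 1 discovery and Step 2 pattern check, as an added TypeScript example that is not part of the skill or its repository. The function names (`auditFiles`, `stripComments`, `gapPaths`) and the sample files are constructed for illustration, and stripping comments before matching is an addition here so that a commented-out check is not counted as protection.

```typescript
// Added example. Paths and file contents are constructed; only the globs and
// grep patterns come from Steps 1 and 2.
type AuditFinding = { path: string; kind: string; matched: string[]; gap: boolean };

const ROUTE_KINDS: { kind: string; re: RegExp }[] = [
  { kind: "page", re: /^app\/(.+\/)?page\.tsx$/ },                    // app/**/page.tsx
  { kind: "api-route", re: /^app\/(.+\/)?route\.ts$/ },               // app/**/route.ts
  { kind: "layout", re: /^app\/(.+\/)?layout\.tsx$/ },                // app/**/layout.tsx
  { kind: "server-action", re: /^lib\/actions\/(.+\/)?[^\/]+\.ts$/ }, // lib/actions/**/*.ts
];

const AUTH_PATTERNS: RegExp[] = [
  /auth\.getUser\(\)/, /getSession\(\)/, /currentUser\(\)/, /requireAuth/,
  /redirect.*login/, /unauthorized/, /createServerClient/,
];

// Naive comment removal (assumption of this example): it can also eat "//"
// inside a string, which only errs toward flagging a file for review.
function stripComments(source: string): string {
  return source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/(^|[^:])\/\/.*$/gm, "$1");
}

function auditFiles(files: { path: string; source: string }[]): AuditFinding[] {
  const findings: AuditFinding[] = [];
  for (const file of files) {
    const hit = ROUTE_KINDS.filter((k) => k.re.test(file.path))[0];
    if (!hit) continue; // not one of the Step 1 file kinds
    const code = stripComments(file.source);
    const matched = AUTH_PATTERNS.filter((re) => re.test(code)).map((re) => re.source);
    findings.push({ path: file.path, kind: hit.kind, matched: matched, gap: matched.length === 0 });
  }
  return findings;
}

// Constructed sample project.
const SAMPLE_FILES = [
  { path: "app/page.tsx", source: "export default function Home() { return null; }" },
  { path: "app/dashboard/page.tsx", source:
    "const { data } = await supabase.auth.getUser();\nif (!data.user) redirect('/login');" },
  { path: "app/api/worlds/route.ts", source:
    "export async function DELETE(req) {\n  // TODO: requireAuth(req)\n  return deleteWorld(req);\n}" },
  { path: "lib/actions/worlds/delete.ts", source:
    "const user = await currentUser();\nif (!user) throw new Error('unauthorized');" },
  { path: "components/Nav.tsx", source: "export function Nav() { return null; }" },
];

function gapPaths(): string[] {
  return auditFiles(SAMPLE_FILES).filter((f) => f.gap).map((f) => f.path);
}
```

A flagged file is a candidate for review rather than a confirmed gap: `app/page.tsx` is flagged here, and Step 3 is where it gets classified as a public route. A pattern match is likewise only evidence that a check exists, not that it runs before the privileged operation.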

## Step 3: Categorize Routes by Protection Level

Classify routes into security categories:

**Public Routes** - No auth required:
- Landing pages
- Marketing content
- Public blog posts
- Login/signup pages

**Authenticated Routes** - Login required:
- User dashboard
- Profile pages
- User-specific data

**Role-Protected Routes** - Specific roles required:
- Admin panels
- Moderator tools
- Premium features

**Action-Protected Routes** - Specific permissions required:
- Edit operations
- Delete operations
- Admin actions

## Step 4: Generate Protection Report

Create a comprehensive audit report:

```markdown
# Route Protection Audit Report

Generated: [timestamp]

## Summa
```

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length: 11288 chars