This skill should be used when the user requests to audit, check, or generate authentication and authorization protection for Next.js routes, server components, API routes, and server actions. It analyzes existing routes for missing auth checks and generates protection logic based on user roles and permissions. Trigger terms include auth check, route protection, protect routes, secure endpoints, auth middleware, role-based routes, authorization check, api security, server action security, protect pages.
Repository: hopeoverture/worldbuilding-app-skills
auth-route-protection-checker
plugins/auth-route-protection-checker/skills/auth-route-protection-checker/SKILL.md
January 21, 2026
Install with:

```
npx add-skill https://github.com/hopeoverture/worldbuilding-app-skills/blob/main/plugins/auth-route-protection-checker/skills/auth-route-protection-checker/SKILL.md -a claude-code --skill auth-route-protection-checker
```

Installation path: `.claude/skills/auth-route-protection-checker/`

# Auth Route Protection Checker

To audit and enhance authentication protection across Next.js routes, server components, and API routes, follow these steps systematically.

## Step 1: Discover Project Structure

Identify all files that need authentication checks:

1. Use Glob to find all route files:
   - `app/**/page.tsx` - Page components
   - `app/**/route.ts` - API routes
   - `app/**/layout.tsx` - Layout components
   - `lib/actions/**/*.ts` - Server actions
2. Read middleware configuration:
   - `middleware.ts` - Current middleware setup
   - `next.config.js` - Route configuration
3. Identify authentication setup:
   - Search for auth client files (Supabase, NextAuth, Clerk, etc.)
   - Find auth utility functions

## Step 2: Analyze Current Protection

For each discovered file, check for existing auth protection:

### Check for Authentication Patterns

Use Grep to search for:

```
- "auth.getUser()"
- "getSession()"
- "currentUser()"
- "requireAuth"
- "redirect.*login"
- "unauthorized"
- "createServerClient"
```

### Identify Protection Gaps

Flag files that:
- Have no auth checks
- Are in protected routes but lack verification
- Accept user input without auth validation
- Perform privileged operations without role checks

Consult `references/protection-patterns.md` for common patterns.

## Step 3: Categorize Routes by Protection Level

Classify routes into security categories:

**Public Routes** - No auth required:
- Landing pages
- Marketing content
- Public blog posts
- Login/signup pages

**Authenticated Routes** - Login required:
- User dashboard
- Profile pages
- User-specific data

**Role-Protected Routes** - Specific roles required:
- Admin panels
- Moderator tools
- Premium features

**Action-Protected Routes** - Specific permissions required:
- Edit operations
- Delete operations
- Admin actions

## Step 4: Generate Protection Report

Create a comprehensive audit report:

```markdown
# Route Protection Audit Report

Generated: [timestamp]

## Summa
```
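As an added illustration of the Step 2 gap check (example code, not part of the skill or the hopeoverture repository), the TypeScript below applies the grep patterns from Step 2 to constructed in-memory file contents instead of a real project tree. The public-route prefixes and the two input/role heuristics are assumptions standing in for whatever `references/protection-patterns.md` prescribes.

```typescript
// The grep patterns listed in Step 2, as regular expressions.
const AUTH_PATTERNS: RegExp[] = [
  /auth\.getUser\(\)/, /getSession\(\)/, /currentUser\(\)/, /requireAuth/,
  /redirect.*login/, /unauthorized/, /createServerClient/,
];
// Routes the audit treats as intentionally public (assumed project convention).
const PUBLIC_PREFIXES = ["app/page.tsx", "app/login/", "app/signup/", "app/blog/"];

// Map a path to one of the route kinds globbed for in Step 1, or null if it is not a route file.
function routeKind(path: string): "page" | "api" | "layout" | "action" | null {
  if (path.startsWith("app/") && path.endsWith("/page.tsx")) return "page";
  if (path.startsWith("app/") && path.endsWith("/route.ts")) return "api";
  if (path.startsWith("app/") && path.endsWith("/layout.tsx")) return "layout";
  if (path.startsWith("lib/actions/") && path.endsWith(".ts")) return "action";
  return null;
}
interface Finding { path: string; kind: string; reasons: string[] }

// One finding per route file that trips any of the Step 2 "protection gap" rules.
function findProtectionGaps(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [path, source] of Object.entries(files)) {
    const kind = routeKind(path);
    if (kind === null) continue;
    const reasons: string[] = [];
    const hasAuth = AUTH_PATTERNS.some((re) => re.test(source));
    const isPublic = PUBLIC_PREFIXES.some((p) => path === p || path.startsWith(p));
    if (!hasAuth && !isPublic) reasons.push("no auth check found");
    // API routes and server actions reading request/form input with no auth check (heuristic).
    if (!hasAuth && (kind === "api" || kind === "action") && /request\.json\(|formData/.test(source)) {
      reasons.push("accepts user input without auth validation");
    }
    // Delete/update calls with no role check anywhere in the file (heuristic).
    if (/\.(delete|update)\(/.test(source) && !/role/i.test(source)) {
      reasons.push("privileged operation without role check");
    }
    if (reasons.length > 0) findings.push({ path, kind, reasons });
  }
  return findings;
}

// Constructed sample files: a public landing page, a guarded dashboard, an unguarded API route
// and a server action that deletes without a role check.
const SAMPLE_FILES: Record<string, string> = {
  "app/page.tsx": "export default function Home() { return <h1>Welcome</h1>; }",
  "app/dashboard/page.tsx": "const { data } = await supabase.auth.getUser(); if (!data.user) redirect('/login');",
  "app/api/notes/route.ts": "export async function POST(request: Request) { const body = await request.json(); await db.notes.insert(body); }",
  "lib/actions/delete-world.ts": "'use server'; const { data } = await supabase.auth.getUser(); if (!data.user) throw new Error('unauthorized'); await db.worlds.delete(id);",
};
console.log(JSON.stringify(findProtectionGaps(SAMPLE_FILES), null, 2));
```

Running it over the sample set flags only the API route (no auth, reads request input) and the delete action (no role check); the landing page is skipped as public and the dashboard passes.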