Auth Flow Visualization
See your entire auth landscape at a glance.
Authentication and authorization are your first line of defense. But do you really know which routes are protected? Which middleware is applied where? Where permission checks are missing?
codelake maps your complete authentication and authorization landscape. Every route, every middleware, every permission check — visualized in a way that makes gaps impossible to miss. No more relying on manual code reviews to find missing auth.
▸ Auth Flow Analysis
Routes analyzed: 147
Protected: 128 (87%)
Unprotected: 19 (13%)
── Unprotected Routes ──
GET /admin/users ✗ no auth
POST /admin/users/delete ✗ no auth
GET /api/internal/stats ✗ no auth
GET /api/search ⚠ auth optional
── Permission Gaps ──
/api/users/:id ⚠ no ownership check
/api/orders/:id ⚠ no ownership check
✓ Auth analysis complete · 5 critical gaps found
What We Visualize
Complete authentication and authorization mapping.
codelake understands framework-specific auth patterns. It doesn't just look for middleware keywords — it traces the actual authentication and authorization logic to determine real protection status.
Auth Middleware Mapping
Every route group and individual route is analyzed for authentication middleware. codelake understands framework-specific patterns: Laravel's auth middleware, Express passport, Django's login_required, Spring Security filters.
Route Protection Status
Every route in your application gets a protection score: fully protected, partially protected (auth but no authorization), or unprotected. Routes are classified by the data they expose and actions they permit.
Permission Check Gaps
Authentication is not authorization. codelake identifies routes where users are authenticated but can access resources they don't own — missing ownership checks, absent role verification, and BOLA vulnerabilities.
Auth Bypass Detection
Automatic detection of paths that bypass authentication.
Auth bypasses are among the most critical vulnerabilities. They happen when routes that should be protected are accidentally left open — often because of route ordering, middleware misconfiguration, or forgotten development endpoints.
Route Ordering Issues
A catch-all route defined before auth middleware can serve protected content without authentication.
Middleware Gaps
A new route is added to a controller but placed outside the middleware group that protects the rest of it. This happens frequently with AI-generated code.
Debug & Development Endpoints
Routes intended for development that were never removed: /debug, /test, /admin-setup, /phpinfo. These are often unprotected and expose sensitive information.
API Versioning Inconsistencies
Auth is applied to /api/v2/users but missing from /api/v1/users, which still works and returns the same data.
Auth Bypass Detected
CRITICAL Admin panel accessible without authentication
Route: GET /admin/users
Expected: auth + admin role middleware
Actual: No middleware applied
Data exposed: User table (email, phone, role)
Records at risk: 12,400 users
HIGH Resource endpoint missing ownership check
Route: GET /api/users/:id
Auth: JWT required (present)
Authorization: No ownership verification
Impact: Any authenticated user can view any user's profile (BOLA)
Route Protection Matrix
Every route. Every protection layer. One view.
The Route Protection Matrix gives you a complete inventory of every route in your application with its exact protection status. Filter by unprotected, partially protected, or fully protected.
| Route | Method | Auth | Authorization | Rate Limit | Data Sensitivity | Status |
|---|---|---|---|---|---|---|
| /api/users | GET | ✓ JWT | ✓ Admin role | ✓ 100/min | PII | PROTECTED |
| /api/users/:id | GET | ✓ JWT | ✗ No ownership | ✓ 100/min | PII | PARTIAL |
| /admin/users | GET | ✗ None | ✗ None | ✗ None | PII | UNPROTECTED |
| /api/search | GET | ⚠ Optional | N/A | ✗ None | Medium | PARTIAL |
| /api/payments | POST | ✓ JWT | ✓ Owner | ✓ 10/min | Financial | PROTECTED |
| /admin/users/delete | POST | ✗ None | ✗ None | ✗ None | Destructive | UNPROTECTED |
Showing 6 of 147 routes · Filter by status, sensitivity, or method in the codelake dashboard
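To make the classification and bypass patterns above concrete, here is an added example (not codelake's code) of a toy static analyzer over a constructed route table. Routes are listed in registration order, as a framework would see them, and each carries the middleware labels applied to it. The labels "auth", "owner", "role:<name>" and "rateLimit", the route paths and the three-way status names are assumptions for the example; it detects the route-ordering, development-endpoint and versioning cases described in the Auth Bypass Detection section and emits the matrix rows and summary counts shown on this page.

```javascript
// Added example, not codelake's code. Constructed route table in
// registration order; middleware labels are assumed names.
const ROUTES = [
  { method: "GET",  path: "/admin/*",       middleware: [] }, // static handler registered first
  { method: "GET",  path: "/admin/users",   middleware: ["auth", "role:admin"] },
  { method: "GET",  path: "/api/users",     middleware: ["auth", "role:admin", "rateLimit"] },
  { method: "GET",  path: "/api/users/:id", middleware: ["auth", "rateLimit"] },
  { method: "POST", path: "/api/payments",  middleware: ["auth", "owner", "rateLimit"] },
  { method: "GET",  path: "/api/v2/users",  middleware: ["auth"] },
  { method: "GET",  path: "/api/v1/users",  middleware: [] },
  { method: "GET",  path: "/debug",         middleware: [] },
];

// Development endpoints named on the page; a finding when left unprotected.
const DEV_PATHS = new Set(["/debug", "/test", "/admin-setup", "/phpinfo"]);

const hasAuth = (r) => r.middleware.includes("auth");
const hasAuthz = (r) => r.middleware.some((m) => m === "owner" || m.startsWith("role:"));

// Three-way status: auth + authorization, auth only, or nothing at all.
function classify(route) {
  if (!hasAuth(route)) return "UNPROTECTED";
  return hasAuthz(route) ? "PROTECTED" : "PARTIAL";
}

const isCatchAll = (p) => p === "*" || p.endsWith("/*");
const versioned = (p) => p.match(/^\/api\/v(\d+)(\/.*)$/);

// Walk the table once and collect the bypass patterns.
function analyze(routes) {
  const findings = [];
  routes.forEach((r, i) => {
    if (!hasAuth(r) && DEV_PATHS.has(r.path)) {
      findings.push({ kind: "dev-endpoint", route: r.path });
    }
    // Route ordering: an unauthenticated catch-all registered earlier matches
    // first, so later protected routes under it never reach their middleware.
    if (isCatchAll(r.path) && !hasAuth(r)) {
      const prefix = r.path.slice(0, -1); // "/admin/*" -> "/admin/"
      routes.slice(i + 1)
        .filter((x) => x.method === r.method && x.path.startsWith(prefix) && hasAuth(x))
        .forEach((x) => findings.push({ kind: "route-ordering", route: x.path, shadowedBy: r.path }));
    }
    // Versioning: same method and resource under another /api/vN prefix, but no auth.
    const v = versioned(r.path);
    if (v && hasAuth(r)) {
      routes.forEach((o) => {
        const ov = versioned(o.path);
        if (o !== r && o.method === r.method && ov && ov[2] === v[2] && !hasAuth(o)) {
          findings.push({ kind: "versioning", route: o.path, protectedSibling: r.path });
        }
      });
    }
  });
  const matrix = routes.map((r) => ({ method: r.method, path: r.path, status: classify(r) }));
  return { matrix, findings };
}

// Counts in the shape of the summary panel at the top of the page.
function summary(routes) {
  const { matrix } = analyze(routes);
  const unprotected = matrix.filter((m) => m.status === "UNPROTECTED").length;
  return { analyzed: matrix.length, protectedCount: matrix.length - unprotected, unprotected };
}

console.log(JSON.stringify(analyze(ROUTES), null, 2));
```

The ordering check only reasons about registration order and path prefixes, which is what a real framework does at dispatch time; a production analyzer would also have to model per-framework specifics such as Laravel route groups or Spring Security filter chains, which is the work the page describes codelake doing.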
Permission Boundary Analysis
Where permission checks exist and where they're missing.
Authorization is harder than authentication. codelake analyzes your permission model to find where users can access resources they shouldn't — the root cause behind BOLA (Broken Object Level Authorization), the #1 entry in the OWASP API Security Top 10.
Ownership Checks
codelake verifies that resource endpoints check whether the requesting user owns the resource. A GET /api/orders/:id endpoint without ownership verification means any user can view any order.
✓ /api/orders/:id — checks user_id match
✗ /api/invoices/:id — no ownership check
✗ /api/documents/:id — no ownership check
Role-Based Access Control
Administrative endpoints should require role verification. codelake detects routes that perform admin-level operations (user deletion, role assignment, configuration changes) without checking the user's role.
✓ /admin/settings — requires admin role
✗ /api/users/:id/role — no role check
⚠ /api/reports — role check in controller, not middleware
Team & Tenant Isolation
Multi-tenant applications must scope all queries to the authenticated team or organization. codelake identifies database queries that don't filter by the tenant scope — a common source of cross-tenant data leaks.
✓ ProjectController — all queries scoped to team
✗ ReportController — missing team scope on index
✗ FileController — direct ID lookup, no team check
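The ownership-check and tenant-isolation findings above both come down to the same handler shape. This added example (not codelake's code) shows the unchecked and the scoped variant of each as plain functions over constructed in-memory records, so it runs with no framework. The request shape `{ user: { id, teamId }, params: { id } }`, the record fields and the ids are assumptions; the user object stands in for what an upstream auth middleware would attach.

```javascript
// Added example, not codelake's code. Constructed records: orders belong to
// one user, files belong to one team.
const ORDERS = [
  { id: 1, userId: 10, total: 42 },
  { id: 2, userId: 11, total: 99 },
];
const FILES = [
  { id: 100, teamId: 1, name: "roadmap.pdf" },
  { id: 101, teamId: 2, name: "payroll.xlsx" },
];

// Assumed request shape: { user: { id, teamId }, params: { id } }.

// Unchecked: the caller is authenticated, but any user can read any order (BOLA).
function getOrderUnchecked(req) {
  const order = ORDERS.find((o) => o.id === Number(req.params.id));
  return order ? { status: 200, body: order } : { status: 404 };
}

// Scoped lookup: the record must match both the id and the caller's scope.
// A record outside the scope is indistinguishable from a missing one, so the
// endpoint does not reveal which ids exist.
function findScoped(store, id, scopeField, scopeValue) {
  return store.find((row) => row.id === Number(id) && row[scopeField] === scopeValue) || null;
}

// Hardened ownership check for GET /api/orders/:id.
function getOrderOwned(req) {
  const order = findScoped(ORDERS, req.params.id, "userId", req.user.id);
  return order ? { status: 200, body: order } : { status: 404 };
}

// Unscoped: direct ID lookup with no team check (the FileController finding).
function getFileUnscoped(req) {
  const file = FILES.find((f) => f.id === Number(req.params.id));
  return file ? { status: 200, body: file } : { status: 404 };
}

// Hardened tenant isolation: every lookup carries the caller's team scope.
function getFileScoped(req) {
  const file = findScoped(FILES, req.params.id, "teamId", req.user.teamId);
  return file ? { status: 200, body: file } : { status: 404 };
}

// Constructed caller: user 10 on team 1 asking for records that belong to others.
const crossUser = { user: { id: 10, teamId: 1 }, params: { id: "2" } };
const crossTeam = { user: { id: 10, teamId: 1 }, params: { id: "101" } };
console.log("order 2  unchecked:", getOrderUnchecked(crossUser).status, " owned:", getOrderOwned(crossUser).status);
console.log("file 101 unscoped:", getFileUnscoped(crossTeam).status, " scoped:", getFileScoped(crossTeam).status);
```

Putting the scope into the query itself, rather than fetching by id and comparing afterwards, is also what makes the check easy to verify statically: an analyzer can look for lookups that lack the scope column instead of having to follow a comparison through the controller.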
Privilege Escalation Paths
codelake maps all paths where a user could elevate their privileges: endpoints that modify roles, invite new users, or change organization settings. Each path is checked for proper authorization gates.
✗ POST /api/invites — any user can invite admins
✗ PUT /api/users/:id — can modify own role field
✓ POST /api/billing — requires billing_admin role
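Two of the escalation paths above, a user editing their own role field through PUT /api/users/:id and a user inviting someone with more privilege than they hold, are shown in this added example (not codelake's code) as plain functions over constructed records. The role names and ranks, the request shape `{ user, params, body }` and the allowlist of self-editable fields are assumptions for the example.

```javascript
// Added example, not codelake's code. Assumed role ladder; higher rank means
// more privilege.
const ROLE_RANK = { member: 1, billing_admin: 2, admin: 3 };

// Rank lookup that ignores prototype properties such as "constructor".
function rankOf(role) {
  return Object.prototype.hasOwnProperty.call(ROLE_RANK, role) ? ROLE_RANK[role] : undefined;
}

// Fresh constructed records for each run, since the unchecked handler mutates them.
function seedUsers() {
  return [
    { id: 10, email: "a@example.com", role: "member" },
    { id: 11, email: "b@example.com", role: "admin" },
  ];
}

// Unchecked: the ownership test is right, but the whole body is merged into
// the record, so a member who sends { role: "admin" } promotes themselves.
function updateUserUnchecked(users, req) {
  const target = users.find((u) => u.id === Number(req.params.id));
  if (!target) return { status: 404 };
  if (target.id !== req.user.id) return { status: 403 };
  Object.assign(target, req.body); // mass assignment: role lands in the record
  return { status: 200, body: target };
}

// Fields a user may change on their own record; role is deliberately absent.
const SELF_EDITABLE = new Set(["email", "displayName"]);

// Hardened: allowlist the body, and gate role changes on the caller's role.
function updateUserHardened(users, req) {
  const target = users.find((u) => u.id === Number(req.params.id));
  if (!target) return { status: 404 };
  const isSelf = target.id === req.user.id;
  const isAdmin = req.user.role === "admin";
  if (!isSelf && !isAdmin) return { status: 403 };
  const rejected = Object.keys(req.body).filter(
    (k) => !(SELF_EDITABLE.has(k) || (k === "role" && isAdmin))
  );
  if (rejected.length) return { status: 400, body: { rejected } };
  if ("role" in req.body && rankOf(req.body.role) === undefined) {
    return { status: 400, body: { rejected: ["role"] } };
  }
  Object.assign(target, req.body);
  return { status: 200, body: target };
}

// Unchecked invite: any authenticated user may invite at any role.
function createInviteUnchecked(req) {
  return { status: 201, body: { email: req.body.email, role: req.body.role } };
}

// Hardened invite: the invited role can never exceed the inviter's own rank.
function createInviteHardened(req) {
  const wanted = rankOf(req.body.role);
  if (wanted === undefined) return { status: 400 };
  if (wanted > rankOf(req.user.role)) return { status: 403 };
  return { status: 201, body: { email: req.body.email, role: req.body.role } };
}

// Constructed request: member 10 tries to set their own role.
const selfPromote = { user: { id: 10, role: "member" }, params: { id: "10" }, body: { role: "admin" } };
console.log("unchecked:", updateUserUnchecked(seedUsers(), selfPromote).status,
            "hardened:", updateUserHardened(seedUsers(), selfPromote).status);
```

The detection point codelake describes is that the unchecked handler passes a naive review: the ownership comparison is present and correct. The gap is in which fields the write is allowed to touch, which is why the page lists "can modify own role field" as a separate finding from the ownership checks.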
Stop guessing which routes are protected.
Start a free scan and let codelake map your authentication landscape. See every unprotected route, every missing permission check, and every auth bypass path in one clear view.