🔐 Enforce authentication on sensitive backend controller endpoints

[code-with-kishan]

🔐 Security Issue: Missing Authentication Enforcement on Sensitive Backend Endpoints.

📌 Description :

Several backend controller endpoints handle sensitive operations such as recording uploads, rendering jobs, streaming control, and email invitations without explicitly enforcing authentication checks.
While some routes may rely on upstream middleware, the controllers themselves assume the presence of req.user without validating it. This creates a fragile setup where misconfiguration or reuse of routes could allow unauthenticated access to protected functionality.

---

📂 Affected Areas :

The following backend controllers expose endpoints that should explicitly require authentication:

• backend/recording/recording.controller.js
• backend/controllers/renderController.js
• backend/controllers/emailController.js
• backend/controllers/youtubeController.js

---

🔎 Example (Current Behavior) :

• Some backend controllers assume authentication without explicitly enforcing it.

• Example: backend/controllers/renderController.js

export const startRender = async (req, res) => {
const { sessionId, layout, inputs, duration } = req.body;

// No explicit authentication check
const result = await renderComposition({
sessionId,
layout,
inputs,
duration
});

res.json({
success: true,
downloadUrl: result.url
});
};

❌ If authentication middleware is misconfigured or bypassed, this endpoint can be called without a valid user session, triggering expensive render jobs.

❗ Problem

1. No explicit verification of req.user
2. Sensitive endpoints can be accessed if authentication middleware is bypassed or misapplied
3. Increases the risk of unauthorized usage of system resources

---

✅ Expected Behavior

• All protected endpoints should explicitly enforce authentication
• Requests without valid authentication should return:
• 401 Unauthorized or
• 403 Forbidden
• Authentication enforcement should be consistent across controllers

---

🛠️ Proposed Solution

👍 Add explicit authentication checks (req.user) inside controllers or Apply a shared authentication middleware to all sensitive routes

💯 This improves:

1. • Security (defense in depth)
2. • Code reliability
3. • Maintainability

---

🚨 Security Impact

• Severity: High❌❌🚫
• Category: Backend Security / Access Control
• OWASP Reference: A01 – Broken Access Control

---

[code-with-kishan]

Hi @anothercoder-nik 👋 sir,

I’ve raised this issue after reviewing the backend controllers and would love to work on fixing it.

📌 This issue is raised as part of **ECWoc26 **.

If this approach looks good, please assign this issue to me and I’ll submit a PR shortly.
Thanks!

[anothercoder-nik]

Ok looking into your PR.

[code-with-kishan]

Hi @anothercoder-nik 👋 sir,
I’ve implemented authentication enforcement for the sensitive backend in the #63 PR

please review it,

If any changes, improvements, or adjustments are required, please let me know — I’d be happy to update the PR accordingly.
Looking forward to your feedback. Thank you!