Authenticate Next.js Server Actions before mutations | Critiq Docs

#Metadata

Rule ID: ts.next.server-action-missing-local-auth
Severity: high
Confidence: 0.77
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: experimental
Applies to: function
Tags: next, rules-catalog, security

#Why it matters

Server Actions behave like public POST endpoints and inherit the same authentication obligations as route handlers.

#Remediation

Call your auth/session helper before mutations and enforce ownership inside database predicates.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.next.server-action-missing-local-auth.rule.yaml.

Back to directory Open rule in repository