TL;DR

AI tools generate authenticated routes but routinely skip ownership validation -- any logged-in user can access any resource by ID

This is CWE-639 (IDOR / Broken Access Control) and it's the most common bug class I find in Cursor-generated APIs

One check after every findById call fixes the entire pattern

I reviewed a friend's side project last month. Solid app -- JWT auth, protected routes, refresh token rotation. Then I ran a quick test: logged in as User A, grabbed a document ID from the URL, opened a private tab as User B, and requested the same endpoint.