Treating anonymous and authenticated submissions identically removes a key signal the moderation queue needs to prioritize risk. Anonymous submissions cannot be traced, appealed, or associated with a reputation history — they are statistically higher-risk. OWASP A07 (Identification & Authentication Failures) applies when the system cannot distinguish the source of an action. Without auth differentiation, a bot network using throwaway emails receives the same moderation weight as a verified long-standing user.
Rated high because anonymous submissions that are indistinguishable from authenticated ones give spam and abuse the same moderation path as legitimate submissions, increasing moderator burden and polluting the queue.
Either require authentication at the route level, or record authentication status and route anonymous submissions to a higher-scrutiny queue:
// app/api/listings/submit/route.ts
const user = await getSessionUser(req) // null if unauthenticated
const listing = await db.listings.create({
  data: {
    ...parsed,
    submitted_by: user?.id ?? 'anonymous',
    is_authenticated: !!user,
    // Anonymous submissions start flagged for extra review
    flagged_for_review: !user
  }
})
In the moderation dashboard, surface items with flagged_for_review = true using a distinct visual indicator. Set stricter auto-reject thresholds (e.g., on spam score) for anonymous submissions than for authenticated ones.
ID: directory-submissions-moderation.moderation.authentication-incentive
Severity: high
What to look for: Check the submission form. Look for: (1) authentication required (users must log in to submit), (2) strong incentive (e.g., "Verified submitters' listings show a badge"), or (3) anonymous submissions allowed but flagged with extra scrutiny in moderation. Check for an is_authenticated or submitted_by field in the listing schema.
Pass criteria: Enumerate all relevant code paths. Either submissions require authentication, or anonymous submissions are allowed but marked for higher scrutiny in the moderation workflow (e.g., extra checks or human review), with at least one verified instance.
Fail criteria: Anonymous submissions are treated the same as authenticated submissions with no additional checks.
Skip (N/A) when: The project requires authentication for all features (not a gap if anonymous submissions aren't supported).
Detail on fail: "Anonymous users and authenticated users can submit. Both are treated equally in moderation, so spam gets the same treatment as legit submissions." or "Submissions require no auth and have no anti-spam measures — spam heaven."
Remediation: Require auth or flag anonymous submissions:
// Option 1: Require authentication
export async function POST(req: Request) {
  const user = req.auth // Get from session/middleware
  if (!user) {
    return Response.json(
      { error: 'You must be logged in to submit' },
      { status: 401 }
    )
  }
  // Proceed with submission
}

// Option 2: Allow anonymous but flag for review
// (inside the POST handler, after the request body has been parsed into `data`)
const isAuthenticated = !!req.auth
const flagForReview = !isAuthenticated
const listing = await db.listings.create({
  data: {
    ...data,
    submitted_by: req.auth?.id || 'anonymous',
    is_authenticated: isAuthenticated,
    flagged_for_review: flagForReview
  }
})
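The following is an added, stand-alone example (not code from the project this check is written against) that carries Option 2 and the dashboard guidance above through to a working routine: it records authentication status on the listing, applies a stricter auto-reject threshold to anonymous submissions, and orders the moderation queue so flagged items surface first. The names SessionUser, ParsedListing, spamScore and the threshold values are assumptions chosen for the demo; the spam heuristic is a constructed stand-in for whatever classifier a real deployment uses.

```typescript
// Added example: differentiate anonymous from authenticated listing submissions.
// SessionUser, ParsedListing, spamScore and the thresholds are assumptions.

type SessionUser = { id: string } | null;

interface ParsedListing {
  title: string;
  url: string;
  description: string;
}

type Queue = 'standard' | 'high-scrutiny' | 'rejected';

interface ListingRecord extends ParsedListing {
  submitted_by: string;
  is_authenticated: boolean;
  flagged_for_review: boolean;
  spam_score: number; // 0..100
  auto_rejected: boolean;
  queue: Queue;
}

// Assumed thresholds: anonymous submissions are auto-rejected at a lower score.
const AUTO_REJECT_THRESHOLD = { authenticated: 90, anonymous: 60 } as const;

// Constructed toy heuristic: 25 points per embedded link, 30 per spam keyword, capped at 100.
function spamScore(listing: ParsedListing): number {
  const text = `${listing.title} ${listing.description}`.toLowerCase();
  const links = (text.match(/https?:\/\//g) ?? []).length;
  const keywords = ['free money', 'casino', 'buy now'].filter((k) => text.includes(k)).length;
  return Math.min(100, 25 * links + 30 * keywords);
}

// Build the record to persist: same shape as the page's db.listings.create payload,
// plus the spam score and the queue the item is routed to.
function buildListingRecord(user: SessionUser, parsed: ParsedListing): ListingRecord {
  const isAuthenticated = user !== null;
  const score = spamScore(parsed);
  const threshold = isAuthenticated
    ? AUTO_REJECT_THRESHOLD.authenticated
    : AUTO_REJECT_THRESHOLD.anonymous;
  const autoRejected = score >= threshold;
  const flagged = !isAuthenticated; // anonymous submissions always get extra scrutiny
  return {
    ...parsed,
    submitted_by: user?.id ?? 'anonymous',
    is_authenticated: isAuthenticated,
    flagged_for_review: flagged,
    spam_score: score,
    auto_rejected: autoRejected,
    queue: autoRejected ? 'rejected' : flagged ? 'high-scrutiny' : 'standard',
  };
}

// Moderation queue ordering: flagged (anonymous) items first, then by spam score descending.
function prioritizeQueue(records: ListingRecord[]): ListingRecord[] {
  return [...records]
    .filter((r) => !r.auto_rejected)
    .sort(
      (a, b) =>
        Number(b.flagged_for_review) - Number(a.flagged_for_review) ||
        b.spam_score - a.spam_score,
    );
}

// Handler-style wrapper: 422 for auto-rejected input, 202 otherwise (queue in the body).
function handleSubmit(user: SessionUser, parsed: ParsedListing): { status: number; queue: Queue } {
  const record = buildListingRecord(user, parsed);
  return { status: record.auto_rejected ? 422 : 202, queue: record.queue };
}

// Constructed sample input.
const SAMPLE_USER: SessionUser = { id: 'user-42' };
const SAMPLE_LISTINGS: ParsedListing[] = [
  { title: 'Local bakery', url: 'https://example.com/bakery', description: 'Fresh bread daily.' },
  { title: 'Cheap casino deals', url: 'https://example.com/x', description: 'See https://a.test and https://b.test' },
];

console.log(handleSubmit(null, SAMPLE_LISTINGS[0]));        // anonymous, clean -> high-scrutiny
console.log(handleSubmit(SAMPLE_USER, SAMPLE_LISTINGS[0])); // authenticated, clean -> standard
console.log(handleSubmit(null, SAMPLE_LISTINGS[1]));        // anonymous, score 80 -> rejected
console.log(handleSubmit(SAMPLE_USER, SAMPLE_LISTINGS[1])); // authenticated, score 80 -> standard
```

The second sample listing is the edge case the threshold is for: the same content is auto-rejected when submitted anonymously but reaches the standard queue from an authenticated account, where the submitter can be traced and appealed against.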