Auth middleware commented out
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A line that invokes an authentication middleware (requireAuth, isAuthenticated, passport.authenticate, verifyToken, etc.) is commented out, which usually means auth was disabled and never restored. Heuristic.
Why it matters
A commented-out authentication middleware call usually means someone disabled auth to work on something and never turned it back on. If it ships, the routes it used to protect are open to anyone. This is a heuristic based on the comment shape, so confirm whether the guard is meant to be active before acting.
How to fix it
Restore the authentication middleware if the route should be protected, or delete the dead comment if the guard genuinely moved elsewhere. Add a test that hits a protected route without credentials and expects a 401 so a future accidental removal fails CI. Avoid leaving auth toggled off behind a comment.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo