Critical Healthcare App Flaw: Spoofable X-User-ID Header Allows Trivial User Impersonation, Violates HIPAA
A fundamental authentication flaw in a healthcare application's backend exposes protected health information (PHI) to trivial impersonation attacks. The system currently authenticates users by blindly trusting a client-sent `X-User-ID` header. This means any user who knows or can guess a valid UUID—including an administrator's ID—can instantly impersonate any other user within the system, bypassing all access controls. For an application handling sensitive PHI, this constitutes a critical security vulnerability with direct HIPAA compliance implications.
The vulnerability is rooted in the complete absence of proper session management. As flagged by internal security and engineering reviewers, there are no signed tokens, no token expiry, and no mechanism for revocation. This architecture makes the system trivially exploitable. From an operational perspective, DevOps and SRE teams have no way to revoke compromised sessions or to reliably detect abuse in system logs, since a spoofed request is indistinguishable from a legitimate one, while QA cannot meaningfully test access controls against a spoofable authentication method.
The required fix is a complete overhaul of the auth system. Acceptance criteria specify that login must return a signed JWT or session cookie with an expiration, and all API endpoints must validate the token signature instead of trusting a raw, user-provided ID. Token expiration must be enforced server-side, with invalid or expired tokens returning a 401 status. This transition is not merely a technical debt item but an urgent compliance and security imperative to close a gap that risks catastrophic data breaches and regulatory penalties.
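The following is an added illustration, not code from the application described above, contrasting the header-trusting pattern with a handler that meets the acceptance criteria (signature check, server-side expiry, 401 on failure). It assumes Python and uses a compact HMAC-signed token as a stand-in for the JWT or session cookie the ticket calls for; the secret and user IDs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"server-side-secret-placeholder"  # constructed; never ships to the client


def resolve_user_insecure(headers):
    """Vulnerable pattern: whoever sets X-User-ID becomes that user."""
    return headers.get("X-User-ID")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: str) -> str:
    return _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, ttl: int = 900, now=None) -> str:
    """Issued at login only: claims bound to the server secret, with an expiry."""
    now = int(time.time() if now is None else now)
    payload = _b64(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    return f"{payload}.{_sign(payload)}"


def resolve_user_secure(headers, now=None):
    """Returns (status, user_id); 401 for missing, tampered or expired tokens."""
    now = int(time.time() if now is None else now)
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None
    try:
        payload, sig = auth[len("Bearer "):].split(".")
        # Verify signature before parsing claims; constant-time compare.
        if not hmac.compare_digest(sig, _sign(payload)):
            return 401, None
        claims = json.loads(_unb64(payload))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return 401, None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return 401, None  # expiry enforced server-side, not by the client
    return 200, claims.get("sub")
```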