Anonymous Intelligence Signal

Critical Authentication Bypass Fixed in Legacy Classify Endpoint: Supabase Session Vulnerability Exposed User Data

The Lab | unverified | 2026-05-10 02:31:58 | Source: GitHub Issues

A critical authentication bypass vulnerability was discovered and patched in a legacy API endpoint, exposing a dangerous misconfiguration in how Supabase sessions were handled server-side. The `POST /api/classify` endpoint established the caller's identity with `supabase.auth.getSession()` instead of `supabase.auth.getUser()`, a pattern Supabase's own documentation warns against in server code: it allowed a forged or replayed session cookie to pass authentication without the token ever being validated. The vulnerability has been fixed in commit `5969fd8`.

The root cause stems from a fundamental misunderstanding of Supabase's session handling. On the server, `getSession()` simply returns whatever session is stored in the request's cookies; it does not revalidate the access token with Supabase Auth, so a tampered payload (for example a rewritten `sub` claim) is accepted at face value. `getUser()` instead sends the token to the Supabase Auth server, which checks its signature and confirms it is neither expired nor revoked before returning a user. This means any attacker who could craft or replay a session cookie would gain access without proper credential verification. The endpoint compounded the risk in two ways: it constructed a raw `createServerClient` inline, duplicating the shared factory logic and so escaping whatever hardening that factory applied, and it used `session.user.id` from the unverified session to scope its database queries, so a forged user id selects exactly the rows of whichever user the attacker names. How much of that data actually reached the attacker depends on whether those queries ran through a client subject to row-level security (which would independently reject an unsigned token) or through a privileged client trusting the supplied id; the issue report does not say which, so the exposure is stated as potential.
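To make the difference concrete, the following added example (not code from the affected project or from supabase-js) models both code paths against a cookie an attacker has tampered with. `userIdFromUnverifiedSession` does what a server-side `getSession()` effectively does: decode the cookie's JWT and trust its `sub`. `userIdFromVerifiedToken` stands in for `getUser()`: the real call asks Supabase Auth to validate the token, whereas here, to keep the example offline, validation is a local HS256 signature and expiry check. The secret, user ids and token format are constructed for the demonstration and are not a real project's values.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed HS256 signing secret standing in for a project's Supabase JWT secret (hypothetical value).
export const JWT_SECRET = "demo-jwt-secret-not-a-real-project-key";

type Claims = { sub?: unknown; exp?: unknown; [k: string]: unknown };

function encode(obj: unknown): string {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

function decode(segment: string): Claims | null {
  try {
    const parsed: unknown = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return parsed !== null && typeof parsed === "object" ? (parsed as Claims) : null;
  } catch {
    return null;
  }
}

// Mint a token the way an auth server would: header.payload.HMAC-SHA256(secret).
export function mintToken(sub: string, secret: string, nowSec = Math.floor(Date.now() / 1000)): string {
  const head = encode({ alg: "HS256", typ: "JWT" });
  const body = encode({ sub, role: "authenticated", exp: nowSec + 3600 });
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Attacker step: take a token the attacker legitimately holds and rewrite its `sub`.
// The signature is left untouched, so it no longer matches the payload.
export function forgeToken(ownToken: string, victimSub: string): string {
  const [head, body, sig] = ownToken.split(".");
  const claims = decode(body) ?? {};
  return `${head}.${encode({ ...claims, sub: victimSub })}.${sig}`;
}

// What a server-side getSession() call effectively trusts: whatever the cookie says.
export function userIdFromUnverifiedSession(cookieToken: string): string | null {
  const parts = cookieToken.split(".");
  if (parts.length !== 3) return null;
  const claims = decode(parts[1]);
  return claims && typeof claims.sub === "string" ? claims.sub : null;
}

// Stand-in for getUser(): identity is accepted only after the token is verified.
// getUser() does this by calling Supabase Auth; here it is a local HS256 check (modelling assumption).
export function userIdFromVerifiedToken(
  cookieToken: string,
  secret: string,
  nowSec = Math.floor(Date.now() / 1000),
): string | null {
  const parts = cookieToken.split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const header = decode(head);
  if (!header || header.alg !== "HS256") return null; // refuse alg=none and key-type confusion
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decode(body);
  if (!claims || typeof claims.sub !== "string") return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) return null; // reject expired tokens
  return claims.sub;
}

// The endpoint's mistake end to end: a forged cookie names a victim; the unverified path
// would scope the "current user's" query to that victim, the verified path refuses the token.
export function classifyDemo(): { unverified: string | null; verified: string | null } {
  const attackerToken = mintToken("11111111-attacker", JWT_SECRET);
  const forged = forgeToken(attackerToken, "22222222-victim");
  return {
    unverified: userIdFromUnverifiedSession(forged), // "22222222-victim"
    verified: userIdFromVerifiedToken(forged, JWT_SECRET), // null
  };
}
```

The fix for the real route is the same shape as the second function: call `supabase.auth.getUser()`, treat any error or missing user as 401, and only then use `user.id` to scope the query. The local HMAC check here is a model of what the auth server does, not a suggestion to verify Supabase tokens by hand in application code.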

The vulnerability carries a CVSS vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, high impact on confidentiality and integrity, and no availability impact, which scores 9.1 (Critical) on the CVSS 3.x scale. The affected file `apps/web/app/api/classify/route.ts` is a legacy code path that evaded proper security review. This incident underscores the risk of inconsistent authentication patterns across a codebase and the importance of deriving identity on the server from a validated token (a call that contacts the auth provider, such as `getUser()`) rather than from a client-supplied session. Organizations using Supabase should audit every server-side call to `auth.getSession()`, and every hand-built `createServerClient` that bypasses a shared factory, for the same pattern.