How I Almost Exposed My Own Blog Dashboard (Yes, This One)

By ibnekhalid November 2, 2025 at 01:50:41 PM 4 min read 15 views
in technology
Tags: #nodejs #Security #MBKAuthe

So, I almost fucked up. Big time.

Let me set the scene. I've been working on this very blog you're reading, building out a custom dashboard to manage posts, tags, and categories. Being a sensible developer (or so I thought), I used my own open-source authentication library, mbkauthe, for the backend. It handles logins, sessions, and role-based permissions—everything you'd need.

Development was smooth. I'd log in, fiddle with the dashboard, create drafts, and everything worked perfectly. I was feeling pretty good about myself.

The "Oh Sh*t" Moment

I was reviewing my code with GitHub Copilot. I was scrolling through the dashboard API routes, feeling good about the clean structure, when Copilot casually dropped a comment in the chat:

"This API route does not seem to have any authentication middleware."

My heart literally skipped a beat. A cold wave of panic washed over me. No. Fucking. Way.

I immediately opened an incognito window and navigated to blog.mbktechstudio.com/dashboard.

The page loaded.

My admin dashboard, the one I used to manage this entire site, was sitting there in all its glory. No login prompt. No "Access Denied." Just full, unrestricted access for anyone who stumbled upon the URL.

I felt a pit in my stomach. I had been developing under the illusion of security because I was always logged in. The new dashboard route was added after the initial auth setup, and in my haste, I had forgotten to actually protect it. The mbkauthe library was imported and configured, its session system running quietly in the background, but its guardian middleware was never put on duty.

What Was at Stake?

So, what could someone have done? Thankfully, not everything. The dashboard was built specifically for blog management, so it wasn't a keys-to-the-kingdom scenario. A malicious user couldn't access my user database or server files.

But they could have:

  • Deleted every single blog post.
  • Added spam, malicious, or just plain embarrassing content.
  • Updated existing posts with garbage.

Essentially, they could have completely trashed this blog and my professional presence attached to it. Not ideal.

The Fix (And Why It Was So Stupidly Simple)

The irony? The fix was embarrassingly simple. It took me all of two lines.

I rushed to my code editor, navigated to the dashboard routes file, and added this:

// The line that saved my ass
import { Router } from 'express';
import { validateSessionAndRole } from 'mbkauthe';

const router = Router();

// This middleware now protects EVERY route in this router.
// It must be registered BEFORE the routes: router.use() only applies to
// layers added after it, so any route defined above it would stay unprotected.
router.use(validateSessionAndRole('SuperAdmin'));

// ... other router code (the dashboard routes) ...

export default router;

Here's the actual commit that sealed the hole.

That's it. Just two lines. The powerful validateSessionAndRole middleware from my own library was now correctly applied to the entire router, checking for a valid session and the 'SuperAdmin' role on every request.

The dashboard had been publicly exposed for 7 to 10 days. I checked the content; nothing had been touched. By sheer luck, no bot or curious soul had found it and decided to wreak havoc.

Is This a Sign From God To Finally Use Testing Frameworks?

Let's be real. This entire shitshow could have been prevented with one simple integration test. You know, those things I've been putting off for "more important" development work.

Imagine if I had just written:

import request from 'supertest';
import app from '../app'; // the Express app under test (path is an assumption)

describe('Dashboard Routes', () => {
  it('should return 401 Unauthorized for unauthenticated requests', async () => {
    // No cookie is sent, so the session middleware sees no session at all
    const response = await request(app).get('/dashboard');
    expect(response.status).toBe(401);
  });
});

That test would have screamed FAILED the moment I deployed the unprotected routes. It would have caught this in CI/CD, before the code ever touched production.
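To show both the fix and the test without a server, here is an added example (my own code, not mbkauthe's and not from this blog's repo): a stand-in for validateSessionAndRole with the middleware shape Express expects, a tiny router that walks its stack in registration order the way Express does, and a builder that produces the buggy dashboard, the fixed one, and a third variant where the guard is registered after the routes. The role and session shape (req.session.user.role) are assumptions.

```javascript
// Stand-in for the page's validateSessionAndRole (assumed shape; not mbkauthe's code).
// Expects an upstream session middleware to have populated req.session.
function requireSessionAndRole(requiredRole) {
  return (req, res, next) => {
    const user = req.session && req.session.user;
    if (!user) return res.status(401).send('Unauthorized');
    if (user.role !== requiredRole) return res.status(403).send('Forbidden');
    next();
  };
}

// Tiny router that walks its layers in registration order, like Express does.
class MiniRouter {
  constructor() { this.stack = []; }
  use(fn) { this.stack.push({ path: null, fn }); }   // applies to every path
  get(path, fn) { this.stack.push({ path, fn }); }   // one route
  // Dispatch one request synchronously and return the response object.
  handle(req) {
    const res = {
      statusCode: 200, body: '',
      status(c) { this.statusCode = c; return this; },
      send(b) { this.body = b; return this; },
    };
    for (const layer of this.stack) {
      if (layer.path !== null && layer.path !== req.path) continue;
      let calledNext = false;
      layer.fn(req, res, () => { calledNext = true; });
      if (!calledNext) break; // the layer responded; later layers never run
    }
    return res;
  }
}

// Build the dashboard router three ways: the bug (no guard), the fix, and the
// guard registered after the routes (a second way to ship it unprotected).
function buildDashboard({ protect, guardFirst = true }) {
  const router = new MiniRouter();
  const guard = requireSessionAndRole('SuperAdmin');
  if (protect && guardFirst) router.use(guard);
  router.get('/dashboard/posts', (req, res) => res.send('posts'));
  if (protect && !guardFirst) router.use(guard); // too late: the route above already answered
  return router;
}

// Status code for GET /dashboard/posts with the given (constructed) session.
function statusFor(router, session) {
  return router.handle({ path: '/dashboard/posts', session }).statusCode;
}
```

The same ordering rule holds in real Express: router.use() only guards layers registered after it, so the integration test above should also run against every dashboard path, not just one.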

This isn't just a wake-up call—it's a full-blown fire alarm. I've been gambling with "manual testing" (aka, me clicking around while logged in) and hoping for the best. That's not development; that's praying.

So yes, this is absolutely a divine sign, or at the very least, a common-sense-shaped brick to the head. The time for excuses is over. Jest, Supertest, and a proper test suite are being added to this project now. Because next time, I might not be lucky enough to have Copilot catch my stupid mistakes.
