Let's make auto routes disable

Auto routing is very dangerous, because it is very difficult to know all routes for human beings.
That is some unexpected routes to developers are automatically created and it may cause vulnerability.

In my experience, around 80% of Login/Auth tutorial articles have vulnerability that can bypass login.

That sounds like a problem with the tutorials rather than an inherent problem with CodeIgniter.

I don't like defining tons of routes, and much prefer to use autorouting, and frequently make use of the _remap function because it's quite useful when one is tweaking urls for SEO. If you have a controller and all of its methods should require some level of authentication, you can make a special AdminController whose init or constructor checks to make sure the user is authorized. If you have one or two methods in a controller that require authentication, it's quite easy to define an authentication-checking fn in your own base controller and expressly call it in any method that needs it.

I'd very much like to know more about how autorouting introduces security problems. Can anyone give more detail rather than simply linking a tutorial that has a security hole?

---

@ChicagoPhil Okay, Good question.

See this tutorial:
https://www.binaryboxtuts.com/php-tutori...ntication/

You will create app/Controllers/User.php.

And you will define routes:

PHP Code:

$routes->group("api", function ($routes) {
    $routes->post("register", "Register::index");
    $routes->post("login", "Login::index");
    $routes->get("users", "User::index", ['filter' => 'authFilter']);
}); 


If you will navigate to http://example.com/api/users (defined route), the authFilter will be applied.
But if you will navigate to http://example.com/user/index (auto route), the filter will not be applied.

This seems like a problem with using filters to enforce authentication rather than an autorouting problem. Just enforce the authentication in the controller or the method.