Reviewing small SaaS codebases, the same auth mistakes show up again and again — and auth is the one area where a mistake isn’t a bug, it’s a breach. None of these are exotic; they’re the basics, skipped under deadline pressure.
Trusting the client
The frontend hides the admin button, so the team assumes admins are protected — but the API endpoint behind it has no check. Anyone who calls it directly gets through. Every protected endpoint must verify permissions on the server. Hiding UI is not security.
Weak sessions and leaky logins
Tokens that never expire, sessions that can’t be revoked, or JWTs whose claims are trusted without verifying the signature all turn one mistake into a permanent one. Use short-lived tokens with refresh, and make sure you can invalidate a session server-side.
A login form that says “wrong password” for real emails and “no such user” for others hands attackers a list of valid accounts — return the same generic message either way. And without rate limiting on login, attackers can guess passwords thousands of times a minute; limit attempts per account and per IP.
Finally, store secrets properly — a strong, slow password hash, and API keys treated like passwords, never plain text. Get authorization checks onto the server, sessions revocable, and login rate-limited, and you’ve closed the holes that sink most small SaaS apps.
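As an added example (not code from the original post), a stdlib-only Python sketch of the login and session pieces above: a slow salted password hash, one generic failure message whether or not the email exists, attempt limits per account and per IP, and a server-side session table whose tokens expire and can be revoked. The user store, limits and TTL are constructed demo values.

```python
import hashlib, hmac, os, secrets, time
from collections import defaultdict

ITERATIONS = 200_000           # deliberately slow hash; raise for production hardware
MAX_ATTEMPTS, WINDOW = 5, 300  # 5 tries per 5 minutes, per account and per IP
SESSION_TTL = 900              # 15-minute access tokens; refresh is a separate flow
_attempts = defaultdict(list)  # ("acct", email) or ("ip", addr) -> attempt timestamps
_sessions = {}                 # token -> (email, expires_at); server-side, so revocable

def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

# Constructed demo user store (email -> (salt, hash)); not real credentials.
_salt = os.urandom(16)
USERS = {"alice@example.com": (_salt, hash_password("correct horse", _salt))}
# Unmatchable stand-in so unknown emails cost the same hash work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))

def _rate_limited(key, now):
    _attempts[key] = [t for t in _attempts[key] if now - t < WINDOW]
    return len(_attempts[key]) >= MAX_ATTEMPTS

def login(email, password, ip, now=None):
    """Return (token, error). The error never reveals whether the email exists."""
    now = time.time() if now is None else now
    email = email.lower()
    keys = (("acct", email), ("ip", ip))
    if any(_rate_limited(k, now) for k in keys):
        return None, "Too many attempts, try again later."
    for k in keys:
        _attempts[k].append(now)
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    if not ok or email not in USERS:
        return None, "Invalid email or password."
    token = secrets.token_urlsafe(32)
    _sessions[token] = (email, now + SESSION_TTL)
    return token, None

def current_user(token, now=None):
    """Server-side lookup: expired or revoked tokens resolve to no user."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None or entry[1] <= now:
        _sessions.pop(token, None)
        return None
    return entry[0]

def revoke(token):
    _sessions.pop(token, None)
```

Because sessions live in a server-side table rather than only inside the token, a leaked or stolen token can be cut off immediately with `revoke`, which is the property stateless never-expiring tokens lack.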