Fix Shadow API Exposure in Nuxt
Nuxt's file-based routing cuts both ways. Shadow APIs appear when developers drop sensitive logic into the `server/api/` directory assuming it is 'internal' or 'hidden'. Every handler file under `server/api/` is served under `/api/` (and every file under `server/routes/` at the site root) as soon as the server starts; a folder name such as `internal` says nothing about who may call it. Relying on obscurity is not a control. Security must be explicit: enforce authentication and authorization in the handler itself, and move non-public logic out of the routable path altogether.
The Vulnerable Pattern
// server/api/internal/debug-stats.ts
// Served at GET/POST /api/internal/debug-stats for anyone who asks, no matter how
// "internal" the folder name looks. defineEventHandler is auto-imported by Nuxt.
import { loadavg } from 'node:os'

export default defineEventHandler((event) => {
  // VULNERABILITY: no authentication or authorization check.
  // The developer assumes this 'internal' path isn't discoverable by scanners.
  return {
    database_url: process.env.DATABASE_URL, // leaks a connection string to any caller
    active_sessions: 42,
    system_load: loadavg()                  // os.loadavg(); there is no process.loadavg()
  }
})
The Secure Implementation
To kill Shadow APIs in Nuxt:
1. Audit your `server/api` (and `server/routes`) directories: if a handler file is there, it is public.
2. Move sensitive logic and helpers out of the routable tree. `server/utils` is auto-imported into server code and is not routable; any other non-special folder under `server/` (for example `server/lib`) is importable but neither auto-imported nor routable.
3. Add a global server middleware in `server/middleware/auth.ts` that enforces a deny-by-default policy for sensitive sub-paths such as `/api/internal/*`. Server middleware runs before every route handler, so it catches handlers you forgot about; keep an explicit check inside each sensitive handler as well, so a single middleware mistake does not reopen everything.
4. Never return environment variables such as connection strings in API responses.
// server/api/internal/debug-stats.ts
import { loadavg } from 'node:os'
import { getServerSession } from '#auth' // server helper provided by @sidebase/nuxt-auth

export default defineEventHandler(async (event) => {
  const session = await getServerSession(event)

  // REQUIREMENT: explicit auth check in the handler itself.
  // No session at all is 401 (authenticate first); a session without the
  // admin role is 403 (authenticated, but not allowed). `role` is whatever
  // the app's session callback attaches to `user`.
  if (!session) {
    throw createError({ statusCode: 401, statusMessage: 'Unauthorized' })
  }
  if (session.user.role !== 'admin') {
    throw createError({ statusCode: 403, statusMessage: 'Forbidden' })
  }

  // No connection strings or other secrets in the response body.
  return {
    active_sessions: 42,
    system_load: loadavg()
  }
})
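Step 3 above calls for a deny-by-default server middleware but does not show one. The following is an added example written for this page, not code from the original article, from Nuxt or from @sidebase/nuxt-auth. The policy is kept in a pure `authorize()` function with a hypothetical minimal `GuardInput` shape so it can be unit-tested without a running Nitro server; the `Session` shape assumes a `user.role` field as in the handler above, the protected prefixes are an assumed policy for this example, and the Nuxt wiring with `defineEventHandler`, `getRequestURL` and `getServerSession` is shown in the trailing comment. It also normalises the path before matching so that `//`, `..` and percent-encoded segments cannot dodge a naive prefix check.

```typescript
// server/middleware/auth.ts (added example; not from the original page or the Nuxt project)
// Deny-by-default guard for sensitive API prefixes.

// Session shape assumed to match what getServerSession() returns in this app.
export interface Session {
  user?: { role?: string }
}

// Hypothetical minimal request view. In Nuxt these come from
// getRequestURL(event).pathname and await getServerSession(event).
export interface GuardInput {
  path: string
  session: Session | null
}

export interface Decision {
  allow: boolean
  statusCode?: 401 | 403
  statusMessage?: string
}

// Assumed policy: every prefix listed here is closed unless the caller holds
// one of the listed roles. Both '/api/internal' (index route) and
// '/api/internal/anything' are covered.
const PROTECTED: ReadonlyArray<{ prefix: string; roles: string[] }> = [
  { prefix: '/api/internal', roles: ['admin'] },
  { prefix: '/api/admin', roles: ['admin'] },
]

// Drop the query/fragment, collapse empty and '.' segments, resolve '..',
// and percent-decode each segment, so '/api//internal/../internal/x' or
// '/api/internal/%2e%2e/x' cannot slip past a startsWith() check. A segment
// that fails to decode is kept raw; it is still subject to the policy.
export function normalizePath(raw: string): string {
  const noQuery = raw.split('?')[0].split('#')[0]
  const out: string[] = []
  for (const piece of noQuery.split('/')) {
    let seg = piece
    try { seg = decodeURIComponent(piece) } catch { /* keep raw segment */ }
    if (seg === '' || seg === '.') continue
    if (seg === '..') { out.pop(); continue }
    out.push(seg)
  }
  return '/' + out.join('/')
}

export function authorize(input: GuardInput): Decision {
  const path = normalizePath(input.path)
  const rule = PROTECTED.find(r => path === r.prefix || path.startsWith(r.prefix + '/'))
  if (!rule) {
    // Not under a protected prefix: the middleware has no opinion here; the
    // route handler still owns its own authorization check.
    return { allow: true }
  }
  if (!input.session) {
    return { allow: false, statusCode: 401, statusMessage: 'Unauthorized' }
  }
  const role = input.session.user?.role ?? ''
  if (!rule.roles.includes(role)) {
    return { allow: false, statusCode: 403, statusMessage: 'Forbidden' }
  }
  return { allow: true }
}

// Constructed sample requests (not captured traffic) showing the policy in action.
export function runSamples(): Array<{ path: string; role: string | null; status: number }> {
  const admin: Session = { user: { role: 'admin' } }
  const viewer: Session = { user: { role: 'viewer' } }
  const cases: GuardInput[] = [
    { path: '/api/public/health', session: null },                        // public, untouched
    { path: '/api/internal/debug-stats', session: null },                 // 401
    { path: '/api/internal/debug-stats', session: viewer },               // 403
    { path: '/api/internal/debug-stats', session: admin },                // allowed
    { path: '/api//internal/../internal/debug-stats?x=1', session: viewer }, // normalised, 403
    { path: '/api/internal%2Fdebug-stats', session: null },               // decoded, 401
  ]
  return cases.map(c => {
    const d = authorize(c)
    return { path: c.path, role: c.session?.user?.role ?? null, status: d.allow ? 200 : d.statusCode! }
  })
}

// Nuxt wiring (h3 helpers are auto-imported in server code; getServerSession
// comes from @sidebase/nuxt-auth's '#auth' alias):
//
// export default defineEventHandler(async (event) => {
//   const decision = authorize({
//     path: getRequestURL(event).pathname,
//     session: await getServerSession(event),
//   })
//   if (!decision.allow) {
//     throw createError({ statusCode: decision.statusCode, statusMessage: decision.statusMessage })
//   }
// })
```

The guard only ever denies; it never marks a route as safe, so a handler outside the protected prefixes still has to do its own checks. Adding a new sensitive folder means adding its prefix to `PROTECTED`, which is the one place an auditor has to look.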
Verified by Ghost Labs Security Team