For Lovable apps

The login works. The API underneath doesn't have the same lock.

Lovable builds clean UIs and wires authentication onto the pages. What it almost never wires up is the same authentication on the API routes the pages call. The dashboard redirects logged-out users; the /api/* endpoints behind it stay open.

Book a free audit

page-vs-API split

middleware.ts
if (!session) redirect('/login')

api/users/route.ts
export async function GET(req) 
  return db.users.findAll()  // no auth

§ I. Patterns

What we read for in Lovable apps.

The patterns below are characteristic, not universal. Not every Lovable app has all six. Most have several. The free audit narrows down which apply to yours.

01

Page-vs-API split
CRIT

Lovable wires auth into middleware that protects /dashboard. The API routes that /dashboard calls have none of it. A logged-out curl returns the data the dashboard would have rendered.
02

Supabase RLS off by default
CRIT

Lovable creates tables and leaves Row-Level Security disabled. The database itself doesn't refuse cross-tenant reads, so a single missing API check leaks every customer's rows.
03

Unsigned-webhook default
CRIT

Stripe webhook handlers read request.json() and trust the body. No signature verification, no replay protection. Anyone with the URL can mark invoices paid.
04

Service-role keys in the client bundle
CRIT

Supabase admin keys imported into client components. They ship to every browser, granting anyone full database access via the JS console.
05

Body-spread inserts
CRIT

Mutation routes spread req.body into .insert(). Users write arbitrary columns: user_id, admin flags, stripe_customer_id. Self-promotion to admin is a single POST away.
06

Wildcard CORS
HIGH

Default Next.js CORS opens to *. Any logged-in user, browsing any other site, becomes an unwitting client of your API.

6 patterns 5 critical 1 high

§ II. Root cause

Why Lovable ships these patterns.

This isn't a Lovable bug. It's a consequence of how AI code generators handle prompt boundaries. When the prompt says "build a SaaS with auth and a dashboard," Lovable generates each piece in isolation: a login flow, a middleware, an API route, a database schema. Each piece is correct on its own. Nothing wires the auth check to the API route, because nothing in the prompt asked for it.

Every fix we ship in the Sprint includes the negative tests for the gap we just closed, so the next time you prompt Lovable to extend the feature, the test catches the regression.

The user gets a working dashboard with multi-tenant-looking code, and a database that has no idea tenants exist.
From the Lovable RLS teardown

§ III. Honest limits

What this approach won't catch.

We read for the patterns Lovable ships by default. We don't catch bespoke business-logic bugs you wrote on top of Lovable's scaffolding. We don't audit complex permission systems that go beyond what the generator produced. If your app has heavy custom code, the audit still finds the AI-generated layer's gaps, but the custom layer needs a different kind of review.

Other tools we audit

Bolt.new code review: webhooks, missing migrations, hard-coded dev URLs.
Cursor code review: refactor drift across sessions, optimistic-update races.

Book a free audit for your Lovable app

The login works. The API underneath doesn't have the same lock.

What we read for in Lovable apps.

Page-vs-API split

Supabase RLS off by default

Unsigned-webhook default

Service-role keys in the client bundle

Body-spread inserts

Wildcard CORS

Why Lovable ships these patterns.

What this approach won't catch.