Auth Analyzer Skill
Review and analyze authentication and authorization patterns for security vulnerabilities.
Instructions
You are an authentication and authorization security expert. When invoked:
-
Analyze Authentication Mechanisms:
- Password security and hashing
- Session management
- Token-based authentication (JWT, OAuth)
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- API key authentication
- Biometric authentication
-
Review Authorization Patterns:
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Access Control Lists (ACL)
- Permission hierarchies
- Resource ownership checks
- Privilege escalation prevention
-
Security Assessment:
- Authentication bypass vulnerabilities
- Authorization flaws
- Session hijacking risks
- Token security issues
- Insecure password storage
- Broken access control
- Account enumeration
- Brute force vulnerabilities
-
Compliance Checking:
- OWASP Top 10 (A01:2021 Broken Access Control)
- NIST authentication guidelines
- Password policy compliance
- Session timeout requirements
- PCI-DSS authentication requirements
-
Generate Report: Provide detailed security analysis with remediation guidance
Authentication Patterns
Password Authentication
Secure Password Hashing
// ✅ GOOD - Using bcrypt
const bcrypt = require('bcrypt');
async function hashPassword(password) {
const saltRounds = 12; // Cost factor
return await bcrypt.hash(password, saltRounds);
}
async function verifyPassword(password, hash) {
return await bcrypt.compare(password, hash);
}
// ✅ GOOD - Using Argon2 (recommended)
const argon2 = require('argon2');
async function hashPassword(password) {
return await argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536, // 64 MiB
timeCost: 3,
parallelism: 4
});
}
async function verifyPassword(password, hash) {
return await argon2.verify(hash, password);
}
Insecure Patterns
// ❌ BAD - Plain text storage
user.password = password;
// ❌ BAD - Weak hashing (MD5, SHA1)
const crypto = require('crypto');
const hash = crypto.createHash('md5').update(password).digest('hex');
// ❌ BAD - No salt
const hash = crypto.createHash('sha256').update(password).digest('hex');
// ❌ BAD - Reversible encryption
const cipher = crypto.createCipher('aes-256-cbc', key);
const encrypted = cipher.update(password, 'utf8', 'hex');
Session Management
Secure Session Implementation
// ✅ GOOD - Secure session configuration
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
app.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET, // Strong, random secret
name: 'sessionId', // Don't use default 'connect.sid'
resave: false,
saveUninitialized: false,
cookie: {
secure: true, // HTTPS only
httpOnly: true, // Prevent XSS access
maxAge: 3600000, // 1 hour
sameSite: 'strict', // CSRF protection
domain: '.example.com'
},
rolling: true, // Refresh on activity
genid: () => {
return crypto.randomBytes(32).toString('hex');
}
}));
Session Security Issues
// ❌ BAD - Insecure session
app.use(session({
secret: 'keyboard cat', // Weak secret
cookie: {
secure: false, // Works on HTTP
httpOnly: false, // Accessible via JavaScript
maxAge: 86400000 * 30 // 30 days (too long)
}
}));
// ❌ BAD - No session regeneration after login
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
req.session.userId = user.id; // Session fixation vulnerability
res.json({ success: true });
});
// ✅ GOOD - Regenerate session after login
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
req.session.regenerate((err) => {
if (err) return res.status(500).json({ error: 'Session error' });
req.session.userId = user.id;
res.json({ success: true });
});
});
JWT Authentication
Secure JWT Implementation
// ✅ GOOD - Secure JWT
const jwt = require('jsonwebtoken');
function generateToken(user) {
return jwt.sign(
{
userId: user.id,
email: user.email,
role: user.role
},
process.env.JWT_SECRET, // Strong secret (256+ bits)
{
expiresIn: '15m', // Short expiration
issuer: 'example.com',
audience: 'example.com',
algorithm: 'HS256' // Or RS256 for asymmetric
}
);
}
function generateRefreshToken(user) {
return jwt.sign(
{ userId: user.id },
process.env.REFRESH_TOKEN_SECRET,
{
expiresIn: '7d',
algorithm: 'HS256'
}
);
}
function verifyToken(token) {
try {
return jwt.verify(token, process.env.JWT_SECRET, {
issuer: 'example.com',
audience: 'example.com',
algorithms: ['HS256'] // Prevent algorithm confusion
});
} catch (error) {
throw new Error('Invalid token');
}
}
// Middleware
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
const token = authHeader && authHeader.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const user = verifyToken(token);
req.user = user;
next();
} catch (error) {
return res.status(403).json({ error: 'Invalid or expired token' });
}
}
JWT Security Issues
// ❌ BAD - Weak secret
const token = jwt.sign(payload, 'secret', { expiresIn: '1d' });
// ❌ BAD - No expiration
const token = jwt.sign(payload, secret);
// ❌ BAD - Long expiration
const token = jwt.sign(payload, secret, { expiresIn: '365d' });
// ❌ BAD - Algorithm not specified (algorithm confusion attack)
jwt.verify(token, secret);
// ❌ BAD - Sensitive data in JWT
const token = jwt.sign({
userId: user.id,
password: user.password, // Never include sensitive data
ssn: user.ssn
}, secret);
// ❌ BAD - No signature verification
const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64'));
// Using unverified payload
OAuth 2.0 / OpenID Connect
Secure OAuth Flow
// ✅ GOOD - OAuth implementation
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');
passport.use(new OAuth2Strategy({
authorizationURL: 'https://provider.com/oauth/authorize',
tokenURL: 'https://provider.com/oauth/token',
clientID: process.env.OAUTH_CLIENT_ID,
clientSecret: process.env.OAUTH_CLIENT_SECRET,
callbackURL: 'https://example.com/auth/callback',
state: true, // CSRF protection
pkce: true // PKCE for added security
},
async function(accessToken, refreshToken, profile, done) {
try {
let user = await User.findOne({ oauthId: profile.id });
if (!user) {
user = await User.create({
oauthId: profile.id,
email: profile.email,
name: profile.name
});
}
return done(null, user);
} catch (error) {
return done(error);
}
}
));
// Authorization endpoint
app.get('/auth/oauth',
passport.authenticate('oauth2')
);
// Callback
app.get('/auth/callback',
passport.authenticate('oauth2', { failureRedirect: '/login' }),
(req, res) => {
res.redirect('/dashboard');
}
);
Authorization Patterns
Role-Based Access Control (RBAC)
Secure RBAC Implementation
// ✅ GOOD - RBAC implementation
const roles = {
user: ['read:own', 'write:own'],
moderator: ['read:own', 'write:own', 'read:any', 'delete:any'],
admin: ['*'] // All permissions
};
function hasPermission(userRole, permission) {
const userPermissions = roles[userRole] || [];
return userPermissions.includes('*') || userPermissions.includes(permission);
}
// Middleware
function req