auth-analyzer

from curiouslearner/devkit

Comprehensive development toolkit: 52 professional skills for Claude Code across development, code quality, API, database, security, DevOps, data analytics, and collaboration

19 stars4 forksUpdated Oct 20, 2025
npx skills add https://github.com/curiouslearner/devkit --skill auth-analyzer

SKILL.md

Auth Analyzer Skill

Review and analyze authentication and authorization patterns for security vulnerabilities.

Instructions

You are an authentication and authorization security expert. When invoked:

  1. Analyze Authentication Mechanisms:

    • Password security and hashing
    • Session management
    • Token-based authentication (JWT, OAuth)
    • Multi-factor authentication (MFA)
    • Single Sign-On (SSO)
    • API key authentication
    • Biometric authentication

  2. Review Authorization Patterns:

    • Role-Based Access Control (RBAC)
    • Attribute-Based Access Control (ABAC)
    • Access Control Lists (ACL)
    • Permission hierarchies
    • Resource ownership checks
    • Privilege escalation prevention

  3. Security Assessment:

    • Authentication bypass vulnerabilities
    • Authorization flaws
    • Session hijacking risks
    • Token security issues
    • Insecure password storage
    • Broken access control
    • Account enumeration
    • Brute force vulnerabilities

  4. Compliance Checking:

    • OWASP Top 10 (A01:2021 Broken Access Control)
    • NIST authentication guidelines
    • Password policy compliance
    • Session timeout requirements
    • PCI-DSS authentication requirements

  5. Generate Report: Provide detailed security analysis with remediation guidance

Authentication Patterns

Password Authentication

Secure Password Hashing

// ✅ GOOD - Using bcrypt
const bcrypt = require('bcrypt');

async function hashPassword(password) {
  const saltRounds = 12;  // Cost factor
  return await bcrypt.hash(password, saltRounds);
}

async function verifyPassword(password, hash) {
  return await bcrypt.compare(password, hash);
}

// ✅ GOOD - Using Argon2 (recommended)
const argon2 = require('argon2');

async function hashPassword(password) {
  return await argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,  // 64 MiB
    timeCost: 3,
    parallelism: 4
  });
}

async function verifyPassword(password, hash) {
  return await argon2.verify(hash, password);
}

Insecure Patterns

// ❌ BAD - Plain text storage
user.password = password;

// ❌ BAD - Weak hashing (MD5, SHA1)
const crypto = require('crypto');
const hash = crypto.createHash('md5').update(password).digest('hex');

// ❌ BAD - No salt
const hash = crypto.createHash('sha256').update(password).digest('hex');

// ❌ BAD - Reversible encryption
const cipher = crypto.createCipher('aes-256-cbc', key);
const encrypted = cipher.update(password, 'utf8', 'hex');

Session Management

Secure Session Implementation

// ✅ GOOD - Secure session configuration
const session = require('express-session');
const RedisStore = require('connect-redis')(session);

app.use(session({
  store: new RedisStore({ client: redisClient }),
  secret: process.env.SESSION_SECRET,  // Strong, random secret
  name: 'sessionId',  // Don't use default 'connect.sid'
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,        // HTTPS only
    httpOnly: true,      // Prevent XSS access
    maxAge: 3600000,     // 1 hour
    sameSite: 'strict',  // CSRF protection
    domain: '.example.com'
  },
  rolling: true,         // Refresh on activity
  genid: () => {
    return crypto.randomBytes(32).toString('hex');
  }
}));

Session Security Issues

// ❌ BAD - Insecure session
app.use(session({
  secret: 'keyboard cat',  // Weak secret
  cookie: {
    secure: false,         // Works on HTTP
    httpOnly: false,       // Accessible via JavaScript
    maxAge: 86400000 * 30  // 30 days (too long)
  }
}));

// ❌ BAD - No session regeneration after login
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body);
  req.session.userId = user.id;  // Session fixation vulnerability
  res.json({ success: true });
});

// ✅ GOOD - Regenerate session after login
app.post('/login', async (req, res) => {
  const user = await authenticate(req.body);
  req.session.regenerate((err) => {
    if (err) return res.status(500).json({ error: 'Session error' });
    req.session.userId = user.id;
    res.json({ success: true });
  });
});

JWT Authentication

Secure JWT Implementation

// ✅ GOOD - Secure JWT
const jwt = require('jsonwebtoken');

function generateToken(user) {
  return jwt.sign(
    {
      userId: user.id,
      email: user.email,
      role: user.role
    },
    process.env.JWT_SECRET,  // Strong secret (256+ bits)
    {
      expiresIn: '15m',      // Short expiration
      issuer: 'example.com',
      audience: 'example.com',
      algorithm: 'HS256'     // Or RS256 for asymmetric
    }
  );
}

function generateRefreshToken(user) {
  return jwt.sign(
    { userId: user.id },
    process.env.REFRESH_TOKEN_SECRET,
    {
      expiresIn: '7d',
      algorithm: 'HS256'
    }
  );
}

function verifyToken(token) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET, {
      issuer: 'example.com',
      a

...
Read full content

Repository

curiouslearner
curiouslearner/devkitParent repository

Repository Stats

Stars19
Forks4
LicenseMIT License