Review an authentication implementation for security vulnerabilities covering session management, token handling, password policies, and attack vectors.
You are an application security engineer specializing in authentication and identity.
## Authentication Code
```{{FRAMEWORK}}
{{AUTH_CODE}}
```
## Framework / Stack
{{FRAMEWORK}}
## Auth Provider
{{AUTH_PROVIDER}}
## Authentication Security Audit
### 1. Credential Handling
- Are passwords hashed with a modern algorithm? (bcrypt cost >= 12, argon2id preferred)
- Is there a minimum password length and complexity requirement?
- Are passwords ever logged, stored in plaintext, or transmitted insecurely?
- Is password comparison timing-safe (constant-time)?
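The checks in this section translate directly into code. The following Python example is added here and is not part of the template or of any project it might be applied to; it uses the standard library's scrypt as a stand-in for argon2id/bcrypt (which need third-party packages), and the minimum length and cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Policy and cost values below are assumptions for this example.
MIN_PASSWORD_LENGTH = 12
# scrypt from the standard library stands in for argon2id/bcrypt (which need third-party packages).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def check_policy(password: str) -> bool:
    """Minimum-length gate; complexity or breached-password checks would be layered on top."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str) -> str:
    """Salted, memory-hard hash; the record carries its own parameters so they can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored parameters and compares in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False  # malformed record: treat as no match rather than crashing
    # A plain `candidate == expected` can leak how many leading bytes matched through timing;
    # compare_digest takes the same time regardless of where the first difference is.
    return hmac.compare_digest(candidate, expected)
```

A reviewer applying checklist item 1 would look for exactly these three properties: a per-user random salt, a memory-hard or cost-tunable algorithm, and `compare_digest` (or the framework's equivalent) rather than `==` on the digest.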
### 2. Session Management
- How are sessions created? (JWT, server-side session, cookie)
- Are session tokens sufficiently random (>= 128 bits of entropy)?
- Are sessions invalidated on logout, password change, and account compromise?
- Is session fixation prevented (new session ID after login)?
- What is the session timeout? Is there idle timeout vs. absolute timeout?
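To make the session questions concrete, here is an added Python example (not from the template or any reviewed code base) of a server-side session store that issues 256-bit identifiers, rotates the ID at login to defeat session fixation, enforces both an idle and an absolute timeout, and can drop every session of a user after a password change. The timeout values and the injectable clock are assumptions made for illustration and testing.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Timeouts are assumptions for this example.
IDLE_TIMEOUT = 30 * 60       # 30 minutes without activity ends the session
ABSOLUTE_TIMEOUT = 8 * 3600  # 8 hours after creation the session ends regardless of activity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes = 256 bits of entropy, above the 128-bit floor in the checklist
        return secrets.token_urlsafe(32)

    def create(self, user_id: str) -> str:
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def rotate_on_login(self, old_sid: Optional[str], user_id: str) -> str:
        """Issue a fresh ID at login so a pre-login ID planted in the browser is never promoted."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def get_user(self, sid: str) -> Optional[str]:
        """Resolve a session ID, enforcing idle and absolute timeouts on every request."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created_at > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def invalidate_user(self, user_id: str) -> int:
        """After a password change or suspected compromise: drop every session of the user."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

The absolute timeout is what bounds a stolen cookie's lifetime even when the attacker keeps it active; the idle timeout alone does not.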
### 3. Token Security (if JWT)
- Is the algorithm explicitly specified (not "none")?
- Is the secret key strong and properly stored?
- Are tokens short-lived with refresh token rotation?
- Are the audience (aud) and issuer (iss) claims validated?
- Are tokens stored securely on the client (HttpOnly cookie, not localStorage)?
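The JWT questions come down to what the verifier refuses. The example below is added for illustration and is not part of the template or of any library; it verifies HS256 tokens with the standard library only, pins the algorithm instead of trusting the header, and checks iss, aud and exp. The issuer, audience and key values are assumptions, and sign_hs256 exists only to construct test tokens (its alg parameter lets a test build a rejected "none" token).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# Expected values are assumptions for this example.
EXPECTED_ISS = "https://issuer.example"
EXPECTED_AUD = "my-api"
ALLOWED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: Dict[str, Any], key: bytes, alg: str = "HS256") -> str:
    """Builds tokens for the example; alg is a parameter only so a test can produce a bad one."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Dict[str, Any]:
    """Returns the claims of a valid token or raises ValueError with the reason for rejection."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError are ValueErrors
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the header is attacker-controlled, so it never gets to choose "none"
    # or switch to another algorithm; the verifier decides which one it accepts.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in aud_list:
        raise ValueError("unexpected audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims
```

In a real code base the same checks are expressed through the library's verification options (an explicit algorithm list plus required iss, aud and exp); the review question is whether those options are actually set, since defaults in several libraries skip aud and iss.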
### 4. Multi-Factor Authentication
- Is MFA supported? If so, which methods?
- Are backup codes generated and stored securely?
- Does the TOTP implementation rely on a well-established library rather than hand-rolled code?
### 5. Attack Prevention
- **Brute force**: Are login attempts rate-limited? Account lockout policy?
- **Credential stuffing**: Is there detection for distributed attacks?
- **Account enumeration**: Do login/register/reset endpoints leak whether an account exists?
- **CSRF**: Is CSRF protection applied to login/logout forms?
- **Open redirect**: Are redirect URLs validated after login?
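Three of these items (brute force, account enumeration, open redirect) can be demonstrated together in one login handler. The Python below is an added example, not part of the template or of any framework: a sliding-window limiter keyed per account, a single generic error message for unknown users and wrong passwords alike, and a redirect validator that accepts only same-site relative paths. The limits, message text and the verify callback are assumptions.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict
from urllib.parse import urlsplit

# Limits and messages are assumptions for this example.
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 300
GENERIC_LOGIN_ERROR = "Invalid username or password."
RATE_LIMIT_ERROR = "Too many attempts; try again later."


class SlidingWindowLimiter:
    """Counts recent attempts per key; callers should key by account and, separately, by client IP."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._max, self._window, self._clock = max_attempts, window, clock
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        q = self._attempts[key]
        while q and now - q[0] > self._window:
            q.popleft()
        if len(q) >= self._max:
            return False
        q.append(now)
        return True


def safe_redirect_target(candidate: str, default: str = "/") -> str:
    """Accept only a local absolute path; scheme, host, protocol-relative or backslash forms fall back."""
    if not candidate:
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default          # https://evil.example or //evil.example
    if "\\" in candidate:
        return default          # browsers treat "/\evil.example" like "//evil.example"
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return candidate


def login(verify: Callable[[str, str], bool], limiter: SlidingWindowLimiter,
          username: str, password: str, next_url: str) -> dict:
    if not limiter.allow(f"user:{username.lower()}"):
        return {"ok": False, "error": RATE_LIMIT_ERROR}
    # verify() checks the stored hash; for an unknown user it should still hash a dummy record so
    # that neither the message nor the response time reveals whether the account exists.
    if not verify(username, password):
        return {"ok": False, "error": GENERIC_LOGIN_ERROR}
    return {"ok": True, "redirect": safe_redirect_target(next_url)}
```

Note that the limiter counts an attempt before the password is checked, so a burst of wrong guesses and a burst of correct ones are throttled the same way; the register and reset endpoints need the same uniform messaging to close the enumeration gap.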
### 6. Password Reset Flow
- Are reset tokens single-use, time-limited, and sufficiently random?
- Is the old session invalidated after password reset?
- Is the user notified of password changes via email?
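The reset-token questions here and the backup-code question in section 4 share one mechanism: a random secret whose only stored copy is a hash, consumed exactly once, and (for reset links) expiring after a short time. The Python below is an added example serving both sections, not part of the template or any project; the TTL, code length and the three callbacks passed to complete_reset are assumptions.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

RESET_TOKEN_TTL = 15 * 60  # assumption: reset links expire after 15 minutes


class OneTimeTokenStore:
    """Holds only SHA-256 digests, so reading the table does not yield usable tokens."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, ttl: Optional[float], token: Optional[str] = None) -> str:
        """ttl=None means no expiry (backup codes); the plaintext token is returned once and not kept."""
        token = secrets.token_urlsafe(32) if token is None else token  # 256 bits by default
        expires = float("inf") if ttl is None else self._clock() + ttl
        self._entries[self._digest(token)] = (user_id, expires)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Returns the user_id at most once; the entry is removed whether it was valid or expired."""
        entry = self._entries.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires = entry
        return None if self._clock() > expires else user_id


def generate_backup_codes(store: OneTimeTokenStore, user_id: str, count: int = 10) -> List[str]:
    """Short, human-typeable single-use codes; shown to the user once, stored only as digests."""
    return [store.issue(user_id, ttl=None, token=secrets.token_hex(5)) for _ in range(count)]


def complete_reset(store: OneTimeTokenStore, token: str,
                   set_password: Callable[[str], None],
                   invalidate_sessions: Callable[[str], None],
                   notify: Callable[[str], None]) -> bool:
    """The three side effects the checklist asks for, in order, only after the token is consumed."""
    user_id = store.consume(token)
    if user_id is None:
        return False
    set_password(user_id)
    invalidate_sessions(user_id)  # any session that predates the reset must not survive it
    notify(user_id)               # e-mail the account owner that the password changed
    return True
```

Because consume() deletes the entry before checking expiry, an expired link can never be replayed later, and a second click on a used link fails the same way as a forged one.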
## Output Format
1. **Risk Summary**: Overall risk rating (Critical/High/Medium/Low) with top findings
2. **Detailed Findings**: Each vulnerability with severity, evidence, and fix
3. **Corrected Code**: Security-hardened version of the authentication flow
4. **Compliance Notes**: OWASP ASVS alignment, relevant standards

Tags: security, authentication, audit, owasp