| name | auth-analyzer |
| description | Review and analyze authentication and authorization patterns for security vulnerabilities. |
Auth Analyzer Skill
Review and analyze authentication and authorization patterns for security vulnerabilities.
Instructions
You are an authentication and authorization security expert. When invoked:
Analyze Authentication Mechanisms:
- Password security and hashing
- Session management
- Token-based authentication (JWT, OAuth)
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- API key authentication
- Biometric authentication
Review Authorization Patterns:
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Access Control Lists (ACL)
- Permission hierarchies
- Resource ownership checks
- Privilege escalation prevention
Security Assessment:
- Authentication bypass vulnerabilities
- Authorization flaws
- Session hijacking risks
- Token security issues
- Insecure password storage
- Broken access control
- Account enumeration
- Brute force vulnerabilities
Compliance Checking:
- OWASP Top 10 (A01:2021 Broken Access Control)
- NIST authentication guidelines
- Password policy compliance
- Session timeout requirements
- PCI-DSS authentication requirements
Generate Report: Provide detailed security analysis with remediation guidance
Authentication Patterns
Password Authentication
Secure Password Hashing
// ✅ GOOD - Using bcrypt
const bcrypt = require('bcrypt');
async function hashPassword(password) {
const saltRounds = 12; // Cost factor
return await bcrypt.hash(password, saltRounds);
}
async function verifyPassword(password, hash) {
return await bcrypt.compare(password, hash);
}
// ✅ GOOD - Using Argon2 (recommended)
const argon2 = require('argon2');
async function hashPassword(password) {
return await argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536, // 64 MiB
timeCost: 3,
parallelism: 4
});
}
async function verifyPassword(password, hash) {
return await argon2.verify(hash, password);
}
Insecure Patterns
// ❌ BAD - Plain text storage
user.password = password;
// ❌ BAD - Weak hashing (MD5, SHA1)
const crypto = require('crypto');
const hash = crypto.createHash('md5').update(password).digest('hex');
// ❌ BAD - No salt
const hash = crypto.createHash('sha256').update(password).digest('hex');
// ❌ BAD - Reversible encryption
const cipher = crypto.createCipher('aes-256-cbc', key);
const encrypted = cipher.update(password, 'utf8', 'hex');
Session Management
Secure Session Implementation
// ✅ GOOD - Secure session configuration
const session = require('express-session');
const RedisStore = require('connect-redis')(session);
app.use(session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET, // Strong, random secret
name: 'sessionId', // Don't use default 'connect.sid'
resave: false,
saveUninitialized: false,
cookie: {
secure: true, // HTTPS only
httpOnly: true, // Prevent XSS access
maxAge: 3600000, // 1 hour
sameSite: 'strict', // CSRF protection
domain: '.example.com'
},
rolling: true, // Refresh on activity
genid: () => {
return crypto.randomBytes(32).toString('hex');
}
}));
Session Security Issues
// ❌ BAD - Insecure session
app.use(session({
secret: 'keyboard cat', // Weak secret
cookie: {
secure: false, // Works on HTTP
httpOnly: false, // Accessible via JavaScript
maxAge: 86400000 * 30 // 30 days (too long)
}
}));
// ❌ BAD - No session regeneration after login
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
req.session.userId = user.id; // Session fixation vulnerability
res.json({ success: true });
});
// ✅ GOOD - Regenerate session after login
app.post('/login', async (req, res) => {
const user = await authenticate(req.body);
req.session.regenerate((err) => {
if (err) return res.status(500).json({ error: 'Session error' });
req.session.userId = user.id;
res.json({ success: true });
});
});
JWT Authentication
Secure JWT Implementation
// ✅ GOOD - Secure JWT
const jwt = require('jsonwebtoken');
function generateToken(user) {
return jwt.sign(
{
userId: user.id,
email: user.email,
role: user.role
},
process.env.JWT_SECRET, // Strong secret (256+ bits)
{
expiresIn: '15m', // Short expiration
issuer: 'example.com',
audience: 'example.com',
algorithm: 'HS256' // Or RS256 for asymmetric
}
);
}
function generateRefreshToken(user) {
return jwt.sign(
{ userId: user.id },
process.env.REFRESH_TOKEN_SECRET,
{
expiresIn: '7d',
algorithm: 'HS256'
}
);
}
function verifyToken(token) {
try {
return jwt.verify(token, process.env.JWT_SECRET, {
issuer: 'example.com',
audience: 'example.com',
algorithms: ['HS256'] // Prevent algorithm confusion
});
} catch (error) {
throw new Error('Invalid token');
}
}
// Middleware
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
const token = authHeader && authHeader.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const user = verifyToken(token);
req.user = user;
next();
} catch (error) {
return res.status(403).json({ error: 'Invalid or expired token' });
}
}
JWT Security Issues
// ❌ BAD - Weak secret
const token = jwt.sign(payload, 'secret', { expiresIn: '1d' });
// ❌ BAD - No expiration
const token = jwt.sign(payload, secret);
// ❌ BAD - Long expiration
const token = jwt.sign(payload, secret, { expiresIn: '365d' });
// ❌ BAD - Algorithm not specified (algorithm confusion attack)
jwt.verify(token, secret);
// ❌ BAD - Sensitive data in JWT
const token = jwt.sign({
userId: user.id,
password: user.password, // Never include sensitive data
ssn: user.ssn
}, secret);
// ❌ BAD - No signature verification
const payload = JSON.parse(Buffer.from(token.split('.')[1], 'base64'));
// Using unverified payload
OAuth 2.0 / OpenID Connect
Secure OAuth Flow
// ✅ GOOD - OAuth implementation
const passport = require('passport');
const OAuth2Strategy = require('passport-oauth2');
passport.use(new OAuth2Strategy({
authorizationURL: 'https://provider.com/oauth/authorize',
tokenURL: 'https://provider.com/oauth/token',
clientID: process.env.OAUTH_CLIENT_ID,
clientSecret: process.env.OAUTH_CLIENT_SECRET,
callbackURL: 'https://example.com/auth/callback',
state: true, // CSRF protection
pkce: true // PKCE for added security
},
async function(accessToken, refreshToken, profile, done) {
try {
let user = await User.findOne({ oauthId: profile.id });
if (!user) {
user = await User.create({
oauthId: profile.id,
email: profile.email,
name: profile.name
});
}
return done(null, user);
} catch (error) {
return done(error);
}
}
));
// Authorization endpoint
app.get('/auth/oauth',
passport.authenticate('oauth2')
);
// Callback
app.get('/auth/callback',
passport.authenticate('oauth2', { failureRedirect: '/login' }),
(req, res) => {
res.redirect('/dashboard');
}
);
Authorization Patterns
Role-Based Access Control (RBAC)
Secure RBAC Implementation
// ✅ GOOD - RBAC implementation
const roles = {
user: ['read:own', 'write:own'],
moderator: ['read:own', 'write:own', 'read:any', 'delete:any'],
admin: ['*'] // All permissions
};
function hasPermission(userRole, permission) {
const userPermissions = roles[userRole] || [];
return userPermissions.includes('*') || userPermissions.includes(permission);
}
// Middleware
function requirePermission(permission) {
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({ error: 'Not authenticated' });
}
if (!hasPermission(req.user.role, permission)) {
return res.status(403).json({ error: 'Insufficient permissions' });
}
next();
};
}
// Usage
app.delete('/posts/:id',
authenticateToken,
requirePermission('delete:any'),
deletePost
);
Authorization Issues
// ❌ BAD - Client-side authorization only
// Frontend
if (user.role === 'admin') {
showAdminPanel();
}
// Backend has no checks - insecure!
// ❌ BAD - Trusting client-provided role
app.post('/admin/users', (req, res) => {
if (req.body.isAdmin) { // Attacker can set this
// Admin operation
}
});
// ❌ BAD - No ownership check
app.delete('/posts/:id', async (req, res) => {
await Post.delete(req.params.id); // Any user can delete any post
});
// ✅ GOOD - Proper ownership check
app.delete('/posts/:id', authenticateToken, async (req, res) => {
const post = await Post.findById(req.params.id);
if (!post) {
return res.status(404).json({ error: 'Post not found' });
}
// Check ownership or admin role
if (post.authorId !== req.user.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Not authorized' });
}
await post.delete();
res.json({ success: true });
});
Attribute-Based Access Control (ABAC)
// ✅ GOOD - ABAC implementation
function canAccessResource(user, resource, action) {
const rules = [
// Owner can do anything with their resources
{
match: (u, r, a) => r.ownerId === u.id,
allow: ['read', 'write', 'delete']
},
// Premium users can read any public resource
{
match: (u, r, a) => u.subscription === 'premium' && r.isPublic,
allow: ['read']
},
// Admins can do anything
{
match: (u, r, a) => u.role === 'admin',
allow: ['*']
}
];
for (const rule of rules) {
if (rule.match(user, resource, action)) {
if (rule.allow.includes('*') || rule.allow.includes(action)) {
return true;
}
}
}
return false;
}
// Middleware
function requireAccess(action) {
return async (req, res, next) => {
const resource = await loadResource(req.params.id);
if (!canAccessResource(req.user, resource, action)) {
return res.status(403).json({ error: 'Access denied' });
}
req.resource = resource;
next();
};
}
Usage Examples
@auth-analyzer
@auth-analyzer src/auth/
@auth-analyzer --check-passwords
@auth-analyzer --check-sessions
@auth-analyzer --check-jwt
@auth-analyzer --check-authorization
@auth-analyzer --report
Security Analysis Report Format
# Authentication & Authorization Security Analysis
**Application**: E-Commerce Platform
**Analysis Date**: 2024-01-15
**Analyzer**: Auth Security Scanner v3.0
---
## Executive Summary
🔴 **CRITICAL SECURITY ISSUES FOUND**
**Total Issues**: 18
- Critical: 5
- High: 7
- Medium: 4
- Low: 2
**OWASP Category**: A01:2021 – Broken Access Control
**Immediate Actions Required**: 5 critical authentication flaws need fixing
---
## Critical Issues (5)
### 🔴 Passwords Stored with Weak Hashing (MD5)
**Severity**: Critical (CVSS 9.1)
**CWE**: CWE-916 (Use of Password Hash With Insufficient Computational Effort)
**Location**: src/models/User.js:45
**Vulnerable Code**:
```javascript
// ❌ INSECURE
const crypto = require('crypto');
User.prototype.setPassword = function(password) {
this.password = crypto.createHash('md5').update(password).digest('hex');
};
User.prototype.checkPassword = function(password) {
const hash = crypto.createHash('md5').update(password).digest('hex');
return this.password === hash;
};
Vulnerability:
- MD5 is cryptographically broken
- No salt (rainbow table attacks possible)
- Fast hashing (vulnerable to brute force)
- 100M+ MD5 hashes/second on GPU
Attack Scenario:
1. Attacker gains access to database
2. Downloads password hashes
3. Uses rainbow tables or brute force
4. Cracks passwords in minutes/hours
5. Gains access to user accounts
Impact:
- All user passwords compromised
- Account takeover possible
- Credential stuffing attacks
- Privacy breach
Remediation:
// ✅ SECURE - Use Argon2id
const argon2 = require('argon2');
User.prototype.setPassword = async function(password) {
this.password = await argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536, // 64 MiB
timeCost: 3,
parallelism: 4
});
};
User.prototype.checkPassword = async function(password) {
try {
return await argon2.verify(this.password, password);
} catch (err) {
return false;
}
};
Migration Plan:
// Gradual migration on login
app.post('/login', async (req, res) => {
const user = await User.findOne({ email: req.body.email });
// Check old MD5 hash
if (user.password.length === 32) { // MD5 hash length
const md5Hash = crypto.createHash('md5')
.update(req.body.password)
.digest('hex');
if (user.password === md5Hash) {
// Upgrade to Argon2
await user.setPassword(req.body.password);
await user.save();
// Continue with login
}
} else {
// Use Argon2 verification
const valid = await user.checkPassword(req.body.password);
if (!valid) {
return res.status(401).json({ error: 'Invalid credentials' });
}
}
// Login successful
});
Priority: P0 - Fix immediately
🔴 JWT Signature Not Verified
Severity: Critical (CVSS 9.8) CWE: CWE-347 (Improper Verification of Cryptographic Signature)
Location: src/middleware/auth.js:12
Vulnerable Code:
// ❌ CRITICAL VULNERABILITY
function authenticateToken(req, res, next) {
const token = req.headers['authorization']?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token' });
}
// Decoding without verification!
const payload = JSON.parse(
Buffer.from(token.split('.')[1], 'base64').toString()
);
req.user = payload; // Trusting unverified data
next();
}
Vulnerability:
- JWT signature completely bypassed
- Attacker can forge any JWT
- Can impersonate any user including admins
- Trivial to exploit
Attack Example:
// Attacker creates malicious token
const fakePayload = {
userId: 1,
email: 'admin@example.com',
role: 'admin'
};
const base64Payload = Buffer.from(JSON.stringify(fakePayload)).toString('base64');
const fakeToken = `header.${base64Payload}.fakesignature`;
// Use in request
fetch('/api/admin/users', {
headers: {
'Authorization': `Bearer ${fakeToken}`
}
});
// Gains admin access!
Impact:
- Complete authentication bypass
- Privilege escalation to admin
- Full system compromise
- Data breach
Remediation:
// ✅ SECURE - Proper verification
const jwt = require('jsonwebtoken');
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
const token = authHeader?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'No token provided' });
}
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, {
algorithms: ['HS256'], // Prevent algorithm confusion
issuer: 'example.com',
audience: 'example.com',
maxAge: '15m'
});
req.user = payload;
next();
} catch (error) {
if (error.name === 'TokenExpiredError') {
return res.status(401).json({ error: 'Token expired' });
}
return res.status(403).json({ error: 'Invalid token' });
}
}
Priority: P0 - Fix immediately
🔴 Missing Authorization Checks
Severity: Critical (CVSS 8.8) CWE: CWE-862 (Missing Authorization)
Location: src/routes/users.js:34
Vulnerable Code:
// ❌ CRITICAL - No authorization check
app.put('/api/users/:id', authenticateToken, async (req, res) => {
// Any authenticated user can update any other user!
const user = await User.findByIdAndUpdate(
req.params.id,
req.body,
{ new: true }
);
res.json(user);
});
// ❌ CRITICAL - IDOR vulnerability
app.get('/api/orders/:id', authenticateToken, async (req, res) => {
// No check if order belongs to user
const order = await Order.findById(req.params.id);
res.json(order); // Leaking other users' orders
});
Attack Scenario:
# User 123 accessing user 456's data
curl -X PUT https://api.example.com/api/users/456 \
-H "Authorization: Bearer <user123-token>" \
-d '{"role": "admin"}' # Privilege escalation
# Accessing other users' orders (IDOR)
for i in {1..1000}; do
curl https://api.example.com/api/orders/$i \
-H "Authorization: Bearer <token>"
done
# Harvesting all orders
Impact:
- Horizontal privilege escalation (access other users' data)
- Vertical privilege escalation (become admin)
- Data breach
- Account takeover
Remediation:
// ✅ SECURE - Proper authorization
app.put('/api/users/:id', authenticateToken, async (req, res) => {
// Check if user is updating their own profile or is admin
if (req.params.id !== req.user.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Not authorized' });
}
// Prevent privilege escalation
if (req.body.role && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Cannot change role' });
}
const user = await User.findByIdAndUpdate(
req.params.id,
req.body,
{ new: true }
);
res.json(user);
});
app.get('/api/orders/:id', authenticateToken, async (req, res) => {
const order = await Order.findById(req.params.id);
if (!order) {
return res.status(404).json({ error: 'Order not found' });
}
// Authorization check
if (order.userId !== req.user.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Not authorized' });
}
res.json(order);
});
Priority: P0 - Fix immediately
🔴 Session Fixation Vulnerability
Severity: Critical (CVSS 8.1) CWE: CWE-384 (Session Fixation)
Location: src/routes/auth.js:23
Vulnerable Code:
// ❌ VULNERABLE - No session regeneration
app.post('/login', async (req, res) => {
const user = await User.findOne({ email: req.body.email });
if (!user || !(await user.checkPassword(req.body.password))) {
return res.status(401).json({ error: 'Invalid credentials' });
}
// Session reused without regeneration
req.session.userId = user.id;
req.session.role = user.role;
res.json({ success: true });
});
Attack Scenario:
1. Attacker obtains session ID (e.g., victim uses public computer)
2. Attacker sends victim link with session ID
3. Victim logs in (session not regenerated)
4. Attacker uses same session ID to access account
Remediation:
// ✅ SECURE - Regenerate session
app.post('/login', async (req, res) => {
const user = await User.findOne({ email: req.body.email });
if (!user || !(await user.checkPassword(req.body.password))) {
return res.status(401).json({ error: 'Invalid credentials' });
}
// Regenerate session after authentication
req.session.regenerate((err) => {
if (err) {
return res.status(500).json({ error: 'Login failed' });
}
req.session.userId = user.id;
req.session.role = user.role;
// Also regenerate on logout
res.json({ success: true });
});
});
app.post('/logout', (req, res) => {
req.session.destroy((err) => {
res.clearCookie('sessionId');
res.json({ success: true });
});
});
Priority: P0 - Fix immediately
🔴 Insecure Password Reset
Severity: Critical (CVSS 8.6) CWE: CWE-640 (Weak Password Recovery Mechanism)
Location: src/routes/auth.js:67
Vulnerable Code:
// ❌ INSECURE - Predictable reset tokens
app.post('/forgot-password', async (req, res) => {
const user = await User.findOne({ email: req.body.email });
if (!user) {
// Account enumeration vulnerability
return res.status(404).json({ error: 'User not found' });
}
// Weak token generation
const resetToken = user.id + Date.now();
user.resetToken = resetToken;
user.resetExpires = Date.now() + 3600000; // 1 hour
await user.save();
// Send email with token
sendEmail(user.email, `Reset link: /reset?token=${resetToken}`);
res.json({ success: true });
});
app.post('/reset-password', async (req, res) => {
const user = await User.findOne({
resetToken: req.body.token,
resetExpires: { $gt: Date.now() }
});
if (!user) {
return res.status(400).json({ error: 'Invalid token' });
}
// No rate limiting, can brute force tokens
user.password = await hashPassword(req.body.password);
user.resetToken = null;
await user.save();
res.json({ success: true });
});
Vulnerabilities:
- Predictable reset token
- Account enumeration
- No rate limiting
- Token not invalidated after use
Remediation:
// ✅ SECURE password reset
const crypto = require('crypto');
app.post('/forgot-password', rateLimiter, async (req, res) => {
const user = await User.findOne({ email: req.body.email });
// Always return same response (prevent enumeration)
const response = { success: true, message: 'If account exists, reset email sent' };
if (!user) {
// Still delay response to prevent timing attacks
await new Promise(resolve => setTimeout(resolve, 500));
return res.json(response);
}
// Generate cryptographically secure token
const resetToken = crypto.randomBytes(32).toString('hex');
const hashedToken = crypto.createHash('sha256')
.update(resetToken)
.digest('hex');
user.resetToken = hashedToken;
user.resetExpires = Date.now() + 900000; // 15 minutes (shorter)
await user.save();
// Send email (use token once in URL)
const resetURL = `https://example.com/reset?token=${resetToken}`;
await sendEmail(user.email, `Reset link (expires in 15min): ${resetURL}`);
res.json(response);
});
const resetLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 5, // Max 5 attempts per 15 minutes
message: 'Too many reset attempts'
});
app.post('/reset-password', resetLimiter, async (req, res) => {
// Hash the provided token
const hashedToken = crypto.createHash('sha256')
.update(req.body.token)
.digest('hex');
const user = await User.findOne({
resetToken: hashedToken,
resetExpires: { $gt: Date.now() }
});
if (!user) {
return res.status(400).json({ error: 'Invalid or expired token' });
}
// Validate password strength
if (!isStrongPassword(req.body.password)) {
return res.status(400).json({ error: 'Password too weak' });
}
user.password = await hashPassword(req.body.password);
user.resetToken = null;
user.resetExpires = null;
await user.save();
// Invalidate all sessions
await Session.deleteMany({ userId: user.id });
// Notify user of password change
await sendEmail(user.email, 'Your password was changed');
res.json({ success: true });
});
Priority: P0 - Fix immediately
High Severity Issues (7)
🟠 No Rate Limiting on Authentication
Severity: High (CVSS 7.5) CWE: CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Location: src/routes/auth.js
Issue: Login endpoint has no rate limiting
Attack:
# Brute force attack
for password in $(cat passwords.txt); do
curl -X POST https://example.com/api/login \
-d "email=admin@example.com&password=$password"
done
Remediation:
const rateLimit = require('express-rate-limit');
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // 5 attempts per window
skipSuccessfulRequests: true,
message: 'Too many login attempts, please try again later',
standardHeaders: true,
legacyHeaders: false,
// Custom key generator (by IP and email)
keyGenerator: (req) => {
return `${req.ip}-${req.body.email}`;
}
});
app.post('/login', loginLimiter, async (req, res) => {
// Login logic
});
// Account lockout after failures
let loginAttempts = {};
app.post('/login', async (req, res) => {
const key = req.body.email;
const attempts = loginAttempts[key] || 0;
if (attempts >= 5) {
const lockoutTime = 15 * 60 * 1000; // 15 minutes
return res.status(429).json({
error: 'Account temporarily locked due to multiple failed attempts'
});
}
const user = await User.findOne({ email: req.body.email });
const valid = user && await user.checkPassword(req.body.password);
if (!valid) {
loginAttempts[key] = attempts + 1;
setTimeout(() => {
delete loginAttempts[key];
}, 15 * 60 * 1000);
return res.status(401).json({ error: 'Invalid credentials' });
}
// Success - reset attempts
delete loginAttempts[key];
// Continue with login
});
Priority: P1 - Fix within 24 hours
🟠 Weak Password Policy
Severity: High
Current: No password requirements
Remediation:
const passwordValidator = require('password-validator');
const schema = new passwordValidator();
schema
.is().min(12) // Minimum length 12
.is().max(128) // Maximum length 128
.has().uppercase() // Must have uppercase
.has().lowercase() // Must have lowercase
.has().digits(1) // Must have digit
.has().symbols(1) // Must have symbol
.has().not().spaces() // No spaces
.is().not().oneOf(['Password123!', 'Admin123!']); // Blacklist
function validatePassword(password) {
return schema.validate(password, { details: true });
}
// Check against breached passwords
const pwnedpasswords = require('pwnedpasswords');
async function isPasswordPwned(password) {
const count = await pwnedpasswords(password);
return count > 0;
}
Medium Severity Issues (4)
🟡 JWT Secret in Code
Severity: Medium Location: src/config/jwt.js:5
Issue:
// ❌ Hardcoded secret
const JWT_SECRET = 'my-jwt-secret-key';
Remediation:
// ✅ Environment variable
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET || JWT_SECRET.length < 32) {
throw new Error('JWT_SECRET must be set and at least 32 characters');
}
Best Practices Violations
Authentication
- ❌ No multi-factor authentication (MFA)
- ❌ No password strength meter
- ❌ No breach detection (haveibeenpwned)
- ❌ Sessions don't expire on password change
- ❌ No concurrent session limits
Authorization
- ❌ Role checks in frontend only
- ❌ No audit logging of privilege changes
- ❌ Overly broad permissions
- ❌ No principle of least privilege
Recommendations
Immediate (Critical)
- Migrate passwords to Argon2id hashing
- Fix JWT verification
- Add authorization checks to all endpoints
- Regenerate sessions on login
- Secure password reset flow
Short-term (High)
- Implement rate limiting
- Add password strength requirements
- Add account lockout mechanism
- Implement MFA
- Add audit logging
Long-term (Medium)
- Regular security audits
- Penetration testing
- Security training for developers
- Implement security headers
- Add intrusion detection
Compliance Status
OWASP Top 10
- ❌ A01:2021 - Broken Access Control (Multiple issues)
- ⚠️ A02:2021 - Cryptographic Failures (Weak hashing)
- ❌ A07:2021 - Identification and Authentication Failures
NIST Guidelines
- ❌ SP 800-63B (Authentication)
- Password strength ❌
- MFA ❌
- Rate limiting ❌
PCI-DSS
- ❌ Requirement 8.2.3 - Strong passwords
- ❌ Requirement 8.2.4 - Password changes
- ❌ Requirement 8.2.5 - Unique passwords
Summary
Overall Security Grade: F
Critical Issues: 5 (Must fix immediately) Estimated Remediation Time: 2-3 weeks Risk Level: CRITICAL
Top Priority: Fix password hashing and JWT verification immediately.
## Notes
- Never trust client-provided authentication/authorization data
- Always verify JWT signatures
- Regenerate sessions after privilege changes
- Implement defense in depth
- Log authentication and authorization events
- Regular security audits recommended
- Test authorization with different user roles
- Use established libraries (don't roll your own crypto)
- Implement least privilege principle
- Monitor for suspicious authentication patterns