auth-security-validator

@hirefrank/hirefrank-marketplace

Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.


SKILL.md

name: auth-security-validator
description: Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.
triggers: auth file changes, session config changes, security-related modifications, pre-deployment

Auth Security Validator SKILL

Activation Patterns

This SKILL automatically activates when:

  • Files matching **/auth/** are created/modified
  • Session configuration files modified (app.config.ts, auth.ts)
  • Password hashing code changes
  • Cookie configuration changes
  • Before deployment operations

Validation Rules

P1 - Critical (Block Operations)

Password Hashing:

  • ✅ Uses Argon2id (@node-rs/argon2)
  • ❌ NOT using: bcrypt, MD5, SHA-256, plain text
  • ✅ Memory cost ≥ 19456 KB
  • ✅ Time cost ≥ 2 iterations

Cookie Security:

  • secure: true (HTTPS-only)
  • httpOnly: true (XSS prevention)
  • sameSite: 'lax' or 'strict' (CSRF mitigation)

Session Configuration:

  • ✅ Session password/secret ≥ 32 characters
  • ✅ Max age configured (not infinite)

P2 - Important (Warn)

CSRF Protection:

  • ⚠️ CSRF protection enabled (automatic in better-auth)
  • ⚠️ No custom form handlers bypassing CSRF

Rate Limiting:

  • ⚠️ Rate limiting on login endpoint
  • ⚠️ Rate limiting on register endpoint
  • ⚠️ Rate limiting on password reset

Input Validation:

  • ⚠️ Email format validation
  • ⚠️ Password minimum length (8+ characters)
  • ⚠️ Input sanitization

P3 - Suggestions (Inform)

  • ℹ️ Session rotation on privilege escalation
  • ℹ️ 2FA/MFA support
  • ℹ️ Account lockout after failed attempts
  • ℹ️ Password complexity requirements
  • ℹ️ OAuth state parameter validation
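The rule set above, expressed as a small static checker: P1 failures block, P2 failures only warn. This is an added example, not code from the skill or from better-auth; the config object shape (argon2, cookie, session, rateLimit, validation keys) is an assumption made for the example.

```javascript
// Added example (not part of SKILL.md): applies the P1 rules and a subset of
// the P2 rules to a parsed auth configuration. The config shape is assumed.
const RULES = [
  // P1 - Critical: any failure blocks the operation
  { sev: "P1", id: "hash.algorithm", msg: "password hashing must use Argon2id",
    ok: (c) => c.argon2?.algorithm === "argon2id" },
  { sev: "P1", id: "hash.memoryCost", msg: "Argon2 memoryCost must be >= 19456 KB",
    ok: (c) => (c.argon2?.memoryCost ?? 0) >= 19456 },
  { sev: "P1", id: "hash.timeCost", msg: "Argon2 timeCost must be >= 2 iterations",
    ok: (c) => (c.argon2?.timeCost ?? 0) >= 2 },
  { sev: "P1", id: "cookie.secure", msg: "cookie.secure must be true",
    ok: (c) => c.cookie?.secure === true },
  { sev: "P1", id: "cookie.httpOnly", msg: "cookie.httpOnly must be true",
    ok: (c) => c.cookie?.httpOnly === true },
  { sev: "P1", id: "cookie.sameSite", msg: "cookie.sameSite must be 'lax' or 'strict'",
    ok: (c) => ["lax", "strict"].includes(c.cookie?.sameSite) },
  { sev: "P1", id: "session.secret", msg: "session secret must be >= 32 characters",
    ok: (c) => typeof c.session?.secret === "string" && c.session.secret.length >= 32 },
  { sev: "P1", id: "session.maxAge", msg: "session maxAge must be finite and > 0",
    ok: (c) => Number.isFinite(c.session?.maxAge) && c.session.maxAge > 0 },
  // P2 - Important: reported as warnings, never block
  { sev: "P2", id: "rateLimit.login", msg: "no rate limiting on login endpoint",
    ok: (c) => c.rateLimit?.login === true },
  { sev: "P2", id: "validation.passwordMinLength", msg: "password minimum length must be >= 8",
    ok: (c) => (c.validation?.passwordMinLength ?? 0) >= 8 },
];

// Returns failed rules grouped by severity; only P1 failures set `blocked`.
function validateAuthConfig(config) {
  const findings = RULES.filter((r) => !r.ok(config))
    .map(({ sev, id, msg }) => ({ sev, id, msg }));
  const critical = findings.filter((f) => f.sev === "P1");
  const warnings = findings.filter((f) => f.sev === "P2");
  return { blocked: critical.length > 0, critical, warnings };
}

// Constructed sample configs mirroring the good and bad patterns in this skill.
const goodConfig = {
  argon2: { algorithm: "argon2id", memoryCost: 19456, timeCost: 2, outputLen: 32, parallelism: 1 },
  cookie: { secure: true, httpOnly: true, sameSite: "lax" },
  session: { secret: "s".repeat(40), maxAge: 7 * 24 * 60 * 60 },
  rateLimit: { login: false }, // yields the single P2 warning shown in the sample output
  validation: { passwordMinLength: 8 },
};
const badConfig = {
  argon2: { algorithm: "argon2id", memoryCost: 4096, timeCost: 1 },
  cookie: { secure: false, httpOnly: false, sameSite: "none" },
  session: { secret: "12345", maxAge: Infinity },
};
```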

Validation Output

🔒 Authentication Security Validation

✅ P1 Checks (Critical):
   ✅ Password hashing: Argon2id with correct params
   ✅ Cookies: secure, httpOnly, sameSite configured
   ✅ Session secret: 32+ characters

⚠️ P2 Checks (Important):
   ⚠️ No rate limiting on login endpoint
   ✅ Input validation present
   ✅ CSRF protection enabled

ℹ️ P3 Suggestions:
   ℹ️ Consider adding session rotation
   ℹ️ Consider 2FA for sensitive operations

📋 Summary: 1 warning found
💡 Run /es-auth-setup to fix issues

Security Patterns Detected

Good Patterns ✅:

// Argon2id with correct params
const hash = await argon2.hash(password, {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1
});

// Secure cookie config
cookie: {
  secure: true,
  httpOnly: true,
  sameSite: 'lax'
}

Bad Patterns ❌:

// Weak hashing
const hash = crypto.createHash('sha256').update(password).digest('hex'); // ❌

// Insecure cookies
cookie: {
  secure: false, // ❌
  httpOnly: false // ❌
}

// Weak session secret
password: '12345' // ❌ Too short

Escalation

Complex scenarios escalate to the better-auth-specialist agent:

  • Custom authentication flows
  • Advanced OAuth configuration
  • Passkey implementation
  • Multi-factor authentication setup
  • Security audit requirements

Notes

  • Runs automatically on auth-related file changes
  • Can block deployments with P1 security issues
  • Follows OWASP Top 10 guidelines
  • Integrates with /validate and /es-deploy commands
  • Queries better-auth MCP for provider security requirements