auth-review
SKILL.md
When reviewing authentication and authorization code, check for:
- Credential handling — passwords hashed with strong algorithms (bcrypt, argon2), no plaintext storage, no logging of secrets
- Token security — proper expiration, secure generation (crypto-random), safe storage (httpOnly cookies, not localStorage for sensitive tokens)
- Session management — session fixation prevention, proper invalidation on logout, idle timeouts
- Access control — authorization checks on every protected endpoint, no reliance on client-side checks alone, principle of least privilege
- OAuth/OIDC flows — state parameter for CSRF protection, PKCE for public clients, proper redirect URI validation
- Input validation — protection against injection in auth queries, rate limiting on login endpoints, account lockout policies
- Error handling — generic error messages (no user enumeration), consistent timing to prevent timing attacks
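The following is an added worked example, not code from the auth-review skill or the himself65/auth-spec project. It shows what a login path that passes several of the checks above looks like in one place: a salted slow hash with no plaintext stored, constant-time verification, a dummy hash on unknown usernames so failures take the same time, one generic error string, an account-lockout counter, CSPRNG-generated session tokens with expiry, and server-side invalidation on logout. The user store, the lockout threshold, the session lifetime, and the iteration count are constructed values, and PBKDF2 from the standard library stands in for the bcrypt/argon2 the checklist recommends so the example runs without third-party packages.

```python
"""Hardened login path illustrating items from the auth-review checklist (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000      # assumed work factor; stdlib stand-in for bcrypt/argon2
LOCKOUT_THRESHOLD = 5            # assumed account-lockout policy
SESSION_TTL_SECONDS = 15 * 60    # assumed session timeout
GENERIC_ERROR = "invalid username or password"   # identical text for every failure


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes          # only the salted hash is stored, never the plaintext
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    token: str
    username: str
    expires_at: float


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash. The plaintext is never stored or logged."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(user: User, password: str) -> bool:
    """Constant-time comparison so the position of a mismatch does not leak via timing."""
    _, candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.password_hash)


# Dummy credential hashed on unknown usernames so a missing account costs the same
# time as a wrong password; otherwise response time would reveal which users exist.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(users: Dict[str, User], username: str, password: str,
          sessions: Dict[str, Session], now=time.time):
    """Return (session, None) on success or (None, GENERIC_ERROR) on any failure."""
    user = users.get(username)
    if user is None:
        hash_password(password, _DUMMY_SALT)   # same work as a real check
        return None, GENERIC_ERROR
    if user.locked:
        return None, GENERIC_ERROR              # do not reveal the lockout either
    if not verify_password(user, password):
        user.failed_attempts += 1
        if user.failed_attempts >= LOCKOUT_THRESHOLD:
            user.locked = True
        return None, GENERIC_ERROR
    user.failed_attempts = 0
    token = secrets.token_urlsafe(32)           # OS CSPRNG, not random.random() or a counter
    session = Session(token=token, username=username,
                      expires_at=now() + SESSION_TTL_SECONDS)
    sessions[token] = session
    return session, None


def resolve_session(sessions: Dict[str, Session], token: str, now=time.time) -> Optional[Session]:
    """Reject unknown or expired tokens; expired entries are dropped from the store."""
    session = sessions.get(token)
    if session is None:
        return None
    if now() >= session.expires_at:
        del sessions[token]
        return None
    return session


def logout(sessions: Dict[str, Session], token: str) -> None:
    """Invalidate server-side so a leaked token is useless after logout."""
    sessions.pop(token, None)


def make_store() -> Dict[str, User]:
    """Constructed sample user store with one account (password 'correct horse')."""
    salt, digest = hash_password("correct horse")
    return {"alice": User("alice", salt, digest)}


if __name__ == "__main__":
    users, sessions = make_store(), {}
    session, err = login(users, "alice", "correct horse", sessions)
    print("login ok:", err is None, "session valid:", resolve_session(sessions, session.token) is session)
    print("unknown user:", login(users, "nobody", "x", sessions))
```

When reviewing real code against the checklist, the things to look for are the counterparts of each comment above: a fast or unsalted hash, a `==` on secrets instead of a constant-time compare, an early return on "user not found" with a different message, a token built from `random` or a timestamp, and a logout that only clears the cookie without touching the server-side session.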
Related skills
More from himself65/auth-spec
- security-best-practice: Audit and harden authentication code for security best practices. Use when the user wants to check their auth implementation for vulnerabilities, harden session handling, fix credential storage, validate OAuth/OIDC flows, add MFA/passkeys, or apply OWASP-recommended security patterns.
- create-auth: Scaffold signin and signup authentication endpoints for a project. Use when the user wants to add authentication, create login/register flows, or set up auth from scratch.
- add-test-case: Add a new conformance test case to auth-testing-library. Use when adding a new test for auth endpoints (sign-up, sign-in, session, sign-out).