auth-audit

Comprehensive audit of authentication and authorization implementations.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "auth-audit" with this command: npx skills add fusengine/agents/fusengine-agents-auth-audit

Auth Audit Skill

Overview

Comprehensive audit of authentication and authorization implementations.

Audit Categories

Category    Checks
JWT         Signing algo, expiration, refresh, storage
Sessions    Storage, expiry, regeneration, fixation
OAuth2      PKCE, state param, redirect validation
Passwords   Hashing algo, strength rules, reset flow
MFA         Implementation, backup codes, recovery
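The OAuth2 row above (PKCE, state parameter, redirect validation) as working code, written here as an added example; it is not part of the auth-audit skill or its repository. The class and function names, the 32-byte verifier entropy and the exact-match redirect policy are this example's own choices, and the public-client side is shown alongside the checks an authorization server runs at /token.

```python
"""Added example: PKCE (S256), single-use state, and exact redirect_uri matching.
Not the auth-audit skill's code; all names here are this example's assumptions."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def b64url(data: bytes) -> str:
    """RFC 7636 base64url encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: 32 random bytes -> 43-char code_verifier; challenge = S256(verifier)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str, method: str) -> bool:
    """Server side at /token: accept S256 only. 'plain' lets anyone who saw the
    authorization request redeem the code, which defeats the point of PKCE."""
    if method != "S256":
        return False
    expected = b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected.encode(), challenge.encode())


def redirect_uri_allowed(requested: str, registered: List[str]) -> bool:
    """Exact match against the registered list. Prefix or substring matching is
    the anti-pattern: 'https://app.example/cb.evil.com' and
    'https://app.example/cb/../x' must both be refused."""
    return any(hmac.compare_digest(requested.encode(), r.encode()) for r in registered)


class PublicClient:
    """Tracks one in-flight authorization request per state value."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # state -> code_verifier

    def start_authorization(self) -> Dict[str, str]:
        """Parameters the client adds to the /authorize request."""
        verifier, challenge = make_pkce_pair()
        state = b64url(secrets.token_bytes(16))  # unguessable, bound to this browser session
        self._pending[state] = verifier
        return {"state": state, "code_challenge": challenge, "code_challenge_method": "S256"}

    def handle_callback(self, params: Dict[str, str]) -> str:
        """Checks the callback and returns the code_verifier to send to /token.
        pop() makes state single-use, so a replayed or forged callback fails."""
        verifier = self._pending.pop(params.get("state", ""), None)
        if verifier is None:
            raise ValueError("state missing, unknown or already used")
        if "code" not in params:
            raise ValueError("callback carries no authorization code")
        return verifier


if __name__ == "__main__":
    client = PublicClient()
    req = client.start_authorization()
    code_verifier = client.handle_callback({"state": req["state"], "code": "constructed-code"})
    print("PKCE ok:", verify_pkce(code_verifier, req["code_challenge"], req["code_challenge_method"]))
    print("redirect ok:", redirect_uri_allowed("https://app.example/cb", ["https://app.example/cb"]))
```

When auditing a real client, the three things to look for are exactly the three branches that fail here: a `code_challenge_method` of `plain` (or no PKCE at all), a state value that is absent, predictable or accepted more than once, and a redirect check that uses `startswith` or a regex instead of equality.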

Workflow

  • Detect auth implementation (JWT, sessions, OAuth)

  • Scan for known anti-patterns

  • Verify cryptographic choices

  • Check token/session lifecycle

  • Audit authorization logic (RBAC, ABAC)

Common Vulnerabilities

  • JWT signed with none algorithm

  • JWT secret too short (< 256 bits)

  • No token expiration, or a lifetime far longer than the session needs

  • Refresh tokens stored in localStorage

  • Session ID not regenerated after login (session fixation)

  • Missing CSRF protection

  • OAuth without PKCE for public clients

  • Missing state parameter in OAuth flow
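The JWT items from the workflow and the list above (alg none, secret under 256 bits, missing or over-long expiry) as an audit function and the hardened verifier that refuses them. This is an added example, not code from the auth-audit skill; the function names, the 15-minute access-token lifetime threshold and the sample tokens are this example's assumptions, and the tokens are constructed inline rather than captured from any system.

```python
"""Added example: audit a JWT for the anti-patterns listed on this page, and verify
one safely. Not the skill's code; names and thresholds are this example's own."""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List

MIN_HMAC_SECRET_BITS = 256             # from the page: a secret under 256 bits is a finding
MAX_ACCESS_LIFETIME_SECONDS = 15 * 60  # assumption: access tokens live minutes, not days
NOW = 1_700_000_000                    # fixed clock so the constructed tokens stay stable


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(header: Dict[str, Any], payload: Dict[str, Any], secret: bytes) -> str:
    """Builds an HS256 token, or an unsigned one when alg is 'none', to feed the audit."""
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    if header.get("alg") == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def audit_token(token: str, secret: bytes, now: int = NOW) -> List[str]:
    """Decodes without verifying (an audit, not a login) and returns finding codes."""
    head_b64, body_b64, _sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    payload = json.loads(_b64url_decode(body_b64))
    findings: List[str] = []

    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg-none")        # no signature is checked at all
    elif alg.startswith("hs") and len(secret) * 8 < MIN_HMAC_SECRET_BITS:
        findings.append("weak-secret")     # brute-forceable offline from one captured token

    if "exp" not in payload:
        findings.append("no-exp")          # a leaked token is valid forever
    elif payload["exp"] - payload.get("iat", now) > MAX_ACCESS_LIFETIME_SECONDS:
        findings.append("long-exp")        # lifetime larger than an access token needs
    return findings


def verify_hs256(token: str, secret: bytes, now: int = NOW) -> Dict[str, Any]:
    """Hardened verifier: the algorithm is pinned by the server, never taken from the header."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":       # refuses 'none' and any other header-chosen alg
        raise ValueError("unexpected alg")
    if len(secret) * 8 < MIN_HMAC_SECRET_BITS:
        raise ValueError("HMAC secret too short")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if "exp" not in payload or payload["exp"] <= now:
        raise ValueError("missing or expired exp")
    return payload


# Constructed sample tokens (not captured from any real system).
WEAK_SECRET = b"secret"                  # 48 bits
STRONG_SECRET = bytes(range(32))         # 256 bits; a real key comes from os.urandom
TOKEN_NONE = mint_token({"alg": "none", "typ": "JWT"}, {"sub": "alice"}, STRONG_SECRET)
TOKEN_WEAK_LONG = mint_token({"alg": "HS256", "typ": "JWT"},
                             {"sub": "alice", "iat": NOW, "exp": NOW + 30 * 86400}, WEAK_SECRET)
TOKEN_OK = mint_token({"alg": "HS256", "typ": "JWT"},
                      {"sub": "alice", "iat": NOW, "exp": NOW + 600}, STRONG_SECRET)

if __name__ == "__main__":
    for name, tok, key in [("none", TOKEN_NONE, STRONG_SECRET),
                           ("weak/long", TOKEN_WEAK_LONG, WEAK_SECRET),
                           ("ok", TOKEN_OK, STRONG_SECRET)]:
        print(name, audit_token(tok, key))
```

The audit side deliberately decodes without verifying, because the point is to inspect what the application issues; the verify side does the opposite and fails closed on every item the list above names. A library that reads `alg` from the header to decide how to verify is the root of the `none` bug, which is why `verify_hs256` compares the header against a fixed value instead.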

References

  • Auth Patterns

  • Auth Checklist

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals. All three are in the Security category, carry the "Needs Review" label, and have no summary from the upstream source.

  • react-effects-audit

  • security-scan

  • dependency-audit