npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin authentication-validatorWant just this skill?
Then install: npx claudepluginhub u/[userId]/[slug]
Validate authentication mechanisms for security weaknesses and compliance. Use when reviewing login systems or auth flows. Trigger with 'validate authentication', 'check auth security', or 'review login'.
This skill is limited to using the following tools:
assets/README.mdreferences/README.mdscripts/README.mdscripts/authentication_check.pyscripts/jwt_analyzer.pyscripts/password_policy_check.pyValidating Authentication Implementations
Overview
Validate authentication mechanisms across web applications, APIs, and backend services for security weaknesses, compliance gaps, and implementation flaws. This skill examines password hashing, JWT token handling, session management, OAuth flows, MFA implementation, and account security controls against OWASP and NIST standards.
Prerequisites
- Access to the target codebase and configuration files in
${CLAUDE_SKILL_DIR}/ - Familiarity with the authentication framework in use (Passport.js, Spring Security, Django Auth, NextAuth, etc.)
- Standard shell utilities and Grep/Glob available for codebase scanning
- Reference:
${CLAUDE_SKILL_DIR}/references/README.mdfor OWASP authentication cheat sheet, NIST password guidelines, and JWT RFC specifications
Instructions
- Identify all authentication entry points by scanning for login routes, token endpoints, session initialization, and OAuth callback handlers using Grep across route definitions and controller files.
- Examine password storage by locating hashing function calls -- verify use of bcrypt, scrypt, or Argon2id with appropriate cost factors. Flag any use of MD5, SHA-1, SHA-256 without key stretching, or plaintext storage as CWE-916 (Use of Password Hash With Insufficient Computational Effort).
- Validate JWT implementations: check signing algorithms (reject
none, flag HS256 with weak secrets), verifyexp,iat,aud, andissclaims are validated, confirm tokens are not stored in localStorage (XSS exposure), and check for proper refresh token rotation. - Assess session management: verify session IDs are regenerated after authentication, sessions have appropriate timeouts (idle and absolute), cookies use
HttpOnly,Secure, andSameSite=StrictorSameSite=Laxattributes, and session fixation protections are in place. - Review OAuth/OIDC flows: confirm
stateparameter usage for CSRF protection, validate redirect URI whitelisting, check PKCE implementation for public clients, and verify token storage security. - Evaluate MFA implementation: confirm MFA is available for privileged accounts, check TOTP secret storage encryption, verify backup code generation uses cryptographically secure randomness, and flag any MFA bypass paths.
- Check account security controls: verify rate limiting on login endpoints, account lockout policies after failed attempts, secure password reset flows (time-limited tokens, no user enumeration), and brute-force protections.
- Validate credential transmission: confirm all auth endpoints enforce HTTPS, passwords are never logged or included in URLs, and API keys use secure header transmission rather than query parameters.
- Classify each finding by severity and map to CWE identifiers and OWASP ASVS requirements.
- Produce a remediation plan with specific code changes for each finding.
Output
- Authentication inventory: List of all auth mechanisms, endpoints, and flows in the codebase
- Findings report: Each finding includes severity, CWE reference (e.g., CWE-287 Improper Authentication, CWE-384 Session Fixation, CWE-916 Weak Password Hash), affected file/line, and remediation steps
- OWASP ASVS compliance matrix: Pass/fail status for ASVS V2 (Authentication) and V3 (Session Management) requirements
- Token security analysis: JWT algorithm, claim validation status, storage mechanism, and expiration policy
- Executive summary: Risk rating, total findings by severity, and top priority fixes
Error Handling
| Error | Cause | Solution |
|---|---|---|
| No authentication code found | Incorrect scan scope or unconventional auth patterns | Broaden Grep patterns; check for third-party auth services (Auth0, Firebase Auth, Cognito) configured externally |
| Cannot determine hashing algorithm | Hashing abstracted behind framework | Inspect framework configuration files (e.g., config/auth.php, settings.py) for algorithm settings |
| JWT library version unknown | Dynamic dependency resolution | Check lock files (package-lock.json, poetry.lock) for pinned versions and cross-reference known vulnerabilities |
| Session config not in codebase | Session management handled by infrastructure | Check reverse proxy configs (nginx, Apache), cloud session stores (Redis, DynamoDB), or PaaS settings |
| Rate limiting not detectable | Rate limiting at infrastructure layer | Note as "unverifiable from codebase" and recommend confirming at the infrastructure level |
Examples
JWT Implementation Review
Scan ${CLAUDE_SKILL_DIR}/src/auth/ and ${CLAUDE_SKILL_DIR}/src/middleware/ for JWT signing and
verification logic. Flag any use of jwt.sign() with algorithm: 'none' or
HS256 paired with a secret shorter than 256 bits as CWE-327 (Use of Broken
Crypto Algorithm), severity critical. Verify that jwt.verify() validates
exp, aud, and iss claims.
Password Storage Audit
Grep for bcrypt, argon2, scrypt, hashSync, pbkdf2 across the
codebase. If password hashing uses crypto.createHash('md5') or
hashlib.sha256() without PBKDF2 wrapping, flag as CWE-916, severity critical.
Verify salt generation uses crypto.randomBytes() or equivalent CSPRNG.
Session Cookie Hardening
Locate session configuration in ${CLAUDE_SKILL_DIR}/config/ or middleware setup files.
Verify cookie attributes include httpOnly: true, secure: true,
sameSite: 'strict', and maxAge under 24 hours. Flag missing httpOnly as
CWE-1004 (Sensitive Cookie Without HttpOnly), severity high.