Audits authentication in web apps/APIs: password hashing, JWT handling, sessions, OAuth flows, MFA, and account controls against OWASP/NIST standards.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin authentication-validator

This skill is limited to using the following tools:
Audits and hardens authentication code against security best practices. Covers credential storage, error handling, sessions, input validation, OAuth/OIDC, MFA/passkeys, rate limiting, CSRF, and HTTP headers.
Detects OAuth2, JWT, RBAC/ABAC, session management, and MFA patterns in codebases. Evaluates auth security against OWASP guidelines and recommends improvements for tokens, permissions, and MFA. Useful for auth flow audits and PR reviews.
Analyzes auth mechanisms (passwords/sessions/JWT/OAuth/MFA) and authz patterns (RBAC/ABAC/ACL) for vulnerabilities like bypasses, hijacking, broken access control; reports with OWASP/NIST remediation.
Validate authentication mechanisms across web applications, APIs, and backend services for security weaknesses, compliance gaps, and implementation flaws. This skill examines password hashing, JWT token handling, session management, OAuth flows, MFA implementation, and account security controls against OWASP and NIST standards.
See ${CLAUDE_SKILL_DIR}/references/README.md for the OWASP authentication cheat sheet, NIST password guidelines, and JWT RFC specifications.

JWT handling: reject the none algorithm, flag HS256 with weak secrets, verify that the exp, iat, aud, and iss claims are validated, confirm tokens are not stored in localStorage (XSS exposure), and check for proper refresh token rotation.

Session management: confirm cookies carry the HttpOnly, Secure, and SameSite=Strict or SameSite=Lax attributes, and that session fixation protections are in place.

OAuth flows: check state parameter usage for CSRF protection, validate redirect URI whitelisting, check PKCE implementation for public clients, and verify token storage security.

| Error | Cause | Solution |
|---|---|---|
| No authentication code found | Incorrect scan scope or unconventional auth patterns | Broaden Grep patterns; check for third-party auth services (Auth0, Firebase Auth, Cognito) configured externally |
| Cannot determine hashing algorithm | Hashing abstracted behind framework | Inspect framework configuration files (e.g., config/auth.php, settings.py) for algorithm settings |
| JWT library version unknown | Dynamic dependency resolution | Check lock files (package-lock.json, poetry.lock) for pinned versions and cross-reference known vulnerabilities |
| Session config not in codebase | Session management handled by infrastructure | Check reverse proxy configs (nginx, Apache), cloud session stores (Redis, DynamoDB), or PaaS settings |
| Rate limiting not detectable | Rate limiting at infrastructure layer | Note as "unverifiable from codebase" and recommend confirming at the infrastructure level |
Scan ${CLAUDE_SKILL_DIR}/src/auth/ and ${CLAUDE_SKILL_DIR}/src/middleware/ for JWT signing and verification logic. Flag any use of jwt.sign() with algorithm: 'none' or HS256 paired with a secret shorter than 256 bits as CWE-327 (Use of Broken Crypto Algorithm), severity critical. Verify that jwt.verify() validates exp, aud, and iss claims.

Grep for bcrypt, argon2, scrypt, hashSync, pbkdf2 across the codebase. If password hashing uses crypto.createHash('md5') or hashlib.sha256() without PBKDF2 wrapping, flag as CWE-916, severity critical. Verify salt generation uses crypto.randomBytes() or equivalent CSPRNG.

Locate session configuration in ${CLAUDE_SKILL_DIR}/config/ or middleware setup files. Verify cookie attributes include httpOnly: true, secure: true, sameSite: 'strict', and maxAge under 24 hours. Flag missing httpOnly as CWE-1004 (Sensitive Cookie Without HttpOnly), severity high.
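As an added example (not code from this skill or its repository), the three checks above expressed as line-level regex rules and run over constructed sample source; the CWE numbers and severities follow the text, while the "JWT-CLAIMS" label and its severity for a jwt.verify() call that does not pin audience or issuer are assumptions.

```python
import re
from typing import Iterator

Finding = tuple[str, str, str, int, str]  # (cwe, severity, file, line_no, message)

# Constructed sample source (invented, not from any real project), one hit per rule.
SAMPLE_SOURCE = {
    "src/auth/token.js": [
        "const t1 = jwt.sign(payload, secret, { algorithm: 'none' });",
        "const t2 = jwt.sign(payload, 'shortkey', { algorithm: 'HS256' });",
        "const claims = jwt.verify(t2, secret, { audience: 'api' });",
    ],
    "src/auth/password.js": [
        "const digest = crypto.createHash('md5').update(pw).digest('hex');",
        "const hash = await bcrypt.hash(pw, 12);",
    ],
    "config/session.js": [
        "cookie: { secure: true, sameSite: 'strict', maxAge: 3600000 },",
    ],
}

JWT_NONE = re.compile(r"jwt\.sign\(.*algorithm:\s*['\"]none['\"]")
JWT_HS256_LITERAL = re.compile(r"jwt\.sign\([^,]+,\s*['\"]([^'\"]*)['\"].*HS256")
JWT_VERIFY = re.compile(r"jwt\.verify\(")
WEAK_HASH = re.compile(r"crypto\.createHash\(['\"](md5|sha1|sha256)['\"]\)|hashlib\.(md5|sha1|sha256)\(")
COOKIE_CONFIG = re.compile(r"\bcookie:\s*\{")


def check_line(path: str, line_no: int, line: str) -> Iterator[Finding]:
    """Yield findings for one source line, mirroring the rules in the text above."""
    if JWT_NONE.search(line):
        yield ("CWE-327", "critical", path, line_no, "jwt.sign() with algorithm 'none'")
    m = JWT_HS256_LITERAL.search(line)
    if m and (bits := len(m.group(1).encode()) * 8) < 256:  # hard-coded secret under 256 bits
        yield ("CWE-327", "critical", path, line_no, f"HS256 secret is only {bits} bits")
    if JWT_VERIFY.search(line):
        missing = [opt for opt in ("audience", "issuer") if f"{opt}:" not in line]
        if missing:  # label and severity are this example's assumption, not from the skill
            yield ("JWT-CLAIMS", "high", path, line_no, f"jwt.verify() does not pin {', '.join(missing)}")
    if WEAK_HASH.search(line) and "pbkdf2" not in line.lower():
        yield ("CWE-916", "critical", path, line_no, "fast hash used for passwords without PBKDF2 wrapping")
    if COOKIE_CONFIG.search(line) and "httpOnly: true" not in line:
        yield ("CWE-1004", "high", path, line_no, "session cookie missing httpOnly: true")


def audit(source: dict[str, list[str]]) -> list[Finding]:
    """Run check_line over every line of every file and collect the findings in order."""
    return [f for path, lines in source.items()
            for i, line in enumerate(lines, 1) for f in check_line(path, i, line)]


if __name__ == "__main__":
    for cwe, sev, path, n, msg in audit(SAMPLE_SOURCE):
        print(f"[{sev}] {cwe} {path}:{n} {msg}")
```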