Claude-code-plugins-plus-skills validating-authentication-implementations
Validate authentication mechanisms for security weaknesses and compliance. Use when reviewing login systems or auth flows. Trigger with 'validate authentication', 'check auth security', or 'review login'.
install
source · Clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/security/authentication-validator/skills/validating-authentication-implementations" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-validating-authentication-implem-837df4 && rm -rf "$T"
manifest:
plugins/security/authentication-validator/skills/validating-authentication-implementations/SKILL.mdsource content
Validating Authentication Implementations
Overview
Validate authentication mechanisms across web applications, APIs, and backend services for security weaknesses, compliance gaps, and implementation flaws. This skill examines password hashing, JWT token handling, session management, OAuth flows, MFA implementation, and account security controls against OWASP and NIST standards.
Prerequisites
- Access to the target codebase and configuration files in
${CLAUDE_SKILL_DIR}/ - Familiarity with the authentication framework in use (Passport.js, Spring Security, Django Auth, NextAuth, etc.)
- Standard shell utilities and Grep/Glob available for codebase scanning
- Reference:
for OWASP authentication cheat sheet, NIST password guidelines, and JWT RFC specifications${CLAUDE_SKILL_DIR}/references/README.md
Instructions
- Identify all authentication entry points by scanning for login routes, token endpoints, session initialization, and OAuth callback handlers using Grep across route definitions and controller files.
- Examine password storage by locating hashing function calls -- verify use of bcrypt, scrypt, or Argon2id with appropriate cost factors. Flag any use of MD5, SHA-1, SHA-256 without key stretching, or plaintext storage as CWE-916 (Use of Password Hash With Insufficient Computational Effort).
- Validate JWT implementations: check signing algorithms (reject
, flag HS256 with weak secrets), verifynone
,exp
,iat
, andaud
claims are validated, confirm tokens are not stored in localStorage (XSS exposure), and check for proper refresh token rotation.iss - Assess session management: verify session IDs are regenerated after authentication, sessions have appropriate timeouts (idle and absolute), cookies use
,HttpOnly
, andSecure
orSameSite=Strict
attributes, and session fixation protections are in place.SameSite=Lax - Review OAuth/OIDC flows: confirm
parameter usage for CSRF protection, validate redirect URI whitelisting, check PKCE implementation for public clients, and verify token storage security.state - Evaluate MFA implementation: confirm MFA is available for privileged accounts, check TOTP secret storage encryption, verify backup code generation uses cryptographically secure randomness, and flag any MFA bypass paths.
- Check account security controls: verify rate limiting on login endpoints, account lockout policies after failed attempts, secure password reset flows (time-limited tokens, no user enumeration), and brute-force protections.
- Validate credential transmission: confirm all auth endpoints enforce HTTPS, passwords are never logged or included in URLs, and API keys use secure header transmission rather than query parameters.
- Classify each finding by severity and map to CWE identifiers and OWASP ASVS requirements.
- Produce a remediation plan with specific code changes for each finding.
Output
- Authentication inventory: List of all auth mechanisms, endpoints, and flows in the codebase
- Findings report: Each finding includes severity, CWE reference (e.g., CWE-287 Improper Authentication, CWE-384 Session Fixation, CWE-916 Weak Password Hash), affected file/line, and remediation steps
- OWASP ASVS compliance matrix: Pass/fail status for ASVS V2 (Authentication) and V3 (Session Management) requirements
- Token security analysis: JWT algorithm, claim validation status, storage mechanism, and expiration policy
- Executive summary: Risk rating, total findings by severity, and top priority fixes
Error Handling
| Error | Cause | Solution |
|---|---|---|
| No authentication code found | Incorrect scan scope or unconventional auth patterns | Broaden Grep patterns; check for third-party auth services (Auth0, Firebase Auth, Cognito) configured externally |
| Cannot determine hashing algorithm | Hashing abstracted behind framework | Inspect framework configuration files (e.g., |
| JWT library version unknown | Dynamic dependency resolution | Check lock files ( |
| Session config not in codebase | Session management handled by infrastructure | Check reverse proxy configs (nginx, Apache), cloud session stores (Redis, DynamoDB), or PaaS settings |
| Rate limiting not detectable | Rate limiting at infrastructure layer | Note as "unverifiable from codebase" and recommend confirming at the infrastructure level |
Examples
JWT Implementation Review
Scan
${CLAUDE_SKILL_DIR}/src/auth/${CLAUDE_SKILL_DIR}/src/middleware/jwt.sign()algorithm: 'none'HS256jwt.verify()expaudissPassword Storage Audit
Grep for
bcryptargon2scrypthashSyncpbkdf2crypto.createHash('md5')hashlib.sha256()crypto.randomBytes()Session Cookie Hardening
Locate session configuration in
${CLAUDE_SKILL_DIR}/config/httpOnly: truesecure: truesameSite: 'strict'maxAgehttpOnly