OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry auth-security-validator

Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/auth-security-validator" ~/.claude/skills/majiayu000-claude-skill-registry-auth-security-validator && rm -rf "$T"
manifest: skills/data/auth-security-validator/SKILL.md
tags
#security#authentication#owasp#compliance#validation
source content

Auth Security Validator SKILL

Activation Patterns

This SKILL automatically activates when:

  • Files matching 
    **/auth/**
    are created/modified
  • Session configuration files modified (app.config.ts, auth.ts)
  • Password hashing code changes
  • Cookie configuration changes
  • Before deployment operations

Validation Rules

P1 - Critical (Block Operations)

Password Hashing:

  • ✅ Uses Argon2id (
    @node-rs/argon2
    )
  • ❌ NOT using: bcrypt, MD5, SHA-256, plain text
  • ✅ Memory cost ≥ 19456 KB
  • ✅ Time cost ≥ 2 iterations

Cookie Security:

  • secure: true
    (HTTPS-only)
  • httpOnly: true
    (XSS prevention)
  • sameSite: 'lax'
    or 
    'strict'
    (CSRF mitigation)

Session Configuration:

  • ✅ Session password/secret ≥ 32 characters
  • ✅ Max age configured (not infinite)

P2 - Important (Warn)

CSRF Protection:

  • ⚠️ CSRF protection enabled (automatic in better-auth)
  • ⚠️ No custom form handlers bypassing CSRF

Rate Limiting:

  • ⚠️ Rate limiting on login endpoint
  • ⚠️ Rate limiting on register endpoint
  • ⚠️ Rate limiting on password reset

Input Validation:

  • ⚠️ Email format validation
  • ⚠️ Password minimum length (8+ characters)
  • ⚠️ Input sanitization

P3 - Suggestions (Inform)

  • ℹ️ Session rotation on privilege escalation
  • ℹ️ 2FA/MFA support
  • ℹ️ Account lockout after failed attempts
  • ℹ️ Password complexity requirements
  • ℹ️ OAuth state parameter validation

Validation Output

🔒 Authentication Security Validation

✅ P1 Checks (Critical):
   ✅ Password hashing: Argon2id with correct params
   ✅ Cookies: secure, httpOnly, sameSite configured
   ✅ Session secret: 32+ characters

⚠️ P2 Checks (Important):
   ⚠️ No rate limiting on login endpoint
   ✅ Input validation present
   ✅ CSRF protection enabled

ℹ️ P3 Suggestions:
   ℹ️ Consider adding session rotation
   ℹ️ Consider 2FA for sensitive operations

📋 Summary: 1 warning found
💡 Run /es-auth-setup to fix issues

Security Patterns Detected

Good Patterns ✅:

// Argon2id with correct params
const hash = await argon2.hash(password, {
  memoryCost: 19456,
  timeCost: 2,
  outputLen: 32,
  parallelism: 1
});

// Secure cookie config
cookie: {
  secure: true,
  httpOnly: true,
  sameSite: 'lax'
}

Bad Patterns ❌:

// Weak hashing
const hash = crypto.createHash('sha256').update(password).digest('hex'); // ❌

// Insecure cookies
cookie: {
  secure: false, // ❌
  httpOnly: false // ❌
}

// Weak session secret
password: '12345' // ❌ Too short

Escalation

Complex scenarios escalate to 

better-auth-specialist
agent:

  • Custom authentication flows
  • Advanced OAuth configuration
  • Passkey implementation
  • Multi-factor authentication setup
  • Security audit requirements

Notes

  • Runs automatically on auth-related file changes
  • Can block deployments with P1 security issues
  • Follows OWASP Top 10 guidelines
  • Integrates with 
    /validate
    and 
    /es-deploy
    commands
  • Queries better-auth MCP for provider security requirements