# Auth Flow Operator
## Purpose
Securely obtain reliable authenticated context for downstream security testing.
## Inputs
- `target_url` (optional)
- `known_credentials` (MFA, email verification, SSO, CAPTCHA)
- `auth_notes` - policy
- `allowed_test_accounts`
## Workflow
### Phase 1: Route Discovery
- Identify login, registration, password reset, token refresh, logout paths.
- Determine auth mode: local creds, SSO, OTP, magic link, API token.
### Phase 2: Login Path
- Attempt known credentials in defined order.
- Validate success via authenticated-only action, not UI guess.
- Record session artifacts and expiry behavior.
### Phase 3: Registration Path
- Create dedicated test accounts when permitted.
- Capture verification dependencies.
- Validate role assignment and default permissions.
### Phase 4: Session Lifecycle
- Test logout invalidation.
- Test token/cookie rotation after privilege change.
- Test concurrent session behavior.
### Phase 5: Access Validation
- Confirm protected route gating.
- Confirm role-sensitive feature differences.
- Confirm cross-account isolation.
## Anti-Patterns
- Assuming logged-in state from UI text only.
- Reusing stale tokens without validation.
- Mixing account identities in one evidence stream.
## Output Contract

```json
{
  "working_auth_paths": [],
  "accounts": [],
  "session_lifecycle": [],
  "role_validation": [],
  "blockers": []
}
```

## Constraints
- No brute force.
- Respect account-creation and cleanup rules.
- Keep PII and credentials minimized in logs.
## Quality Checklist
- At least one stable auth path established.
- Session behavior tested, not inferred.
- Role boundaries verified with action-level checks.
## Detailed Operator Notes
### Session Validation Tests
- Confirm authenticated access after login and after token refresh.
- Confirm logout invalidates prior session tokens/cookies.
- Confirm password reset invalidates old sessions when expected.
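The checks above (and the Phase 2 rule that login success is proven by an authenticated-only action, not a UI guess) can be driven by a small harness. The code below is an added example, not part of the operator document: it runs against a constructed in-memory auth service, proves login via a protected `profile` action, verifies that logout and password reset invalidate earlier tokens, and reports the findings in the document's output-contract shape. The service, the account, the endpoint name and the `reset_revokes` switch are assumptions made for the example; against a real target the same steps would be issued as HTTP requests.

```python
"""Session-lifecycle validator (added example, not the operator document's code)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class ToyAuthService:
    """Constructed stand-in for a target's auth API (assumption for the example).
    `reset_revokes` toggles whether a password reset also terminates existing
    sessions, i.e. the failure mode the operator notes ask to verify."""
    passwords: dict = field(default_factory=lambda: {"tester@example.test": "correct-horse"})
    sessions: dict = field(default_factory=dict)  # token -> username
    reset_revokes: bool = True

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def profile(self, token):
        """Authenticated-only action: 200 only for a live session, else 401."""
        user = self.sessions.get(token)
        return (200, {"user": user}) if user else (401, None)

    def logout(self, token):
        self.sessions.pop(token, None)

    def reset_password(self, user, new_password):
        self.passwords[user] = new_password
        if self.reset_revokes:
            for t in [t for t, u in self.sessions.items() if u == user]:
                del self.sessions[t]


def validate_session_lifecycle(svc, user, password):
    """Return an output-contract record; every claim in it is backed by an action."""
    record = {
        "working_auth_paths": [],
        "accounts": [{"id": user, "origin": "provided"}],
        "session_lifecycle": [],
        "role_validation": [],
        "blockers": [],
    }
    token = svc.login(user, password)
    if token is None:
        record["blockers"].append("login rejected known credentials")
        return record

    status, _ = svc.profile(token)
    if status != 200:
        # The UI might look logged in; the API says otherwise (partial login).
        record["blockers"].append("post-login authenticated-only action failed")
        return record
    record["working_auth_paths"].append("local-credentials -> /profile")

    # Logout must invalidate the prior token: replay it and expect 401.
    svc.logout(token)
    logout_ok = svc.profile(token)[0] == 401
    record["session_lifecycle"].append({"check": "logout invalidates token", "pass": logout_ok})

    # Password reset must invalidate sessions opened before the reset.
    token = svc.login(user, password)
    svc.reset_password(user, "new-" + password)
    reset_ok = svc.profile(token)[0] == 401
    record["session_lifecycle"].append(
        {"check": "password reset invalidates old session", "pass": reset_ok})
    return record


if __name__ == "__main__":
    print(validate_session_lifecycle(ToyAuthService(), "tester@example.test", "correct-horse"))
    print(validate_session_lifecycle(ToyAuthService(reset_revokes=False),
                                     "tester@example.test", "correct-horse"))
```

Each `session_lifecycle` entry carries its own pass/fail so a failed reset-invalidation check lands in the evidence stream rather than being inferred from a successful logout check; a login failure is recorded as a blocker with its exact cause, as the reporting rules require.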
### Role Validation Tests
- Confirm role-specific UI and API behavior differ as expected.
- Confirm privilege elevation requires server-side enforcement.
- Confirm role claims in token align with backend checks.
### Common Failure Patterns
- Partial login success where UI changes but API remains unauthenticated.
- Mixed identity state from stale cookies and new tokens.
- Registration defaults granting broader permissions than intended.
### Reporting Rules
- Keep one identity timeline per account.
- Record account origin (`created` or `provided`) and intended role.
- Record exact blocker cause when auth setup fails.
## Quick Scenarios
### Scenario A: Authorization Drift
- Baseline with owned resource.
- Replay with foreign resource identifier.
- Repeat with role shift and fresh session.
- Confirm read/write/delete differences.
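Scenario A and the Phase 5 cross-account isolation check are the same differential: baseline each verb on an owned resource, replay it against a foreign identifier, then repeat under a role shift, and treat any replay the server did not deny as a finding. The code below is an added example, not the operator document's own code. It runs against a constructed in-memory resource API whose `enforce` parameter lists the verbs with a server-side ownership check, so leaving one out models a drift bug; the tokens, roles, resource ids and ownership policy are all assumptions for the example.

```python
"""Authorization-drift check (added example, not the operator document's code)."""

ALLOW, DENY = 200, 403


class ToyResourceApi:
    """Constructed target (assumption for the example). Only verbs listed in
    `enforce` have their ownership check implemented server-side."""

    def __init__(self, enforce=("read", "write", "delete")):
        self.enforce = set(enforce)
        # token -> (user, role); constructed fixtures, not real credentials
        self.sessions = {
            "tok-alice": ("alice", "user"),
            "tok-bob": ("bob", "user"),
            "tok-admin": ("carol", "admin"),
        }
        self.owners = {"doc-1": "alice", "doc-2": "bob"}

    def call(self, token, verb, resource_id):
        if token not in self.sessions:
            return 401
        user, role = self.sessions[token]
        if resource_id not in self.owners:
            return 404
        # Assumed policy: admins may read anything; write/delete need ownership.
        if verb == "read" and role == "admin":
            return ALLOW
        if verb in self.enforce and self.owners[resource_id] != user:
            return DENY
        return ALLOW


def authorization_drift(api, token, owned, foreign, verbs=("read", "write", "delete")):
    """Baseline each verb on `owned`, replay on `foreign`; a finding is any verb
    that succeeded on the owned resource and was not denied on the foreign one."""
    results, findings = {}, []
    for verb in verbs:
        base = api.call(token, verb, owned)
        replay = api.call(token, verb, foreign)
        results[verb] = {"owned": base, "foreign": replay}
        if base == ALLOW and replay == ALLOW:
            findings.append(f"{verb} on foreign resource {foreign} allowed with token {token}")
    return results, findings


def role_shift_check(api, admin_token, user_token, resource):
    """Repeat with a role shift and a fresh session per role, recording the
    per-verb outcome so read/write/delete differences are proven, not assumed."""
    return {
        verb: {"admin": api.call(admin_token, verb, resource),
               "user": api.call(user_token, verb, resource)}
        for verb in ("read", "write", "delete")
    }


if __name__ == "__main__":
    api = ToyResourceApi()
    print(authorization_drift(api, "tok-alice", "doc-1", "doc-2"))
    print(authorization_drift(ToyResourceApi(enforce=("read", "write")),
                              "tok-alice", "doc-1", "doc-2"))
    print(role_shift_check(api, "tok-admin", "tok-bob", "doc-1"))
```

The evidence requirement from the decision matrix (server-side denial/allow traces) is satisfied by the per-verb status pairs in `results`; `findings` is the list that belongs under `role_validation` or `blockers` in the output contract, one entry per token and resource so identities are not mixed in a single evidence stream.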
### Scenario B: Input Handling Weakness
- Send syntactically valid control payload.
- Send semantically malicious variant.
- Verify parser or execution side effect.
- Re-test with content-type variation.
### Scenario C: Workflow Bypass
- Execute expected state sequence.
- Attempt out-of-order transition.
- Attempt repeated action replay.
- Confirm server-side state enforcement.
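The four steps of Scenario C, carried through as an added example that is not part of the operator document: a constructed server-side state machine for a multi-step workflow is driven through the expected sequence, then an out-of-order jump and a replay of an already-completed step are attempted, and each outcome is recorded as pass/fail evidence. The workflow steps, the service and its `enforce_order` switch (which models a server that trusts the client's claimed step) are assumptions made for the example.

```python
"""Workflow-bypass check (added example, not the operator document's code)."""

# Expected order of a constructed multi-step workflow, e.g. a checkout.
STEPS = ["cart", "address", "payment", "confirm"]
TRANSITIONS = {STEPS[i]: STEPS[i + 1] for i in range(len(STEPS) - 1)}


class ToyWorkflowService:
    """Constructed target (assumption for the example). With
    `enforce_order=False` the server accepts whatever step the client names."""

    def __init__(self, enforce_order=True):
        self.enforce_order = enforce_order
        self.state = {}  # order_id -> current step

    def start(self, order_id):
        self.state[order_id] = STEPS[0]

    def advance(self, order_id, step):
        """Return 200 for an accepted transition, 409 for a rejected one."""
        current = self.state.get(order_id)
        if current is None:
            return 404
        if step not in STEPS:
            return 400
        if self.enforce_order and TRANSITIONS.get(current) != step:
            return 409
        self.state[order_id] = step
        return 200


def workflow_bypass_check(svc, order_id="order-1"):
    """Run the expected sequence, an out-of-order transition and a replay;
    return one evidence entry per check."""
    evidence = []

    # 1. Execute the expected state sequence on a fresh order.
    svc.start(order_id)
    expected_ok = all(svc.advance(order_id, s) == 200 for s in STEPS[1:])
    evidence.append({"check": "expected sequence accepted", "pass": expected_ok})

    # 2. Out-of-order: a second fresh order jumps straight to the final step.
    skip_id = order_id + "-skip"
    svc.start(skip_id)
    skip = svc.advance(skip_id, STEPS[-1])
    evidence.append({"check": "out-of-order transition rejected", "pass": skip == 409})

    # 3. Replay: the completed order re-sends an earlier step.
    replay = svc.advance(order_id, "payment")
    evidence.append({"check": "repeated action replay rejected", "pass": replay == 409})
    return evidence


if __name__ == "__main__":
    print(workflow_bypass_check(ToyWorkflowService()))
    print(workflow_bypass_check(ToyWorkflowService(enforce_order=False)))
```

Server-side enforcement is confirmed only when all three entries pass; a server that accepts the jump or the replay produces a failing entry with the exact transition that was accepted, which is the evidence the reporting rules ask for.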
## Conditional Decision Matrix
| Condition | Action | Evidence Requirement |
|---|---|---|
| Credentials succeed in UI but fail in API | validate token audience/session binding | endpoint-level auth proof |
| Registration requires email verification | capture verification state transitions | account timeline with states |
| MFA optional for some flows | compare protected action access with/without MFA | role/action differential |
| Logout appears successful but token works | test token reuse after logout/reset | post-logout replay proof |
| Role appears in UI only | validate backend authorization with privileged actions | server-side denial/allow traces |
## Advanced Coverage Extensions
- Test session fixation across pre- and post-login states.
- Test parallel session revocation behavior after password change.
- Test role downgrade persistence after privilege changes.
- Test account recovery path for unauthorized account linking.
- Test SSO fallback paths for local-auth bypass.