Auth Audit Skill

Overview

Audit Categories

Workflow

1. Detect auth implementation (JWT, sessions, OAuth)
2. Scan for known anti-patterns
3. Verify cryptographic choices
4. Check token/session lifecycle
5. Audit authorization logic (RBAC, ABAC)

Common Vulnerabilities

• JWT signed with

  none

  algorithm
• JWT secret too short (< 256 bits)
• No token expiration or too long
• Refresh tokens stored in localStorage
• Session fixation after login
• Missing CSRF protection
• OAuth without PKCE for public clients
• Missing

  state

  parameter in OAuth flow

References

• Auth Patterns
• Auth Checklist