    hirefrank

    auth-security-validator

    hirefrank/auth-security-validator
    Security

    About

    Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.

    SKILL.md

    Auth Security Validator SKILL

    Activation Patterns

    This SKILL automatically activates when:

    • Files matching **/auth/** are created/modified
    • Session configuration files modified (app.config.ts, auth.ts)
    • Password hashing code changes
    • Cookie configuration changes
    • Before deployment operations

    Validation Rules

    P1 - Critical (Block Operations)

    Password Hashing:

    • ✅ Uses Argon2id (@node-rs/argon2)
    • ❌ NOT using: bcrypt, MD5, SHA-256, plain text
    • ✅ Memory cost ≥ 19456 KB
    • ✅ Time cost ≥ 2 iterations

    Cookie Security:

    • ✅ secure: true (HTTPS-only)
    • ✅ httpOnly: true (XSS prevention)
    • ✅ sameSite: 'lax' or 'strict' (CSRF mitigation)

    Session Configuration:

    • ✅ Session password/secret ≥ 32 characters
    • ✅ Max age configured (not infinite)

    P2 - Important (Warn)

    CSRF Protection:

    • ⚠️ CSRF protection enabled (automatic in better-auth)
    • ⚠️ No custom form handlers bypassing CSRF

    Rate Limiting:

    • ⚠️ Rate limiting on login endpoint
    • ⚠️ Rate limiting on register endpoint
    • ⚠️ Rate limiting on password reset

    Input Validation:

    • ⚠️ Email format validation
    • ⚠️ Password minimum length (8+ characters)
    • ⚠️ Input sanitization

    P3 - Suggestions (Inform)

    • ℹ️ Session rotation on privilege escalation
    • ℹ️ 2FA/MFA support
    • ℹ️ Account lockout after failed attempts
    • ℹ️ Password complexity requirements
    • ℹ️ OAuth state parameter validation

    Validation Output

    🔒 Authentication Security Validation
    
    ✅ P1 Checks (Critical):
       ✅ Password hashing: Argon2id with correct params
       ✅ Cookies: secure, httpOnly, sameSite configured
       ✅ Session secret: 32+ characters
    
    ⚠️ P2 Checks (Important):
       ⚠️ No rate limiting on login endpoint
       ✅ Input validation present
       ✅ CSRF protection enabled
    
    ℹ️ P3 Suggestions:
       ℹ️ Consider adding session rotation
       ℹ️ Consider 2FA for sensitive operations
    
    📋 Summary: 1 warning found
    💡 Run /es-auth-setup to fix issues
    

    Security Patterns Detected

    Good Patterns ✅:

    // Argon2id with correct params (@node-rs/argon2; memoryCost is in KiB, so 19456 = 19 MiB)
    import * as argon2 from '@node-rs/argon2';

    const hash = await argon2.hash(password, {
      memoryCost: 19456,
      timeCost: 2,
      outputLen: 32,
      parallelism: 1
    });
    
    // Secure cookie config (the `cookie` entry of the session options object)
    cookie: {
      secure: true,
      httpOnly: true,
      sameSite: 'lax'
    }
    

    Bad Patterns ❌:

    // Weak hashing
    const hash = crypto.createHash('sha256').update(password).digest('hex'); // ❌
    
    // Insecure cookies
    cookie: {
      secure: false, // ❌
      httpOnly: false // ❌
    }
    
    // Weak session secret
    password: '12345' // ❌ Too short
    

    Escalation

    Complex scenarios escalate to the better-auth-specialist agent:

    • Custom authentication flows
    • Advanced OAuth configuration
    • Passkey implementation
    • Multi-factor authentication setup
    • Security audit requirements

    Notes

    • Runs automatically on auth-related file changes
    • Can block deployments with P1 security issues
    • Follows OWASP Top 10 guidelines
    • Integrates with /validate and /es-deploy commands
    • Queries better-auth MCP for provider security requirements

    Repository: hirefrank/hirefrank-marketplace