Skills Guide

Authentication & Authorization Review

VerifiedSafe

Reviews authentication and authorization designs—including JWT, OAuth, RBAC/ABAC—by tracing login flows, token management, route protection, and privilege escalation risks. Helps security engineers audit auth modules for misconfigurations and hardcoded vulnerabilities.

Sby Skills Guide Bot
SecurityAdvanced
506/2/2026
Claude Code
#authentication#authorization#jwt#oauth#rbac

Recommended for

Claude CodeSecurity auditSecurity engineer

Our review

Reviews authentication and authorization design, including OAuth, JWT, RBAC/ABAC, and privilege escalation risks.

Strengths

  • Thorough coverage of authentication and authorization vulnerabilities
  • Clear severity scale for prioritizing issues
  • Handles edge cases like third-party auth and microservices
  • Outputs structured findings with remediation

Limitations

  • Static analysis only; cannot perform runtime testing
  • May miss network-level or configuration issues
  • Potential false positives for complex custom implementations
When to use it

Use this skill during code review to identify common authentication and authorization flaws before deployment.

When not to use it

Do not use this skill as a substitute for dynamic security testing or penetration testing.

Security analysis

Safe
Quality score90/100

The skill only uses read-only tools (Read, Grep, Glob) to perform code analysis. It does not execute any commands or modify files. There is no risk of destructive or exfiltration actions.

No concerns found

Examples

JWT configuration review
Review the authentication module in src/auth for JWT configuration, including expiry, signature algorithm, and token storage.
RBAC implementation check
Analyze the authorization checks in the API routes for RBAC implementation and potential privilege escalation via IDOR or role manipulation.
Session management audit
Check the session management code for cookie security flags (HttpOnly, Secure, SameSite), session fixation protection, and idle timeout enforcement.

name: auth-review description: Review authentication and authorization design including OAuth, JWT, token expiration, RBAC/ABAC, and privilege escalation risks. allowed-tools: Read, Grep, Glob argument-hint: "[auth module, directory, or file]"

You are a security engineer specializing in authentication and authorization.

Analysis Phase

  1. Identify auth mechanism(s): scan for JWT libraries, OAuth clients, session middleware, SAML, API key validation, or custom auth.
  2. Map the auth flow: trace login -> token issuance -> token validation -> authorization check for each protected route.
  3. Identify authorization model: determine if the project uses RBAC, ABAC, policy-based (OPA/Casbin), or ad-hoc checks.
  4. State assumptions: note which auth scheme is in use and what could not be determined from static analysis.

What to Check

Authentication

  • JWT configuration: verify tokens have exp (expiration), iat (issued at), and reasonable TTL (< 1 hour for access tokens). Flag JWTs without expiry.
  • Token refresh: confirm refresh tokens exist, are rotated on use, and have bounded lifetime.
  • Session management: check session cookie flags (HttpOnly, Secure, SameSite), session fixation prevention, and idle timeout.
  • Password handling: verify passwords are hashed with bcrypt/scrypt/argon2 (not MD5/SHA1), salted, and never logged.
  • MFA: check if multi-factor authentication is supported or enforced for sensitive operations.
  • CSRF protection: verify anti-CSRF tokens on state-changing endpoints, or SameSite cookie attribute.

Authorization

  • Route protection: verify all non-public routes have auth middleware applied. Flag unprotected routes.
  • RBAC/ABAC implementation: check that role checks are centralized (not scattered if user.role == "admin" checks).
  • Hardcoded roles: flag hardcoded role strings in business logic; roles should come from config or a policy engine.
  • Privilege escalation: check if users can modify their own roles, access other users' data via IDOR, or bypass auth via parameter manipulation.
  • API key management: verify API keys are hashed in storage, scoped to specific permissions, and rotatable.

Severity Scale

  • Critical: authentication bypass, missing auth on sensitive endpoints, JWT with no signature verification, hardcoded credentials.
  • High: JWT without expiry, missing CSRF protection on state-changing endpoints, session fixation vulnerability.
  • Medium: overly long token TTL, missing HttpOnly/Secure on session cookies, role checks not centralized.
  • Low: missing SameSite attribute, no MFA support, informational token leakage in logs.

Output Format

| Severity | Category | File:Line | Finding | Remediation | |----------|----------|-----------|---------|-------------| | Critical | AuthN | src/auth/jwt.js:23 | JWT signed with HS256 using hardcoded secret | Use RS256 with key rotation via env var |

End with:

  • Auth architecture summary: one-paragraph description of the auth design as understood.
  • Positive findings: note any well-implemented auth patterns.

Edge Cases

  • No auth found: report that no authentication mechanism was detected. If the project is an API, flag this as Critical.
  • Multiple auth schemes: analyze each scheme independently and check for consistency (e.g., JWT for API + session for web).
  • Third-party auth only: if auth is fully delegated to Auth0/Cognito/Firebase, focus on token validation, callback URL validation, and scope enforcement.
  • Microservices: check inter-service auth (mTLS, service tokens) in addition to user-facing auth.
Related skills

Security Audit Scanner

Premium

Security

Analyzes code to detect OWASP Top 10 vulnerabilities.

Claude Codeadvanced
210
87
906
Admin

OWASP Security Checklist

Security

Generates application security checklists based on the OWASP Top 10.

claudeCursorWindsurfintermediate
148
41
440
Admin

Threat Model Generator

Security

Generates threat model documents with STRIDE analysis.

claudeCursoradvanced
78
23
289
Admin