Validate authentication mechanisms for security weaknesses and compliance. Use when reviewing login systems or auth flows. Trigger with 'validate authentication', 'check auth security', or 'review login'.
Triggered by the user, by Claude, or both.
Slash command: /authentication-validator:validating-authentication-implementations
This skill is limited to the following tools:
Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Validate authentication mechanisms across web applications, APIs, and backend services for security weaknesses, compliance gaps, and implementation flaws. This skill examines password hashing, JWT token handling, session management, OAuth flows, MFA implementation, and account security controls against OWASP and NIST standards.
See ${CLAUDE_SKILL_DIR}/references/README.md for the OWASP authentication cheat sheet, NIST password guidelines, and JWT RFC specifications.
JWT handling: check the signing algorithm (flag algorithm none and HS256 with weak secrets), verify that the exp, iat, aud, and iss claims are validated, confirm tokens are not stored in localStorage (XSS exposure), and check for proper refresh token rotation.
Session management: verify session cookies set the HttpOnly, Secure, and SameSite=Strict or SameSite=Lax attributes, and that session fixation protections are in place.
OAuth flows: verify state parameter usage for CSRF protection, validate redirect URI whitelisting, check PKCE implementation for public clients, and verify token storage security.
| Error | Cause | Solution |
|---|---|---|
| No authentication code found | Incorrect scan scope or unconventional auth patterns | Broaden Grep patterns; check for third-party auth services (Auth0, Firebase Auth, Cognito) configured externally |
| Cannot determine hashing algorithm | Hashing abstracted behind framework | Inspect framework configuration files (e.g., config/auth.php, settings.py) for algorithm settings |
| JWT library version unknown | Dynamic dependency resolution | Check lock files (package-lock.json, poetry.lock) for pinned versions and cross-reference known vulnerabilities |
| Session config not in codebase | Session management handled by infrastructure | Check reverse proxy configs (nginx, Apache), cloud session stores (Redis, DynamoDB), or PaaS settings |
| Rate limiting not detectable | Rate limiting at infrastructure layer | Note as "unverifiable from codebase" and recommend confirming at the infrastructure level |
Scan ${CLAUDE_SKILL_DIR}/src/auth/ and ${CLAUDE_SKILL_DIR}/src/middleware/ for JWT signing and
verification logic. Flag any use of jwt.sign() with algorithm: 'none' or
HS256 paired with a secret shorter than 256 bits as CWE-327 (Use of Broken
Crypto Algorithm), severity critical. Verify that jwt.verify() validates
exp, aud, and iss claims.
Grep for bcrypt, argon2, scrypt, hashSync, pbkdf2 across the
codebase. If password hashing uses crypto.createHash('md5') or
hashlib.sha256() without PBKDF2 wrapping, flag as CWE-916, severity critical.
Verify salt generation uses crypto.randomBytes() or equivalent CSPRNG.
Locate session configuration in ${CLAUDE_SKILL_DIR}/config/ or middleware setup files.
Verify cookie attributes include httpOnly: true, secure: true,
sameSite: 'strict', and maxAge under 24 hours. Flag missing httpOnly as
CWE-1004 (Sensitive Cookie Without HttpOnly), severity high.
npx claudepluginhub flight505/skill-forge --plugin authentication-validator