Securityfusengine

auth-audit

Audit authentication and authorization patterns. Checks JWT, sessions, OAuth2, PKCE implementations for security best practices and common vulnerabilities.

Stars: 13
Source: fusengine/agents
Updated: 2026-05-17
Slug: fusengine--agents--auth-audit

View on GitHub Raw SKILL.md

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/fusengine/agents/HEAD/plugins/security-expert/skills/auth-audit/SKILL.md -o .claude/skills/auth-audit.md

Drops the SKILL.md into .claude/skills/auth-audit.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Auth Audit Skill

Overview

Comprehensive audit of authentication and authorization implementations.

Audit Categories

Category	Checks
JWT	Signing algo, expiration, refresh, storage
Sessions	Storage, expiry, regeneration, fixation
OAuth2	PKCE, state param, redirect validation
Passwords	Hashing algo, strength rules, reset flow
MFA	Implementation, backup codes, recovery

Workflow

Detect auth implementation (JWT, sessions, OAuth)
Scan for known anti-patterns
Verify cryptographic choices
Check token/session lifecycle
Audit authorization logic (RBAC, ABAC)

Common Vulnerabilities

JWT signed with none algorithm
JWT secret too short (< 256 bits)
No token expiration or too long
Refresh tokens stored in localStorage
Session fixation after login
Missing CSRF protection
OAuth without PKCE for public clients
Missing state parameter in OAuth flow

References