audit: Authentication and authorization flows

[Snider]

Security Audit: Authentication & Authorization

Deep dive into auth mechanisms and access control.

Authentication Review

1. Password Handling

   • Hashing algorithm (bcrypt/argon2?)
   • Salt usage
   • Password requirements
   • Reset flow security

2. Session Management

   • Session ID generation
   • Session fixation protection
   • Timeout policies
   • Concurrent session handling

3. Token Security

   • JWT implementation (if used)
   • Token storage (httpOnly? secure?)
   • Refresh token rotation
   • Token revocation

4. Multi-factor

   • MFA implementation
   • Bypass vulnerabilities
   • Recovery codes

Authorization Review

1. Access Control Model - RBAC? ABAC? ACL?
2. Permission Checks - Consistent? Centralized?
3. Privilege Escalation - Horizontal/vertical
4. API Authorization - Every endpoint protected?
5. Resource Ownership - IDOR vulnerabilities?

Output

Save to AUDIT-AUTH.md

Include attack scenarios and proof-of-concept where possible.

[google-labs-jules]

Jules is on it. When finished, you will see another comment and be able to review a PR.

[google-labs-jules]

Ready for a review! A PR has been created.