zhongwei/gh-varaku1012-aditi-code-plugins-auth0-oauth-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-varaku1012-aditi-code-pl…/commands/oauth-security-audit.md
Zhongwei Li 30a2216ea3 Initial commit
2025-11-30 09:04:20 +08:00

304 lines
8.8 KiB
Markdown
Raw Permalink Blame History

---
description: Security audit checklist for Auth0 OAuth implementation
---
# OAuth Security Audit
Run a comprehensive security audit on your Auth0 implementation.
## Quick Start
```bash
/oauth-security-audit
```
This will check:
- Token security (storage, expiration, rotation)
- OAuth flow security (PKCE, state parameter, CSRF)
- Compliance (GDPR, HIPAA, SOC2)
- Configuration hardening
- Common vulnerabilities
---
## Security Checklist
### Frontend Security
- [ ] **Token Storage**: In-memory or HTTP-only cookies only (NO localStorage)
- Check: `grep -r "localStorage.*token" src/`
- Should be empty
- [ ] **PKCE Enabled**: For SPAs (Authorization Code + PKCE)
- Check: Auth0 React SDK handles automatically ✅
- Or verify custom code includes `code_verifier`
- [ ] **State Parameter**: CSRF protection
- Check: Auth0 SDKs handle automatically ✅
- Or verify `state` parameter in custom auth flow
- [ ] **HTTPS Enforced**: All auth requests over HTTPS
- Check: No `http://` in production callback URLs
- Production callback URLs use `https://`
- [ ] **Token Expiration Short**: Access tokens < 15 minutes
- Check: Auth0 Dashboard → Applications → Settings → Token Expiration
- Should be: 300-900 seconds (5-15 minutes)
- [ ] **Refresh Token Rotation**: Enabled for token refresh
- Check: Auth0 Dashboard → Applications → Settings → Refresh Token Rotation
- Should be: Enabled ✅
- [ ] **Content Security Policy (CSP)**: Restrict script sources
- Check: HTTP header `Content-Security-Policy`
- Should include: `default-src 'self'`
---
### Backend Security
- [ ] **JWT Signature Validation**: Verify token signature
- Check: Code uses `jwt.verify()` with public key
- Should NOT use: `jwt.decode()` (no verification)
- [ ] **Audience Validation**: Check `aud` claim matches API
- Check: `jwt.verify(token, key, { audience: 'https://api.example.com' })`
- Token `aud` must match expected audience
- [ ] **Issuer Validation**: Check `iss` claim matches Auth0 domain
- Check: `jwt.verify(token, key, { issuer: 'https://YOUR_DOMAIN/' })`
- Token `iss` must match Auth0 domain
- [ ] **Algorithm Validation**: Only RS256 (asymmetric)
- Check: `jwt.verify(token, key, { algorithms: ['RS256'] })`
- Should NOT allow: `HS256` (symmetric, security risk)
- [ ] **Scope Validation**: Check scopes for authorization
- Check: Code validates `token.scope` includes required scope
- Example: `if (!scopes.includes('delete:items')) return 403`
- [ ] **No Token in Logs**: Sensitive tokens not logged
- Check: `grep -r "token\|password\|secret" logs/`
- Should be: Sanitized or empty
- [ ] **CORS Configured Properly**: Only allow trusted origins
- Check: `app.use(cors({ origin: ['https://myapp.com'] }))`
- Should NOT be: `origin: '*'` (allows any origin)
---
### Auth0 Configuration Security
- [ ] **MFA Enabled**: Multi-factor authentication required
- Check: Auth0 Dashboard → Connections → Authenticators
- Should have: Google Authenticator, SMS, or Email OTP enabled
- [ ] **Password Policy**: Strong passwords required
- Check: Auth0 Dashboard → Connections → Database → Password Policy
- Should be: "Good" or "Excellent"
- [ ] **Suspicious Activity Detection**: Enabled
- Check: Auth0 Dashboard → Security → Attack Protection
- Should have: Brute force, suspicious IP protection enabled
- [ ] **Logout Clears Session**: User properly logged out
- Check: `/api/auth/logout` clears all session data
- Should have: `logoutParams: { returnTo: safe_url }`
- [ ] **No Overpermissioned Scopes**: Only request necessary scopes
- Check: Auth0 Dashboard → Applications → Settings → Default Audience
- Should be: Minimal (e.g., `openid profile email`)
- [ ] **API Keys Secure**: Secrets not in version control
- Check: `.env` is in `.gitignore`
- Should NOT be in: `git log`, `public files`, `comments`
- [ ] **Rules/Actions Audited**: Custom logic secure
- Check: Auth0 Dashboard → Rules → [Review each rule]
- Should NOT: Grant extra permissions, log passwords, call untrusted APIs
---
### Data Protection & Compliance
- [ ] **GDPR Compliant**: User consent, deletion, portability
- [ ] Consent shown before social login
- [ ] User can request data deletion (via API or form)
- [ ] Data deletion implemented (removes from Auth0 + your DB)
- [ ] Privacy policy links from login page
- [ ] **HIPAA Compliant**: (if handling health data)
- [ ] Business Associate Agreement (BAA) signed with Auth0
- [ ] MFA enforced
- [ ] Audit logging enabled
- [ ] Data encrypted in transit (HTTPS) and at rest
- [ ] **SOC2 Compliant**: If required for compliance
- [ ] Change logs available (Auth0 Logs)
- [ ] Access controls documented
- [ ] Incident response plan in place
- [ ] Regular security assessments done
- [ ] **Data Residency**: Data stored in correct region
- Check: Auth0 Dashboard → Tenants → Region
- EU apps: Select "Europe" region
- US apps: Select "United States" region
---
### Error Handling & Logging
- [ ] **Errors Don't Leak Info**: Auth errors are generic
- Check: Error messages in UI
- Should be: "Login failed" (NOT "Email doesn't exist" or "Invalid password")
- [ ] **Webhook Errors Handled**: Failures don't break auth flow
- Check: Webhook error handler has try/catch
- Should have: Retry logic with exponential backoff
- [ ] **Audit Logs Enabled**: All auth events logged
- Check: Auth0 Dashboard → Logs (shows all login events)
- Should have: 100+ entries with timestamps
- [ ] **Sensitive Data Redacted**: Logs don't contain secrets
- Check: grep -r "password\|token\|secret" logs/
- Should be: Redacted or not logged
---
### Testing
- [ ] **Unit Tests**: Auth components tested
- Check: `npm test` includes auth tests
- Should have: Mock Auth0, test protected routes
- [ ] **Integration Tests**: Auth flow tested end-to-end
- Check: Test login → callback → API call
- Should verify: Token exchange, API access
- [ ] **Security Tests**: Vulnerabilities tested
- [ ] Test expired token handling
- [ ] Test invalid token rejection
- [ ] Test missing scope error (403)
- [ ] Test logout clears session
---
## Security Scoring
**Count your checkmarks**:
- 40+ checked: ✅ **Excellent** (Production ready)
- 30-39 checked: ⚠️ **Good** (Address medium priority items)
- 20-29 checked: ❌ **Fair** (Address high priority items)
- <20 checked: 🚨 **Critical** (Major issues, don't deploy)
---
## Common Vulnerabilities to Fix
### 1. Token Leakage (Critical)
```javascript
// WRONG ❌
localStorage.setItem('token', accessToken)
sessionStorage.setItem('token', accessToken)
// RIGHT ✅
// Use Auth0 SDK (in-memory storage)
// Or for Next.js (HTTP-only cookies)
```
### 2. Missing PKCE (High)
```javascript
// WRONG ❌
// No code_verifier or code_challenge
// RIGHT ✅
// Use Auth0 React SDK (automatic PKCE)
// Or custom: include code_verifier in token exchange
```
### 3. Wrong Token Type (High)
```javascript
// WRONG ❌
const idToken = getIDToken()
fetch('/api/items', {
headers: { Authorization: `Bearer ${idToken}` }
})
// RIGHT ✅
const accessToken = getAccessToken()
fetch('/api/items', {
headers: { Authorization: `Bearer ${accessToken}` }
})
```
### 4. No Audience Validation (High)
```typescript
// WRONG ❌
jwt.verify(token, publicKey) // No audience check
// RIGHT ✅
jwt.verify(token, publicKey, {
audience: 'https://api.myapp.com'
})
```
### 5. Scope Not Checked (Medium)
```typescript
// WRONG ❌
app.delete('/items/:id', checkJwt, (req, res) => {
// Delete without scope check
res.json({ deleted: true })
})
// RIGHT ✅
app.delete('/items/:id', checkJwt, (req, res) => {
const scopes = req.auth.scope?.split(' ') || []
if (!scopes.includes('delete:items')) {
return res.status(403).json({ error: 'Insufficient permissions' })
}
res.json({ deleted: true })
})
```
---
## Remediation Priority
### Priority 1 (Fix immediately - before production)
- [ ] Token storage (localStorage → in-memory)
- [ ] JWT signature validation
- [ ] Audience validation
- [ ] HTTPS enforced
### Priority 2 (Fix within 1 week)
- [ ] Scope validation in API
- [ ] MFA enabled
- [ ] Audit logging
- [ ] CSRF protection (state parameter)
### Priority 3 (Fix within 1 month)
- [ ] Compliance (GDPR, HIPAA)
- [ ] Webhook error handling
- [ ] Security testing
- [ ] Incident response plan
---
## Next Steps
1. **Review this checklist** with your team
2. **Fix high-priority items** (Priority 1)
3. **Run again**: `/oauth-security-audit`
4. **If issues remain**: `/oauth-troubleshoot` for help
---
**Score**: [X] / 45 items checked
Reference in New Issue View Git Blame Copy Permalink