
auth-security-validator

verified

Autonomous validation of authentication security. Checks password hashing, cookie configuration, CSRF protection, and session management for OWASP compliance.


Marketplace: hirefrank-marketplace (hirefrank/hirefrank-marketplace)
Plugin: edge-stack (development)
Repository: hirefrank/hirefrank-marketplace (2 stars)
Path: plugins/edge-stack/skills/auth-security-validator/SKILL.md
Last Verified: January 16, 2026

Install (add-skill CLI):

npx add-skill https://github.com/hirefrank/hirefrank-marketplace/blob/main/plugins/edge-stack/skills/auth-security-validator/SKILL.md -a claude-code --skill auth-security-validator

Installation path (Claude): .claude/skills/auth-security-validator/

Instructions

# Auth Security Validator SKILL

## Activation Patterns

This SKILL automatically activates when:
- Files matching `**/auth/**` are created or modified
- Session configuration files (`app.config.ts`, `auth.ts`) are modified
- Password hashing code changes
- Cookie configuration changes
- A deployment operation is about to run

## Validation Rules

### P1 - Critical (Block Operations)

**Password Hashing**:
- ✅ Uses Argon2id (`@node-rs/argon2`)
- ❌ Does not use bcrypt, MD5, SHA-256 or plain text
- ✅ Memory cost ≥ 19456 KB
- ✅ Time cost ≥ 2 iterations

**Cookie Security**:
- ✅ `secure: true` (HTTPS-only)
- ✅ `httpOnly: true` (XSS prevention)
- ✅ `sameSite: 'lax'` or `'strict'` (CSRF mitigation)

**Session Configuration**:
- ✅ Session password/secret ≥ 32 characters
- ✅ Max age configured (not infinite)

### P2 - Important (Warn)

**CSRF Protection**:
- ⚠️ CSRF protection enabled (automatic in better-auth)
- ⚠️ No custom form handlers bypassing CSRF

**Rate Limiting**:
- ⚠️ Rate limiting on login endpoint
- ⚠️ Rate limiting on register endpoint
- ⚠️ Rate limiting on password reset

**Input Validation**:
- ⚠️ Email format validation
- ⚠️ Password minimum length (8+ characters)
- ⚠️ Input sanitization

### P3 - Suggestions (Inform)

- ℹ️ Session rotation on privilege escalation
- ℹ️ 2FA/MFA support
- ℹ️ Account lockout after failed attempts
- ℹ️ Password complexity requirements
- ℹ️ OAuth state parameter validation

## Validation Output

```
🔒 Authentication Security Validation

✅ P1 Checks (Critical):
   ✅ Password hashing: Argon2id with correct params
   ✅ Cookies: secure, httpOnly, sameSite configured
   ✅ Session secret: 32+ characters

⚠️ P2 Checks (Important):
   ⚠️ No rate limiting on login endpoint
   ✅ Input validation present
   ✅ CSRF protection enabled

ℹ️ P3 Suggestions:
   ℹ️ Consider adding session rotation
   ℹ️ Consider 2FA for sensitive operations

📋 Summary: 1 warning found
💡 Run /es-auth-setup to fix issues
```

## Security Patterns Detected

**Good Patterns** ✅: