Auth Security Audit

2. Role-Based Access Control (RBAC)

Verify the "Least Privilege" principle.

• Vertical Escalation: Can a Resident access Admin endpoints by changing an ID?
• Horizontal Escalation: Can a Resident access data from another Resident in the same residential?
• Missing Guards: Are there exposed endpoints without any role check?
• Guard Bypass: Can roles be spoofed via client-side state?

3. Session & Interaction Security

• Secure Defaults: Are cookies marked as HttpOnly, Secure (in prod), and SameSite=Strict?
• Logout Integrity: Does logout actually invalidate the session server-side (if stateful) or just clear client state?
• Brute Force Protection: Rate limiting on login/reset attempts.

What this skill does NOT review (Avoid overlap)

• Token Lifecycle: Specific JWT expiration, refresh rotation, or validation algorithm details (Use token-expiration-check).
• Code Logic: General functional correctness (Use backend-code-review).

Mandatory Output Format

1. Vulnerability Summary

List of identified security risks categorized by severity (CRITICAL, HIGH, MEDIUM, LOW).

2. RBAC Mapping Audit

Table showing checked endpoints and whether they correctly enforce the required role.

3. Recommendation Roadmap

Immediate actions to mitigate identified risks.