Authn/Authz Review
When to use
Use this skill when reviewing login, session management, token validation, or authorization checks.
Inputs to collect (if available)
- •Auth model (session cookie vs bearer token vs mTLS)
- •Deployment assumptions (internet-facing, internal-only, multi-tenant)
- •Sensitive assets (PII, admin actions, money movement)
- •Known roles/scopes/claims and intended policies
Step-by-step process
- •Identify identities and trust boundaries
- •Who is the user/service? How is identity asserted (cookie, bearer token, mTLS)?
- •Where does authorization decision happen? Where is it enforced?
- •Authentication checks
- •Password handling: hashing, rate limits, lockouts, MFA hooks
- •Session/token: issuance, expiry, rotation, revocation, audience/issuer validation
- •Transport: TLS-only, secure cookie flags, CSRF defenses for cookie auth
- •Authorization checks
- •Define resources + actions (e.g.,
invoice:read,admin:user:delete) - •Ensure checks are server-side and close to the boundary
- •Watch for IDOR: user-controlled identifiers without ownership checks
- •Define resources + actions (e.g.,
- •Multi-tenant & privilege boundaries
- •Tenant scoping on every query
- •Admin vs user code paths; "act as" features
- •Abuse cases
- •Replay, token substitution, privilege escalation, forced browsing
- •Deliver fixes
- •Centralize policy decisions (middleware/service)
- •Add negative tests for bypass attempts
Output checklist
- •Token/session validation requirements
- •Required claims/roles/scopes
- •Authorization enforcement points
- •Test cases to prevent bypass
Repo integration (optional)
Related prompts:
- •
review-auth-flows.prompt.md - •
check-access-controls.prompt.md
Output format
- •Summary: scope + top 3 risks + overall risk
- •Findings (repeat): issue, severity/likelihood, where, evidence, recommendation, verification
- •Policy checklist: required claims/roles/scopes + enforcement points
Examples
- •“Cookie session app” → verify
HttpOnly/Secure/SameSite, CSRF defenses, and session rotation on privilege change.