@brunosps00/dev-workflow 0.0.3 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +42 -42
- package/bin/dev-workflow.js +6 -4
- package/lib/constants.js +42 -40
- package/lib/init.js +66 -19
- package/package.json +1 -1
- package/scaffold/en/commands/{analyze-project.md → dw-analyze-project.md} +69 -40
- package/scaffold/en/commands/{brainstorm.md → dw-brainstorm.md} +31 -4
- package/scaffold/en/commands/{bugfix.md → dw-bugfix.md} +63 -19
- package/scaffold/en/commands/{code-review.md → dw-code-review.md} +38 -15
- package/scaffold/en/commands/{commit.md → dw-commit.md} +25 -0
- package/scaffold/en/commands/{create-prd.md → dw-create-prd.md} +24 -10
- package/scaffold/en/commands/{create-tasks.md → dw-create-tasks.md} +11 -4
- package/scaffold/en/commands/{create-techspec.md → dw-create-techspec.md} +38 -11
- package/scaffold/en/commands/{deep-research.md → dw-deep-research.md} +18 -17
- package/scaffold/en/commands/{fix-qa.md → dw-fix-qa.md} +20 -3
- package/scaffold/en/commands/dw-functional-doc.md +276 -0
- package/scaffold/en/commands/{generate-pr.md → dw-generate-pr.md} +20 -5
- package/scaffold/en/commands/dw-help.md +309 -0
- package/scaffold/en/commands/{refactoring-analysis.md → dw-refactoring-analysis.md} +50 -26
- package/scaffold/en/commands/{review-implementation.md → dw-review-implementation.md} +25 -6
- package/scaffold/en/commands/{run-plan.md → dw-run-plan.md} +21 -6
- package/scaffold/en/commands/{run-qa.md → dw-run-qa.md} +32 -13
- package/scaffold/en/commands/{run-task.md → dw-run-task.md} +17 -7
- package/scaffold/en/references/playwright-patterns.md +136 -0
- package/scaffold/en/references/refactoring-catalog.md +167 -0
- package/scaffold/en/templates/brainstorm-matrix.md +44 -0
- package/scaffold/en/templates/functional-doc/case-matrix.md +5 -0
- package/scaffold/en/templates/functional-doc/e2e-runbook.md +3 -0
- package/scaffold/en/templates/functional-doc/features.md +3 -0
- package/scaffold/en/templates/functional-doc/overview.md +21 -0
- package/scaffold/en/templates/functional-doc/playwright.spec.ts.tpl +19 -0
- package/scaffold/en/templates/pr-bugfix-template.md +28 -0
- package/scaffold/en/templates/qa-test-credentials.md +37 -0
- package/scaffold/en/templates/tasks-template.md +1 -1
- package/scaffold/en/templates/techspec-template.md +1 -1
- package/scaffold/pt-br/commands/{analyze-project.md → dw-analyze-project.md} +94 -44
- package/scaffold/pt-br/commands/{brainstorm.md → dw-brainstorm.md} +32 -5
- package/scaffold/pt-br/commands/{bugfix.md → dw-bugfix.md} +73 -16
- package/scaffold/pt-br/commands/{code-review.md → dw-code-review.md} +80 -17
- package/scaffold/pt-br/commands/{commit.md → dw-commit.md} +45 -1
- package/scaffold/pt-br/commands/{create-prd.md → dw-create-prd.md} +25 -10
- package/scaffold/pt-br/commands/{create-tasks.md → dw-create-tasks.md} +24 -17
- package/scaffold/pt-br/commands/{create-techspec.md → dw-create-techspec.md} +40 -13
- package/scaffold/pt-br/commands/{deep-research.md → dw-deep-research.md} +19 -11
- package/scaffold/pt-br/commands/{fix-qa.md → dw-fix-qa.md} +30 -1
- package/scaffold/pt-br/commands/dw-functional-doc.md +276 -0
- package/scaffold/pt-br/commands/{generate-pr.md → dw-generate-pr.md} +61 -6
- package/scaffold/pt-br/commands/dw-help.md +248 -0
- package/scaffold/pt-br/commands/{refactoring-analysis.md → dw-refactoring-analysis.md} +49 -25
- package/scaffold/pt-br/commands/{review-implementation.md → dw-review-implementation.md} +53 -5
- package/scaffold/pt-br/commands/{run-plan.md → dw-run-plan.md} +100 -12
- package/scaffold/pt-br/commands/{run-qa.md → dw-run-qa.md} +93 -18
- package/scaffold/pt-br/commands/{run-task.md → dw-run-task.md} +35 -10
- package/scaffold/pt-br/references/playwright-patterns.md +133 -0
- package/scaffold/pt-br/references/refactoring-catalog.md +166 -0
- package/scaffold/pt-br/templates/brainstorm-matrix.md +44 -0
- package/scaffold/pt-br/templates/functional-doc/case-matrix.md +5 -0
- package/scaffold/pt-br/templates/functional-doc/e2e-runbook.md +3 -0
- package/scaffold/pt-br/templates/functional-doc/features.md +3 -0
- package/scaffold/pt-br/templates/functional-doc/overview.md +21 -0
- package/scaffold/pt-br/templates/functional-doc/playwright.spec.ts.tpl +19 -0
- package/scaffold/pt-br/templates/pr-bugfix-template.md +28 -0
- package/scaffold/pt-br/templates/qa-test-credentials.md +37 -0
- package/scaffold/pt-br/templates/tasks-template.md +2 -2
- package/scaffold/pt-br/templates/techspec-template.md +1 -1
- package/scaffold/rules-readme.md +3 -3
- package/scaffold/scripts/functional-doc/generate-dossier.mjs +821 -0
- package/scaffold/scripts/functional-doc/run-playwright-flow.mjs +275 -0
- package/scaffold/skills/agent-browser/SKILL.md +750 -0
- package/scaffold/skills/agent-browser/references/authentication.md +303 -0
- package/scaffold/skills/agent-browser/references/commands.md +295 -0
- package/scaffold/skills/agent-browser/references/profiling.md +120 -0
- package/scaffold/skills/agent-browser/references/proxy-support.md +194 -0
- package/scaffold/skills/agent-browser/references/session-management.md +193 -0
- package/scaffold/skills/agent-browser/references/snapshot-refs.md +219 -0
- package/scaffold/skills/agent-browser/references/video-recording.md +173 -0
- package/scaffold/skills/agent-browser/templates/authenticated-session.sh +105 -0
- package/scaffold/skills/agent-browser/templates/capture-workflow.sh +69 -0
- package/scaffold/skills/agent-browser/templates/form-automation.sh +62 -0
- package/scaffold/skills/humanizer/README.md +143 -0
- package/scaffold/skills/humanizer/SKILL.md +488 -0
- package/scaffold/skills/humanizer/WARP.md +53 -0
- package/scaffold/skills/remotion-best-practices/SKILL.md +61 -0
- package/scaffold/skills/remotion-best-practices/rules/3d.md +86 -0
- package/scaffold/skills/remotion-best-practices/rules/animations.md +27 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +103 -0
- package/scaffold/skills/remotion-best-practices/rules/assets.md +78 -0
- package/scaffold/skills/remotion-best-practices/rules/audio-visualization.md +198 -0
- package/scaffold/skills/remotion-best-practices/rules/audio.md +169 -0
- package/scaffold/skills/remotion-best-practices/rules/calculate-metadata.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/can-decode.md +75 -0
- package/scaffold/skills/remotion-best-practices/rules/charts.md +120 -0
- package/scaffold/skills/remotion-best-practices/rules/compositions.md +154 -0
- package/scaffold/skills/remotion-best-practices/rules/display-captions.md +184 -0
- package/scaffold/skills/remotion-best-practices/rules/extract-frames.md +229 -0
- package/scaffold/skills/remotion-best-practices/rules/ffmpeg.md +38 -0
- package/scaffold/skills/remotion-best-practices/rules/fonts.md +152 -0
- package/scaffold/skills/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-duration.md +60 -0
- package/scaffold/skills/remotion-best-practices/rules/gifs.md +141 -0
- package/scaffold/skills/remotion-best-practices/rules/images.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/import-srt-captions.md +69 -0
- package/scaffold/skills/remotion-best-practices/rules/light-leaks.md +73 -0
- package/scaffold/skills/remotion-best-practices/rules/lottie.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/maps.md +412 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-text.md +140 -0
- package/scaffold/skills/remotion-best-practices/rules/parameters.md +109 -0
- package/scaffold/skills/remotion-best-practices/rules/sequencing.md +118 -0
- package/scaffold/skills/remotion-best-practices/rules/sfx.md +26 -0
- package/scaffold/skills/remotion-best-practices/rules/subtitles.md +36 -0
- package/scaffold/skills/remotion-best-practices/rules/tailwind.md +11 -0
- package/scaffold/skills/remotion-best-practices/rules/text-animations.md +20 -0
- package/scaffold/skills/remotion-best-practices/rules/timing.md +179 -0
- package/scaffold/skills/remotion-best-practices/rules/transcribe-captions.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/transitions.md +197 -0
- package/scaffold/skills/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/scaffold/skills/remotion-best-practices/rules/trimming.md +51 -0
- package/scaffold/skills/remotion-best-practices/rules/videos.md +171 -0
- package/scaffold/skills/remotion-best-practices/rules/voiceover.md +99 -0
- package/scaffold/skills/security-review/LICENSE +22 -0
- package/scaffold/skills/security-review/SKILL.md +312 -0
- package/scaffold/skills/security-review/infrastructure/docker.md +432 -0
- package/scaffold/skills/security-review/languages/javascript.md +388 -0
- package/scaffold/skills/security-review/languages/python.md +363 -0
- package/scaffold/skills/security-review/references/api-security.md +519 -0
- package/scaffold/skills/security-review/references/authentication.md +353 -0
- package/scaffold/skills/security-review/references/authorization.md +372 -0
- package/scaffold/skills/security-review/references/business-logic.md +443 -0
- package/scaffold/skills/security-review/references/cryptography.md +329 -0
- package/scaffold/skills/security-review/references/csrf.md +398 -0
- package/scaffold/skills/security-review/references/data-protection.md +378 -0
- package/scaffold/skills/security-review/references/deserialization.md +410 -0
- package/scaffold/skills/security-review/references/error-handling.md +436 -0
- package/scaffold/skills/security-review/references/file-security.md +457 -0
- package/scaffold/skills/security-review/references/injection.md +259 -0
- package/scaffold/skills/security-review/references/logging.md +433 -0
- package/scaffold/skills/security-review/references/misconfiguration.md +435 -0
- package/scaffold/skills/security-review/references/modern-threats.md +475 -0
- package/scaffold/skills/security-review/references/ssrf.md +415 -0
- package/scaffold/skills/security-review/references/supply-chain.md +405 -0
- package/scaffold/skills/security-review/references/xss.md +336 -0
- package/scaffold/skills/vercel-react-best-practices/AGENTS.md +3648 -0
- package/scaffold/skills/vercel-react-best-practices/README.md +123 -0
- package/scaffold/skills/vercel-react-best-practices/SKILL.md +146 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/scaffold/skills/webapp-testing/SKILL.md +133 -0
- package/scaffold/skills/webapp-testing/assets/test-helper.js +56 -0
- package/scaffold/en/commands/help.md +0 -289
- package/scaffold/pt-br/commands/help.md +0 -226
|
@@ -0,0 +1,353 @@
|
|
|
1
|
+
# Authentication Security Reference
|
|
2
|
+
|
|
3
|
+
## Password Requirements
|
|
4
|
+
|
|
5
|
+
### Strength Requirements
|
|
6
|
+
|
|
7
|
+
| Context | Minimum Length | Maximum Length |
|
|
8
|
+
|---------|---------------|----------------|
|
|
9
|
+
| With MFA | 8 characters | At least 64 characters |
|
|
10
|
+
| Without MFA | 15 characters | At least 64 characters |
|
|
11
|
+
|
|
12
|
+
**Composition Rules:**
|
|
13
|
+
- Allow all printable characters including spaces and Unicode
|
|
14
|
+
- No mandatory complexity rules (uppercase, numbers, symbols)
|
|
15
|
+
- No periodic forced password changes
|
|
16
|
+
- Check against breached password databases (e.g., Have I Been Pwned)
|
|
17
|
+
- Implement password strength meters (e.g., zxcvbn)
|
|
18
|
+
|
|
19
|
+
### Password Storage
|
|
20
|
+
|
|
21
|
+
**Recommended Algorithms (in order of preference):**
|
|
22
|
+
|
|
23
|
+
1. **Argon2id** (preferred)
|
|
24
|
+
```
|
|
25
|
+
Memory: minimum 19 MiB (19456 KB)
|
|
26
|
+
Iterations: minimum 2
|
|
27
|
+
Parallelism: 1
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
2. **scrypt**
|
|
31
|
+
```
|
|
32
|
+
CPU/memory cost (N): 2^17
|
|
33
|
+
Block size (r): 8
|
|
34
|
+
Parallelization (p): 1
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
3. **bcrypt** (legacy systems)
|
|
38
|
+
```
|
|
39
|
+
Work factor: minimum 10 (ideally 12+)
|
|
40
|
+
Maximum password length: 72 bytes
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
4. **PBKDF2** (FIPS-required environments)
|
|
44
|
+
```
|
|
45
|
+
Iterations: minimum 600,000 with HMAC-SHA-256
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
**Never Use:**
|
|
49
|
+
- MD5, SHA1, SHA256 without key stretching
|
|
50
|
+
- Plain hashing without salt
|
|
51
|
+
- Reversible encryption for passwords
|
|
52
|
+
|
|
53
|
+
### Vulnerable Patterns
|
|
54
|
+
|
|
55
|
+
```python
|
|
56
|
+
# VULNERABLE: MD5 hash
|
|
57
|
+
import hashlib
|
|
58
|
+
password_hash = hashlib.md5(password.encode()).hexdigest()
|
|
59
|
+
|
|
60
|
+
# VULNERABLE: SHA256 without salt/iterations
|
|
61
|
+
password_hash = hashlib.sha256(password.encode()).hexdigest()
|
|
62
|
+
|
|
63
|
+
# SAFE: bcrypt
|
|
64
|
+
import bcrypt
|
|
65
|
+
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))
|
|
66
|
+
|
|
67
|
+
# SAFE: Argon2
|
|
68
|
+
from argon2 import PasswordHasher
|
|
69
|
+
ph = PasswordHasher()
|
|
70
|
+
password_hash = ph.hash(password)
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
---
|
|
74
|
+
|
|
75
|
+
## Error Messages
|
|
76
|
+
|
|
77
|
+
### Generic Response Principle
|
|
78
|
+
|
|
79
|
+
Return identical error messages regardless of the specific failure reason.
|
|
80
|
+
|
|
81
|
+
**Login Responses:**
|
|
82
|
+
```
|
|
83
|
+
# WRONG: Reveals valid usernames
|
|
84
|
+
"User not found"
|
|
85
|
+
"Invalid password"
|
|
86
|
+
"Account locked"
|
|
87
|
+
|
|
88
|
+
# CORRECT: Generic message
|
|
89
|
+
"Login failed; Invalid user ID or password."
|
|
90
|
+
```
|
|
91
|
+
|
|
92
|
+
**Password Recovery:**
|
|
93
|
+
```
|
|
94
|
+
# WRONG: Reveals valid emails
|
|
95
|
+
"Email not found"
|
|
96
|
+
"Password reset email sent"
|
|
97
|
+
|
|
98
|
+
# CORRECT: Generic message
|
|
99
|
+
"If that email address is in our database, we will send you an email to reset your password."
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
**Account Creation:**
|
|
103
|
+
```
|
|
104
|
+
# WRONG: Reveals existing accounts
|
|
105
|
+
"Email already registered"
|
|
106
|
+
|
|
107
|
+
# CORRECT: Generic message
|
|
108
|
+
"A link to activate your account has been emailed to the address provided."
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
---
|
|
112
|
+
|
|
113
|
+
## Brute Force Protection
|
|
114
|
+
|
|
115
|
+
### Account Lockout
|
|
116
|
+
|
|
117
|
+
```python
|
|
118
|
+
# Configuration
|
|
119
|
+
LOCKOUT_THRESHOLD = 5 # Failed attempts before lockout
|
|
120
|
+
OBSERVATION_WINDOW = 15 * 60 # 15 minutes
|
|
121
|
+
LOCKOUT_DURATION = 30 * 60 # 30 minutes
|
|
122
|
+
|
|
123
|
+
# Implementation
|
|
124
|
+
class LoginAttemptTracker:
|
|
125
|
+
def record_failed_attempt(self, account_id):
|
|
126
|
+
# Track by account, NOT by IP
|
|
127
|
+
# IP-based tracking allows bypassing via distributed attacks
|
|
128
|
+
pass
|
|
129
|
+
|
|
130
|
+
def is_locked(self, account_id):
|
|
131
|
+
# Check if account is locked
|
|
132
|
+
pass
|
|
133
|
+
|
|
134
|
+
def allow_password_reset_when_locked(self):
|
|
135
|
+
# Prevent lockout from becoming DoS
|
|
136
|
+
return True
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Exponential Backoff
|
|
140
|
+
|
|
141
|
+
```python
|
|
142
|
+
def get_lockout_duration(failed_attempts):
|
|
143
|
+
# Double duration with each lockout
|
|
144
|
+
base_duration = 60 # 1 minute
|
|
145
|
+
return base_duration * (2 ** (failed_attempts // LOCKOUT_THRESHOLD - 1))
|
|
146
|
+
```
|
|
147
|
+
|
|
148
|
+
### Rate Limiting
|
|
149
|
+
|
|
150
|
+
```python
|
|
151
|
+
# Per-IP rate limiting (defense in depth)
|
|
152
|
+
RATE_LIMIT = "10/minute"
|
|
153
|
+
|
|
154
|
+
# Per-account rate limiting
|
|
155
|
+
ACCOUNT_RATE_LIMIT = "5/minute"
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## Multi-Factor Authentication
|
|
161
|
+
|
|
162
|
+
### MFA Effectiveness
|
|
163
|
+
|
|
164
|
+
Microsoft research indicates MFA blocks 99.9% of account compromises.
|
|
165
|
+
|
|
166
|
+
### MFA Implementation Checklist
|
|
167
|
+
|
|
168
|
+
- [ ] Require MFA for all users (not just optional)
|
|
169
|
+
- [ ] Support multiple MFA methods (TOTP, WebAuthn, SMS as fallback)
|
|
170
|
+
- [ ] Implement MFA bypass codes for recovery (store securely)
|
|
171
|
+
- [ ] Require re-authentication before disabling MFA
|
|
172
|
+
- [ ] Log all MFA events
|
|
173
|
+
|
|
174
|
+
### WebAuthn/FIDO2 (Preferred)
|
|
175
|
+
|
|
176
|
+
```javascript
|
|
177
|
+
// Registration
|
|
178
|
+
const publicKeyCredential = await navigator.credentials.create({
|
|
179
|
+
publicKey: {
|
|
180
|
+
challenge: serverChallenge,
|
|
181
|
+
rp: { name: "Example Corp", id: "example.com" },
|
|
182
|
+
user: { id: userId, name: username, displayName: displayName },
|
|
183
|
+
pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
|
|
184
|
+
authenticatorSelection: { userVerification: "preferred" }
|
|
185
|
+
}
|
|
186
|
+
});
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
**Benefits:**
|
|
190
|
+
- Phishing-resistant (bound to origin)
|
|
191
|
+
- No shared secrets to steal
|
|
192
|
+
- Hardware-backed security
|
|
193
|
+
|
|
194
|
+
---
|
|
195
|
+
|
|
196
|
+
## Session Security
|
|
197
|
+
|
|
198
|
+
### Session ID Requirements
|
|
199
|
+
|
|
200
|
+
- **Entropy**: Minimum 64 bits of randomness
|
|
201
|
+
- **Length**: At least 16 characters (hex) or 128 bits
|
|
202
|
+
- **Generation**: Cryptographically secure random generator only
|
|
203
|
+
|
|
204
|
+
```python
|
|
205
|
+
# VULNERABLE: Predictable session ID
|
|
206
|
+
session_id = str(user_id) + str(int(time.time()))
|
|
207
|
+
|
|
208
|
+
# SAFE: Cryptographically random
|
|
209
|
+
import secrets
|
|
210
|
+
session_id = secrets.token_hex(32) # 256 bits
|
|
211
|
+
```
|
|
212
|
+
|
|
213
|
+
### Cookie Security Attributes
|
|
214
|
+
|
|
215
|
+
```
|
|
216
|
+
Set-Cookie: session_id=abc123;
|
|
217
|
+
Secure; # HTTPS only
|
|
218
|
+
HttpOnly; # No JavaScript access
|
|
219
|
+
SameSite=Lax; # CSRF protection
|
|
220
|
+
Path=/; # Scope
|
|
221
|
+
Max-Age=3600; # Expiration
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
### Session Lifecycle
|
|
225
|
+
|
|
226
|
+
```python
|
|
227
|
+
# VULNERABLE: Not regenerating session on login (Session Fixation)
|
|
228
|
+
def login(username, password):
|
|
229
|
+
user = authenticate(username, password)
|
|
230
|
+
session['user_id'] = user.id # Same session ID - attacker can pre-set it!
|
|
231
|
+
|
|
232
|
+
# SAFE: Regenerate session ID after authentication
|
|
233
|
+
def login(user, password):
|
|
234
|
+
if authenticate(user, password):
|
|
235
|
+
# CRITICAL: Generate new session ID to prevent fixation
|
|
236
|
+
session.regenerate()
|
|
237
|
+
session['user_id'] = user.id
|
|
238
|
+
|
|
239
|
+
# Regenerate after privilege changes
|
|
240
|
+
def elevate_privileges():
|
|
241
|
+
session.regenerate()
|
|
242
|
+
session['is_admin'] = True
|
|
243
|
+
|
|
244
|
+
# Proper logout - invalidate both server and client
|
|
245
|
+
def logout():
|
|
246
|
+
session.invalidate() # Server-side invalidation
|
|
247
|
+
response.delete_cookie('session_id')
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
### Session Timeouts
|
|
251
|
+
|
|
252
|
+
| Type | Purpose | Typical Value |
|
|
253
|
+
|------|---------|---------------|
|
|
254
|
+
| **Idle Timeout** | Inactive session | 15-30 minutes |
|
|
255
|
+
| **Absolute Timeout** | Maximum lifetime | 4-8 hours |
|
|
256
|
+
|
|
257
|
+
### Concurrent Session Control
|
|
258
|
+
|
|
259
|
+
```python
|
|
260
|
+
# Option 1: Allow only one session per user
|
|
261
|
+
def login(user):
|
|
262
|
+
invalidate_all_sessions(user.id)
|
|
263
|
+
return create_session(user)
|
|
264
|
+
|
|
265
|
+
# Option 2: Limit concurrent sessions
|
|
266
|
+
MAX_SESSIONS = 3
|
|
267
|
+
def login(user):
|
|
268
|
+
sessions = get_sessions_by_user(user.id)
|
|
269
|
+
if len(sessions) >= MAX_SESSIONS:
|
|
270
|
+
oldest = min(sessions, key=lambda s: s['created_at'])
|
|
271
|
+
invalidate_session(oldest['id'])
|
|
272
|
+
return create_session(user)
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
---
|
|
276
|
+
|
|
277
|
+
## Re-authentication Requirements
|
|
278
|
+
|
|
279
|
+
Require fresh credentials before:
|
|
280
|
+
- Password changes
|
|
281
|
+
- Email address changes
|
|
282
|
+
- MFA configuration changes
|
|
283
|
+
- Sensitive financial transactions
|
|
284
|
+
- Account deletion
|
|
285
|
+
|
|
286
|
+
```python
|
|
287
|
+
def requires_recent_auth(max_age=300): # 5 minutes
|
|
288
|
+
"""Decorator requiring recent authentication."""
|
|
289
|
+
def decorator(f):
|
|
290
|
+
def wrapper(*args, **kwargs):
|
|
291
|
+
last_auth = session.get('last_auth_time')
|
|
292
|
+
if not last_auth or time.time() - last_auth > max_age:
|
|
293
|
+
raise ReauthenticationRequired()
|
|
294
|
+
return f(*args, **kwargs)
|
|
295
|
+
return wrapper
|
|
296
|
+
return decorator
|
|
297
|
+
|
|
298
|
+
@requires_recent_auth(max_age=300)
|
|
299
|
+
def change_password(old_password, new_password):
|
|
300
|
+
pass
|
|
301
|
+
```
|
|
302
|
+
|
|
303
|
+
---
|
|
304
|
+
|
|
305
|
+
## Email Address Changes
|
|
306
|
+
|
|
307
|
+
### With MFA Enabled
|
|
308
|
+
|
|
309
|
+
1. Verify current session authentication
|
|
310
|
+
2. Request MFA verification
|
|
311
|
+
3. Send notification to current email address
|
|
312
|
+
4. Send confirmation link to new email address
|
|
313
|
+
5. Require clicking link within time limit (e.g., 8 hours)
|
|
314
|
+
|
|
315
|
+
### Without MFA
|
|
316
|
+
|
|
317
|
+
1. Verify current session authentication
|
|
318
|
+
2. Require current password verification
|
|
319
|
+
3. Send notification to current email address
|
|
320
|
+
4. Send confirmation link to both addresses
|
|
321
|
+
5. Require confirmation from both within time limit
|
|
322
|
+
|
|
323
|
+
---
|
|
324
|
+
|
|
325
|
+
## Grep Patterns for Detection
|
|
326
|
+
|
|
327
|
+
```bash
|
|
328
|
+
# Weak hashing
|
|
329
|
+
grep -rn "md5\|sha1\|sha256" --include="*.py" --include="*.js" | grep -i password
|
|
330
|
+
grep -rn "hashlib\\.md5\|hashlib\\.sha" --include="*.py"
|
|
331
|
+
|
|
332
|
+
# Predictable session IDs
|
|
333
|
+
grep -rn "uuid1\|time\\(\\).*session\|user.*id.*session" --include="*.py"
|
|
334
|
+
|
|
335
|
+
# Missing cookie security
|
|
336
|
+
grep -rn "Set-Cookie" --include="*.py" --include="*.js" | grep -v -i "secure\|httponly"
|
|
337
|
+
|
|
338
|
+
# Error message leakage
|
|
339
|
+
grep -rn "not found\|invalid password\|does not exist" --include="*.py" --include="*.js"
|
|
340
|
+
|
|
341
|
+
# Session handling
|
|
342
|
+
grep -rn "session\\.regenerate\|regenerate_id\|new_session" --include="*.py" --include="*.php"
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
---
|
|
346
|
+
|
|
347
|
+
## References
|
|
348
|
+
|
|
349
|
+
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
|
|
350
|
+
- [OWASP Password Storage Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)
|
|
351
|
+
- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
|
|
352
|
+
- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
|
|
353
|
+
- [CWE-384: Session Fixation](https://cwe.mitre.org/data/definitions/384.html)
|
|
@@ -0,0 +1,372 @@
|
|
|
1
|
+
# Authorization Security Reference
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Authorization verifies that a requested action or service is approved for a specific entity—distinct from authentication, which verifies identity. A user who has been authenticated is often not authorized to access every resource and perform every action.
|
|
6
|
+
|
|
7
|
+
## Core Principles
|
|
8
|
+
|
|
9
|
+
### 1. Deny by Default
|
|
10
|
+
|
|
11
|
+
Every permission must be explicitly granted. The default position is denial.
|
|
12
|
+
|
|
13
|
+
```python
|
|
14
|
+
# VULNERABLE: Implicit allow
|
|
15
|
+
def get_document(request, doc_id):
|
|
16
|
+
return Document.objects.get(id=doc_id)
|
|
17
|
+
|
|
18
|
+
# SAFE: Explicit authorization
|
|
19
|
+
def get_document(request, doc_id):
|
|
20
|
+
doc = Document.objects.get(id=doc_id)
|
|
21
|
+
if not request.user.has_permission('read', doc):
|
|
22
|
+
raise PermissionDenied()
|
|
23
|
+
return doc
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### 2. Enforce Least Privilege
|
|
27
|
+
|
|
28
|
+
Assign users only the minimum necessary permissions for their role.
|
|
29
|
+
|
|
30
|
+
```python
|
|
31
|
+
# Define minimal permission sets
|
|
32
|
+
ROLE_PERMISSIONS = {
|
|
33
|
+
'viewer': ['read'],
|
|
34
|
+
'editor': ['read', 'write'],
|
|
35
|
+
'admin': ['read', 'write', 'delete', 'admin']
|
|
36
|
+
}
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
### 3. Validate Permissions on Every Request
|
|
40
|
+
|
|
41
|
+
Never rely on UI hiding or client-side checks alone.
|
|
42
|
+
|
|
43
|
+
```python
|
|
44
|
+
# VULNERABLE: Authorization only on some endpoints
|
|
45
|
+
@app.route('/api/admin/users', methods=['GET'])
|
|
46
|
+
@require_admin # Good
|
|
47
|
+
def list_users():
|
|
48
|
+
pass
|
|
49
|
+
|
|
50
|
+
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
51
|
+
def delete_user(id): # Missing authorization check!
|
|
52
|
+
User.delete(id)
|
|
53
|
+
|
|
54
|
+
# SAFE: Consistent authorization
|
|
55
|
+
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
56
|
+
@require_admin # Always check
|
|
57
|
+
def delete_user(id):
|
|
58
|
+
User.delete(id)
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
## Insecure Direct Object References (IDOR)
|
|
64
|
+
|
|
65
|
+
### The Vulnerability
|
|
66
|
+
|
|
67
|
+
IDOR occurs when attackers access or modify objects by manipulating identifiers.
|
|
68
|
+
|
|
69
|
+
```python
|
|
70
|
+
# VULNERABLE: No ownership validation
|
|
71
|
+
@app.route('/api/orders/<order_id>')
|
|
72
|
+
def get_order(order_id):
|
|
73
|
+
return Order.query.get(order_id).to_dict()
|
|
74
|
+
|
|
75
|
+
# Attack: User A accesses /api/orders/123 (User B's order)
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
### Prevention
|
|
79
|
+
|
|
80
|
+
**1. Validate Object Ownership**
|
|
81
|
+
|
|
82
|
+
```python
|
|
83
|
+
# SAFE: Scope queries to current user
|
|
84
|
+
@app.route('/api/orders/<order_id>')
|
|
85
|
+
def get_order(order_id):
|
|
86
|
+
order = Order.query.filter_by(
|
|
87
|
+
id=order_id,
|
|
88
|
+
user_id=current_user.id # Ownership check
|
|
89
|
+
).first_or_404()
|
|
90
|
+
return order.to_dict()
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
**2. Use Indirect References**
|
|
94
|
+
|
|
95
|
+
```python
|
|
96
|
+
# Map user-specific indices to actual IDs
|
|
97
|
+
def get_user_order_map(user_id):
|
|
98
|
+
orders = Order.query.filter_by(user_id=user_id).all()
|
|
99
|
+
return {i: order.id for i, order in enumerate(orders)}
|
|
100
|
+
|
|
101
|
+
@app.route('/api/orders/<int:index>')
|
|
102
|
+
def get_order(index):
|
|
103
|
+
order_map = get_user_order_map(current_user.id)
|
|
104
|
+
real_id = order_map.get(index)
|
|
105
|
+
if not real_id:
|
|
106
|
+
raise NotFound()
|
|
107
|
+
return Order.query.get(real_id).to_dict()
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
**3. Perform Object-Level Checks**
|
|
111
|
+
|
|
112
|
+
```python
|
|
113
|
+
# Check permission on the specific object, not just object type
|
|
114
|
+
def check_permission(user, action, resource):
|
|
115
|
+
# Bad: Type-level check only
|
|
116
|
+
# if user.can('read', 'Order'): return True
|
|
117
|
+
|
|
118
|
+
# Good: Object-level check
|
|
119
|
+
if resource.owner_id == user.id:
|
|
120
|
+
return True
|
|
121
|
+
if resource.organization_id in user.organization_ids:
|
|
122
|
+
return user.has_org_permission(action, resource.organization_id)
|
|
123
|
+
return False
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
## Access Control Models
|
|
129
|
+
|
|
130
|
+
### Role-Based Access Control (RBAC)
|
|
131
|
+
|
|
132
|
+
Simple but limited. Good for straightforward permission structures.
|
|
133
|
+
|
|
134
|
+
```python
|
|
135
|
+
ROLES = {
|
|
136
|
+
'admin': {'create', 'read', 'update', 'delete'},
|
|
137
|
+
'editor': {'create', 'read', 'update'},
|
|
138
|
+
'viewer': {'read'}
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
def has_permission(user, action):
|
|
142
|
+
return action in ROLES.get(user.role, set())
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
### Attribute-Based Access Control (ABAC)
|
|
146
|
+
|
|
147
|
+
More flexible. Supports complex policies with multiple attributes.
|
|
148
|
+
|
|
149
|
+
```python
|
|
150
|
+
def evaluate_policy(subject, action, resource, environment):
|
|
151
|
+
"""
|
|
152
|
+
Subject: user attributes (role, department, clearance)
|
|
153
|
+
Action: what they're trying to do
|
|
154
|
+
Resource: object attributes (owner, classification, type)
|
|
155
|
+
Environment: context (time, location, device)
|
|
156
|
+
"""
|
|
157
|
+
# Example: Only managers can approve during business hours
|
|
158
|
+
if action == 'approve':
|
|
159
|
+
return (
|
|
160
|
+
subject.role == 'manager' and
|
|
161
|
+
resource.department == subject.department and
|
|
162
|
+
environment.is_business_hours
|
|
163
|
+
)
|
|
164
|
+
return False
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
### Relationship-Based Access Control (ReBAC)
|
|
168
|
+
|
|
169
|
+
Access based on relationships between entities.
|
|
170
|
+
|
|
171
|
+
```python
|
|
172
|
+
# User can view document if:
|
|
173
|
+
# - They own it
|
|
174
|
+
# - They're in a group that has access
|
|
175
|
+
# - They're in the same organization
|
|
176
|
+
def can_view(user, document):
|
|
177
|
+
if document.owner_id == user.id:
|
|
178
|
+
return True
|
|
179
|
+
if user.groups.intersection(document.shared_with_groups):
|
|
180
|
+
return True
|
|
181
|
+
if document.org_id == user.org_id and document.org_visible:
|
|
182
|
+
return True
|
|
183
|
+
return False
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## Common Vulnerabilities
|
|
189
|
+
|
|
190
|
+
### Horizontal Privilege Escalation
|
|
191
|
+
|
|
192
|
+
Accessing resources belonging to other users at the same privilege level.
|
|
193
|
+
|
|
194
|
+
```python
|
|
195
|
+
# VULNERABLE: User A can access User B's profile
|
|
196
|
+
@app.route('/api/profile/<user_id>')
|
|
197
|
+
def get_profile(user_id):
|
|
198
|
+
return User.query.get(user_id).profile
|
|
199
|
+
|
|
200
|
+
# SAFE: Only access own profile
|
|
201
|
+
@app.route('/api/profile')
|
|
202
|
+
def get_profile():
|
|
203
|
+
return current_user.profile
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
### Vertical Privilege Escalation
|
|
207
|
+
|
|
208
|
+
Accessing higher-privilege functionality.
|
|
209
|
+
|
|
210
|
+
```python
|
|
211
|
+
# VULNERABLE: Hidden admin endpoint
|
|
212
|
+
@app.route('/api/admin/delete-all')
|
|
213
|
+
def delete_all():
|
|
214
|
+
# No authorization check
|
|
215
|
+
Database.delete_all()
|
|
216
|
+
|
|
217
|
+
# SAFE: Explicit admin check
|
|
218
|
+
@app.route('/api/admin/delete-all')
|
|
219
|
+
@require_role('super_admin')
|
|
220
|
+
def delete_all():
|
|
221
|
+
Database.delete_all()
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
### Path Traversal in Authorization
|
|
225
|
+
|
|
226
|
+
```python
|
|
227
|
+
# VULNERABLE: Path-based authorization bypass
|
|
228
|
+
@app.route('/files/<path:filepath>')
|
|
229
|
+
def get_file(filepath):
|
|
230
|
+
# Attacker: /files/../../../etc/passwd
|
|
231
|
+
return send_file(filepath)
|
|
232
|
+
|
|
233
|
+
# SAFE: Validate and sanitize path
|
|
234
|
+
@app.route('/files/<path:filepath>')
|
|
235
|
+
def get_file(filepath):
|
|
236
|
+
base_dir = '/app/user_files'
|
|
237
|
+
full_path = os.path.realpath(os.path.join(base_dir, filepath))
|
|
238
|
+
if not full_path.startswith(base_dir):
|
|
239
|
+
raise PermissionDenied()
|
|
240
|
+
return send_file(full_path)
|
|
241
|
+
```
|
|
242
|
+
|
|
243
|
+
### Mass Assignment
|
|
244
|
+
|
|
245
|
+
```python
|
|
246
|
+
# VULNERABLE: User can set admin flag
|
|
247
|
+
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
248
|
+
def update_user(id):
|
|
249
|
+
user = User.query.get(id)
|
|
250
|
+
user.update(**request.json) # Includes is_admin!
|
|
251
|
+
|
|
252
|
+
# SAFE: Allowlist fields
|
|
253
|
+
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
254
|
+
def update_user(id):
|
|
255
|
+
ALLOWED_FIELDS = {'name', 'email', 'bio'}
|
|
256
|
+
user = User.query.get(id)
|
|
257
|
+
data = {k: v for k, v in request.json.items() if k in ALLOWED_FIELDS}
|
|
258
|
+
user.update(**data)
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
---
|
|
262
|
+
|
|
263
|
+
## Implementation Patterns
|
|
264
|
+
|
|
265
|
+
### Middleware/Filter Pattern
|
|
266
|
+
|
|
267
|
+
```python
|
|
268
|
+
# Apply authorization consistently via middleware
|
|
269
|
+
class AuthorizationMiddleware:
|
|
270
|
+
def process_request(self, request):
|
|
271
|
+
if not self.is_authorized(request):
|
|
272
|
+
raise PermissionDenied()
|
|
273
|
+
|
|
274
|
+
def is_authorized(self, request):
|
|
275
|
+
# Extract resource and action from request
|
|
276
|
+
resource = self.get_resource(request)
|
|
277
|
+
action = self.get_action(request)
|
|
278
|
+
return request.user.has_permission(action, resource)
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
### Policy Objects
|
|
282
|
+
|
|
283
|
+
```python
|
|
284
|
+
class DocumentPolicy:
|
|
285
|
+
def __init__(self, user, document):
|
|
286
|
+
self.user = user
|
|
287
|
+
self.document = document
|
|
288
|
+
|
|
289
|
+
def can_view(self):
|
|
290
|
+
return (
|
|
291
|
+
self.document.is_public or
|
|
292
|
+
self.document.owner_id == self.user.id or
|
|
293
|
+
self.user.is_admin
|
|
294
|
+
)
|
|
295
|
+
|
|
296
|
+
def can_edit(self):
|
|
297
|
+
return self.document.owner_id == self.user.id
|
|
298
|
+
|
|
299
|
+
def can_delete(self):
|
|
300
|
+
return self.document.owner_id == self.user.id or self.user.is_admin
|
|
301
|
+
|
|
302
|
+
# Usage
|
|
303
|
+
policy = DocumentPolicy(current_user, document)
|
|
304
|
+
if not policy.can_view():
|
|
305
|
+
raise PermissionDenied()
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
---
|
|
309
|
+
|
|
310
|
+
## Grep Patterns for Detection
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
# Missing authorization checks
|
|
314
|
+
grep -rn "def get_\|def post_\|def put_\|def delete_" --include="*.py" | grep -v "@require\|@login\|permission"
|
|
315
|
+
|
|
316
|
+
# Direct object access without ownership check
|
|
317
|
+
grep -rn "\.get(.*id)\|\.filter(id=" --include="*.py" | grep -v "user_id\|owner"
|
|
318
|
+
|
|
319
|
+
# Mass assignment
|
|
320
|
+
grep -rn "\*\*request\.\|update(\*\*\|create(\*\*" --include="*.py"
|
|
321
|
+
|
|
322
|
+
# Path traversal risk
|
|
323
|
+
grep -rn "os\.path\.join.*request\|open(.*request" --include="*.py"
|
|
324
|
+
|
|
325
|
+
# Admin endpoints
|
|
326
|
+
grep -rn "admin\|superuser" --include="*.py" | grep "route\|endpoint"
|
|
327
|
+
```
|
|
328
|
+
|
|
329
|
+
---
|
|
330
|
+
|
|
331
|
+
## Authorization Testing
|
|
332
|
+
|
|
333
|
+
### Test Cases
|
|
334
|
+
|
|
335
|
+
1. **Horizontal access**: Can User A access User B's resources?
|
|
336
|
+
2. **Vertical access**: Can regular users access admin endpoints?
|
|
337
|
+
3. **Missing checks**: Are all endpoints protected?
|
|
338
|
+
4. **Parameter tampering**: Can IDs be manipulated?
|
|
339
|
+
5. **Path traversal**: Can file paths escape allowed directories?
|
|
340
|
+
6. **Mass assignment**: Can protected fields be modified?
|
|
341
|
+
|
|
342
|
+
### Test Automation
|
|
343
|
+
|
|
344
|
+
```python
|
|
345
|
+
def test_horizontal_access():
|
|
346
|
+
user_a = create_user()
|
|
347
|
+
user_b = create_user()
|
|
348
|
+
resource = create_resource(owner=user_a)
|
|
349
|
+
|
|
350
|
+
# User B should not access User A's resource
|
|
351
|
+
client.login(user_b)
|
|
352
|
+
response = client.get(f'/api/resources/{resource.id}')
|
|
353
|
+
assert response.status_code == 403
|
|
354
|
+
|
|
355
|
+
def test_idor_enumeration():
|
|
356
|
+
# Try sequential IDs
|
|
357
|
+
for i in range(1, 100):
|
|
358
|
+
response = client.get(f'/api/resources/{i}')
|
|
359
|
+
if response.status_code == 200:
|
|
360
|
+
# Should be denied or return 404, not 200
|
|
361
|
+
assert False, f"IDOR vulnerability: /api/resources/{i}"
|
|
362
|
+
```
|
|
363
|
+
|
|
364
|
+
---
|
|
365
|
+
|
|
366
|
+
## References
|
|
367
|
+
|
|
368
|
+
- [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
|
|
369
|
+
- [OWASP IDOR Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
|
|
370
|
+
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
|
|
371
|
+
- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
|
|
372
|
+
- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
|