authdrift 0.1.0__tar.gz

authdrift-0.1.0/.gitignore

@@ -0,0 +1,13 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+build/
+dist/
+.venv/
+venv/
+.pytest_cache/
+.semgrep/
+.semgrep_logs/
+.DS_Store
+*.swp
+fp-validation/

authdrift-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Srinathprasanna Neelagiri Chettiyar Shanmugam
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

authdrift-0.1.0/PKG-INFO

@@ -0,0 +1,88 @@
+Metadata-Version: 2.4
+Name: authdrift
+Version: 0.1.0
+Summary: Find OAuth handlers that will break when users rename their identifier.
+Project-URL: Homepage, https://github.com/Neelagiri65/authdrift
+Project-URL: Issues, https://github.com/Neelagiri65/authdrift/issues
+Author: Neelagiri
+License: MIT
+License-File: LICENSE
+Keywords: gmail,identity,oauth,oidc,phantom-user,sast,security,semgrep
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.9
+Requires-Dist: semgrep>=1.50.0
+Description-Content-Type: text/markdown
+
+# authdrift
+
+> Find OAuth handlers that will break when users rename their Gmail.
+
+On 31 March 2026, Google began letting users rename their primary Gmail address. Every OAuth integration that uses email as the user lookup key will silently create a duplicate account when a user renames. Most do.
+
+`authdrift` is a static analysis tool that scans your codebase for the exact patterns that explode on a Gmail rename — and on the ~0.04% baseline `sub`-claim drift Truffle Security documented in January 2025.
+
+## Install
+
+```bash
+pip install authdrift
+```
+
+Requires `semgrep` (installed automatically).
+
+## Use
+
+```bash
+authdrift scan ./
+```
+
+Example output:
+
+```
+src/auth/google.ts
+   12:18  WARNING  oauth-passport-email-as-primary-key
+            This OAuth handler is using `profile.emails[0].value` as a user lookup key.
+            When a user renames their Gmail address, this lookup will fail and your
+            application will silently create a duplicate user record.
+            Fix: use `profile.id` (the OIDC `sub` claim) as the immutable primary key.
+```
+
+JSON output for CI:
+
+```bash
+authdrift scan ./ --json
+```
+
+## Why this matters
+
+Atlassian's own KB confirms that SCIM email changes create duplicate Atlassian Cloud accounts. Google's developer documentation acknowledges that revoke + reauth produces duplicate accounts. The cascade is documented; the fix is not deployed.
+
+`authdrift` flags the exact code patterns that produce phantom users after a rename event. Three rules, narrowly scoped, designed to slot into CI alongside `semgrep`, `trufflehog`, and `gitleaks` without producing noise.
+
+## What it catches today
+
+- **Passport.js** handlers using `profile.emails[0].value` as a user lookup key (`passport-google-oauth20`, `passport-google-oauth2`)
+- **NextAuth** `signIn` callbacks resolving users by `user.email` against Prisma
+- **Python** (Django / SQLAlchemy) handlers querying by `userinfo['email']` from Google's userinfo response
+
+## What it deliberately does NOT do
+
+- Flag every reference to `email` in an OAuth file. The rules require the email value to be used as a lookup key, not just read or logged.
+- Flag handlers that key on `sub` / `profile.id` and use email only as a contact attribute.
+- Auto-fix anything. Read-only by design.
+
+## Roadmap
+
+- More OAuth library coverage (lucia-auth, authlib, omniauth, Clerk, Supabase Auth, Firebase Auth)
+- A `--fix` mode that suggests the `sub`-keyed equivalent
+- A hosted scan for organisations that can't run a CLI
+
+## License
+
+MIT.

authdrift-0.1.0/README.md

@@ -0,0 +1,66 @@
+# authdrift
+
+> Find OAuth handlers that will break when users rename their Gmail.
+
+On 31 March 2026, Google began letting users rename their primary Gmail address. Every OAuth integration that uses email as the user lookup key will silently create a duplicate account when a user renames. Most do.
+
+`authdrift` is a static analysis tool that scans your codebase for the exact patterns that explode on a Gmail rename — and on the ~0.04% baseline `sub`-claim drift Truffle Security documented in January 2025.
+
+## Install
+
+```bash
+pip install authdrift
+```
+
+Requires `semgrep` (installed automatically).
+
+## Use
+
+```bash
+authdrift scan ./
+```
+
+Example output:
+
+```
+src/auth/google.ts
+   12:18  WARNING  oauth-passport-email-as-primary-key
+            This OAuth handler is using `profile.emails[0].value` as a user lookup key.
+            When a user renames their Gmail address, this lookup will fail and your
+            application will silently create a duplicate user record.
+            Fix: use `profile.id` (the OIDC `sub` claim) as the immutable primary key.
+```
+
+JSON output for CI:
+
+```bash
+authdrift scan ./ --json
+```
+
+## Why this matters
+
+Atlassian's own KB confirms that SCIM email changes create duplicate Atlassian Cloud accounts. Google's developer documentation acknowledges that revoke + reauth produces duplicate accounts. The cascade is documented; the fix is not deployed.
+
+`authdrift` flags the exact code patterns that produce phantom users after a rename event. Three rules, narrowly scoped, designed to slot into CI alongside `semgrep`, `trufflehog`, and `gitleaks` without producing noise.
+
+## What it catches today
+
+- **Passport.js** handlers using `profile.emails[0].value` as a user lookup key (`passport-google-oauth20`, `passport-google-oauth2`)
+- **NextAuth** `signIn` callbacks resolving users by `user.email` against Prisma
+- **Python** (Django / SQLAlchemy) handlers querying by `userinfo['email']` from Google's userinfo response
+
+## What it deliberately does NOT do
+
+- Flag every reference to `email` in an OAuth file. The rules require the email value to be used as a lookup key, not just read or logged.
+- Flag handlers that key on `sub` / `profile.id` and use email only as a contact attribute.
+- Auto-fix anything. Read-only by design.
+
+## Roadmap
+
+- More OAuth library coverage (lucia-auth, authlib, omniauth, Clerk, Supabase Auth, Firebase Auth)
+- A `--fix` mode that suggests the `sub`-keyed equivalent
+- A hosted scan for organisations that can't run a CLI
+
+## License
+
+MIT.

authdrift-0.1.0/pyproject.toml

@@ -0,0 +1,53 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "authdrift"
+version = "0.1.0"
+description = "Find OAuth handlers that will break when users rename their identifier."
+readme = "README.md"
+requires-python = ">=3.9"
+license = { text = "MIT" }
+authors = [{ name = "Neelagiri" }]
+keywords = [
+  "oauth",
+  "oidc",
+  "security",
+  "sast",
+  "semgrep",
+  "identity",
+  "gmail",
+  "phantom-user",
+]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "Intended Audience :: System Administrators",
+  "Topic :: Security",
+  "Topic :: Software Development :: Quality Assurance",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+]
+dependencies = [
+  "semgrep>=1.50.0",
+]
+
+[project.scripts]
+authdrift = "authdrift.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/Neelagiri65/authdrift"
+Issues = "https://github.com/Neelagiri65/authdrift/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/authdrift"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+  "src/authdrift",
+  "README.md",
+  "LICENSE",
+  "tests",
+]

authdrift-0.1.0/src/authdrift/__init__.py

@@ -0,0 +1,3 @@
+"""authdrift — find OAuth handlers that break on identifier rename."""
+
+__version__ = "0.1.0"

authdrift-0.1.0/src/authdrift/cli.py

@@ -0,0 +1,89 @@
+"""authdrift CLI — wraps semgrep with the bundled authdrift ruleset."""
+
+from __future__ import annotations
+
+import argparse
+import os
+import shutil
+import subprocess
+import sys
+from importlib.resources import as_file, files
+
+from . import __version__
+
+
+def _rules_path() -> str:
+    """Return the on-disk path to the bundled rules directory."""
+    rules = files("authdrift").joinpath("rules")
+    with as_file(rules) as p:
+        return str(p)
+
+
+def _find_semgrep() -> str | None:
+    """Locate the semgrep executable.
+
+    Prefer the binary adjacent to the current Python interpreter so that
+    a venv-installed authdrift uses its venv-installed semgrep — even when
+    that venv is not active on PATH.
+    """
+    bin_dir = os.path.dirname(sys.executable)
+    candidate = os.path.join(bin_dir, "semgrep")
+    if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
+        return candidate
+    return shutil.which("semgrep")
+
+
+def _scan(path: str, json_output: bool) -> int:
+    semgrep_bin = _find_semgrep()
+    if semgrep_bin is None:
+        sys.stderr.write(
+            "authdrift: semgrep is required but was not found.\n"
+            "Install it with: pip install semgrep\n"
+        )
+        return 2
+
+    cmd = [semgrep_bin, "scan", "--config", _rules_path(), "--error", path]
+    if json_output:
+        cmd.append("--json")
+    return subprocess.call(cmd)
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(
+        prog="authdrift",
+        description=(
+            "Find OAuth handlers that will break when users rename their "
+            "identifier (e.g. a Gmail rename)."
+        ),
+    )
+    parser.add_argument(
+        "--version",
+        action="version",
+        version=f"authdrift {__version__}",
+    )
+    sub = parser.add_subparsers(dest="command", required=True)
+
+    scan = sub.add_parser("scan", help="Scan a directory for authdrift patterns.")
+    scan.add_argument(
+        "path",
+        nargs="?",
+        default=".",
+        help="Path to scan (default: current directory).",
+    )
+    scan.add_argument(
+        "--json",
+        action="store_true",
+        help="Emit semgrep JSON output instead of human-readable.",
+    )
+
+    args = parser.parse_args(argv)
+
+    if args.command == "scan":
+        return _scan(args.path, args.json)
+
+    parser.print_help()
+    return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

authdrift-0.1.0/src/authdrift/rules/oauth-email-key.yaml

@@ -0,0 +1,73 @@
+rules:
+  - id: oauth-passport-email-as-primary-key
+    message: |
+      This OAuth handler is using `profile.emails[0].value` as a user lookup key.
+
+      When a user renames their Gmail address (Google rolled out Gmail rename in
+      March 2026), the email returned by Google changes and your application will
+      silently create a duplicate user record — fragmenting their identity, audit
+      history, and ACLs. The same drift occurs in ~0.04% of normal Sign-in-with-Google
+      logins (Truffle Security, January 2025), independent of the rename feature.
+
+      Fix: use `profile.id` (the OIDC `sub` claim) as the immutable primary key.
+      Treat `profile.emails[0].value` as a mutable contact attribute, not an
+      identifier.
+
+      See: https://github.com/Neelagiri65/authdrift#why-this-matters
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $FN({..., email: $P.emails[0].value, ...})
+          - pattern: |
+              $FN({..., where: {email: $P.emails[0].value}})
+          - pattern: |
+              $FN({..., where: {email: $P.emails[0].value, ...}})
+
+  - id: nextauth-signin-callback-email-as-primary-key
+    message: |
+      This NextAuth `signIn` flow is resolving users by `email`. When a Google user
+      renames their Gmail address (March 2026 rollout), the email returned by the
+      provider changes and a duplicate user record will be created on next sign-in.
+
+      Fix: key the lookup on `account.providerAccountId` (the OIDC `sub` claim) and
+      treat email as a mutable contact attribute.
+
+      See: https://github.com/Neelagiri65/authdrift#why-this-matters
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    patterns:
+      - pattern-either:
+          - pattern: |
+              prisma.user.findUnique({where: {email: $U.email}})
+          - pattern: |
+              prisma.user.findFirst({where: {email: $U.email}})
+          - pattern: |
+              db.user.findUnique({where: {email: $U.email}})
+
+  - id: python-google-oauth-userinfo-email-as-primary-key
+    message: |
+      This handler queries a user by the `email` field returned from Google's OAuth
+      userinfo response. When the user renames their Gmail address (March 2026
+      rollout), the email field changes and a duplicate account will be created.
+
+      Fix: store and look up by `userinfo['sub']` (the immutable subject ID).
+      Treat email as a mutable contact attribute.
+
+      See: https://github.com/Neelagiri65/authdrift#why-this-matters
+    severity: WARNING
+    languages:
+      - python
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $MODEL.objects.get(email=$USERINFO['email'])
+          - pattern: |
+              $MODEL.objects.filter(email=$USERINFO['email']).first()
+          - pattern: |
+              $MODEL.query.filter_by(email=$USERINFO['email']).first()

authdrift-0.1.0/tests/fixtures/nextauth-vulnerable.ts

@@ -0,0 +1,24 @@
+// Should trigger nextauth-signin-callback-email-as-primary-key
+import NextAuth from 'next-auth';
+import GoogleProvider from 'next-auth/providers/google';
+import { prisma } from '@/lib/prisma';
+
+export default NextAuth({
+  providers: [
+    GoogleProvider({
+      clientId: process.env.GOOGLE_CLIENT_ID!,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
+    }),
+  ],
+  callbacks: {
+    async signIn({ user, account }) {
+      const existing = await prisma.user.findUnique({ where: { email: user.email } });
+      if (!existing) {
+        await prisma.user.create({
+          data: { email: user.email, name: user.name },
+        });
+      }
+      return true;
+    },
+  },
+});

authdrift-0.1.0/tests/fixtures/passport-safe.js

@@ -0,0 +1,20 @@
+// Should NOT trigger — keys on profile.id (the OIDC sub claim)
+const passport = require('passport');
+const GoogleStrategy = require('passport-google-oauth20').Strategy;
+
+passport.use(new GoogleStrategy({
+  clientID: process.env.GOOGLE_CLIENT_ID,
+  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+  callbackURL: '/auth/google/callback',
+}, async (accessToken, refreshToken, profile, done) => {
+  // Email is recorded as a contact attribute, but the lookup key is the immutable sub.
+  const user = await db.findUser({ googleId: profile.id });
+  if (!user) {
+    return db.createUser({
+      googleId: profile.id,
+      email: profile.emails[0].value,
+      name: profile.displayName,
+    }, done);
+  }
+  return done(null, user);
+}));

authdrift-0.1.0/tests/fixtures/passport-vulnerable.js

@@ -0,0 +1,15 @@
+// Should trigger oauth-passport-email-as-primary-key
+const passport = require('passport');
+const GoogleStrategy = require('passport-google-oauth20').Strategy;
+
+passport.use(new GoogleStrategy({
+  clientID: process.env.GOOGLE_CLIENT_ID,
+  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+  callbackURL: '/auth/google/callback',
+}, async (accessToken, refreshToken, profile, done) => {
+  const user = await db.findUser({ email: profile.emails[0].value });
+  if (!user) {
+    return db.createUser({ email: profile.emails[0].value, name: profile.displayName }, done);
+  }
+  return done(null, user);
+}));

authdrift-0.1.0/tests/fixtures/python-vulnerable.py

@@ -0,0 +1,25 @@
+# Should trigger python-google-oauth-userinfo-email-as-primary-key
+import requests
+from django.contrib.auth.models import User
+
+
+def google_oauth_callback(request):
+    code = request.GET.get("code")
+    token_resp = requests.post(
+        "https://oauth2.googleapis.com/token",
+        data={
+            "code": code,
+            "client_id": "...",
+            "client_secret": "...",
+            "redirect_uri": "...",
+            "grant_type": "authorization_code",
+        },
+    )
+    access_token = token_resp.json()["access_token"]
+    userinfo = requests.get(
+        "https://www.googleapis.com/oauth2/v3/userinfo",
+        headers={"Authorization": f"Bearer {access_token}"},
+    ).json()
+
+    user = User.objects.get(email=userinfo["email"])
+    return user