Perform a defensive review of authentication and authorization flows in an authorized codebase. Use for login, session, MFA, OAuth, password reset, cookie security, JWT validation, impersonation, privilege checks, and object-level access control.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Perform a defensive review of authentication and authorization flows in an authorized codebase. Use for login, session, MFA, OAuth, password reset, cookie security, JWT validation, impersonation, privilege checks, and object-level access control.
Auth Review
Focus
login and logout correctness
session fixation and invalidation
cookie flags and token storage
reset, invite, recovery, and MFA flows
server-side authorization and object-level checks
impersonation, elevation, and admin escape hatches
Review prompts
Are checks enforced server-side on every sensitive action?
Does auth depend on user-controlled headers, origins, or claims?
Are session boundaries rotated after identity change?
Can one user access another user's objects through predictable identifiers?
Output
Use the Patchman findings format and call out auth assumptions explicitly.