AUTH-001 recommended auth-system

Auth system is simple, not convoluted

The auth flow can be explained in 2-3 sentences, has a single entry point, and is obvious from the code.

Question to ask

"Explain your auth flow in 2 sentences — can you?"

Verification guide

Severity: Recommended

Check automatically:

  1. Find auth-related files:

    find . -type f \( -name "*auth*" -o -name "*session*" -o -name "*middleware*" \) \
      -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null
  2. Identify auth mechanism(s) in use:

    grep -rl "passport\|jsonwebtoken\|express-session\|next-auth\|lucia\|clerk\|auth0\|supabase/auth" \
      --include="*.ts" --include="*.js" --include="*.tsx" . 2>/dev/null | head -20
  3. Read auth files and trace the flow:

    • Read the identified auth files
    • Trace: request → auth check → user resolution → protected resource
    • Identify where tokens/sessions are created, validated, and invalidated

Pass criteria:

  • Auditor can explain the auth flow in 2-3 sentences
  • Single clear entry point for authentication
  • Auth mechanism is obvious from reading the code

Fail criteria:

  • Auditor cannot explain auth flow after reading code
  • Multiple competing auth mechanisms with unclear boundaries
  • Auth logic scattered with no discernible pattern
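Added example, not part of the AUTH-001 rule text: a shell script that automates steps 1 and 2 above and applies the "multiple competing auth mechanisms" fail criterion. Assumed: the library list mirrors the grep pattern above, and node_modules is excluded from the grep as well as the find so vendored code is not counted as a mechanism.

```shell
# Added example (not from the rule): automates steps 1 and 2 of the check and
# flags the "multiple competing auth mechanisms" fail criterion for step 3.
# Assumed: the library list mirrors the rule's grep pattern; node_modules and
# .git are also excluded from the grep so vendored code does not count.

AUTH_LIBS="passport jsonwebtoken express-session next-auth lucia clerk auth0 supabase/auth"

# Step 1: auth-related source files under $1, excluding node_modules and .git.
auth_files() {
  find "$1" -type f \( -name "*auth*" -o -name "*session*" -o -name "*middleware*" \) \
    -not -path "*/node_modules/*" -not -path "*/.git/*" 2>/dev/null | sort
}

# Step 2: each library from AUTH_LIBS that JS/TS code under $1 references, one per line.
auth_mechanisms() {
  for lib in $AUTH_LIBS; do
    if grep -rq --include="*.ts" --include="*.js" --include="*.tsx" \
         --exclude-dir=node_modules --exclude-dir=.git -e "$lib" "$1" 2>/dev/null; then
      echo "$lib"
    fi
  done
}

# Verdict on the automated part: "none", "single:<lib>" or "multiple:<count>".
# "multiple" is the fail criterion the auditor must then trace by hand (step 3).
auth_verdict() {
  n=$(auth_mechanisms "$1" | wc -l | tr -d ' ')
  case "$n" in
    0) echo "none" ;;
    1) echo "single:$(auth_mechanisms "$1")" ;;
    *) echo "multiple:$n" ;;
  esac
}

# Constructed sample project: a JWT middleware plus a separate express-session
# file (two mechanisms), and a vendored copy of passport that must be ignored.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/src/middleware" "$d/node_modules/passport"
  printf 'import jwt from "jsonwebtoken";\n' > "$d/src/middleware/auth.ts"
  printf 'import session from "express-session";\n' > "$d/src/session.js"
  printf 'var passport = require("passport");\n' > "$d/node_modules/passport/index.js"
  echo "$d"
}

sample=$(make_sample)
echo "auth files:"; auth_files "$sample"
echo "verdict: $(auth_verdict "$sample")"   # multiple:2
rm -rf "$sample"
```

A "multiple" verdict is only a prompt to trace the flow by hand; two libraries with clear boundaries (for example JWT for the API and sessions for an admin UI) can still pass if the auditor can explain them in 2-3 sentences.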

If auth flow is unclear, ask user: "Unable to trace the auth flow from the code. Can you explain how authentication works in this project?"

Evidence to capture:

  • Written explanation of auth flow (2-5 sentences)
  • Simple diagram if multiple components (e.g., "Request → Middleware → JWT validation → User lookup → Handler")
  • List of auth entry points (login, logout, token refresh)

Section: 03. Authentication & Endpoints