AUTH-009 recommended http-endpoints

Auth check is cheap

Per-request authentication is a JWT signature check or a cached session lookup; the primary database is not queried on every request.

Question to ask

"Every request hitting the DB just to verify who you are?"

Verification guide

Severity: Recommended

Check automatically:

  1. Identify the auth validation mechanism:

    # JWT verification (cheap: a local signature and expiry check, no I/O)
    grep -rn "jwt\.verify\|jsonwebtoken\|jose\|verifyToken" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
    # Session lookup (cost depends on the store: a cache is cheap, the primary DB is not)
    grep -rn "session\.\|getSession\|findSession" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  2. Check whether auth hits the database on every request:

    # Look at the body of the auth middleware for ORM/query calls.
    # A hit only on the cache-miss branch is fine; a hit on the unconditional path is the finding.
    grep -rn -A15 "isAuthenticated\|requireAuth\|authMiddleware" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules \
      | grep -i "prisma\|mongoose\|knex\|findOne\|findById\|query"
    
  3. Check for expensive operations in the auth flow:

    # Password-hash comparison belongs in login, registration and password change only.
    # Any match inside request middleware or an API-key check is a failure.
    grep -rn "bcrypt\.compare\|argon2\.verify\|scrypt\|pbkdf2" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    
  4. Check for caching on session/user lookups:

    # Redis session store, or an in-process cache in front of the user lookup
    grep -rn "redis\|memcached\|cache\.\|lru-cache" \
      --include="*.ts" --include="*.js" . 2>/dev/null | grep -v node_modules
    

Pass criteria:

  • JWT-based: signature and expiry verified locally, no DB call per request. A stateless token cannot see a logout or a disabled account, so pair it with a short lifetime or a cheap revocation check (denylist in the cache), not a DB lookup
  • Session-based: session store is Redis or in-process memory, not the primary DB (in-process memory only works for a single instance and is lost on restart)
  • User/permission lookup (if needed) is cached with a bounded TTL; a role change or account disable is invisible until the entry expires
  • No password hashing/comparison on every request

Fail criteria:

  • Database query on every authenticated request to look up the session
  • User record or permissions fetched from the DB on every request without caching
  • Expensive crypto (bcrypt/argon2/scrypt) outside login, registration or password change

If the DB is hit on every request, ask user: "Auth appears to query the database on every request. Is this cached? Consider Redis-backed sessions or JWTs to reduce DB load; if you move to JWTs, keep token lifetimes short or add a cheap revocation check, since a signature check alone cannot see a logout or a disabled account."

Evidence to capture:

  • Auth validation method (JWT, session, API key)
  • Whether the DB is hit per request, and on which path (unconditional vs. cache miss only)
  • Caching mechanism (if any) and its TTL
  • Token lifetime and revocation check (if JWT-based), since these bound how long a logout or account disable goes unseen

Section

03. Authentication & Endpoints
