auth-security
Install: `claude install-skill majiayu000/claude-arsenal`
# Auth Security
## Core Principles
- **OAuth 2.1** — Follow RFC 9700 (January 2025)
- **PKCE Required** — All clients must use PKCE
- **Short-lived Tokens** — Access tokens expire in 5-15 minutes
- **Token Rotation** — Refresh tokens are single-use
- **HttpOnly Storage** — Browser tokens in HttpOnly cookies
- **Explicit Algorithm** — Never trust JWT header algorithm
- **No backwards compatibility** — Delete deprecated auth flows
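The "Explicit Algorithm" and "Short-lived Tokens" principles above, shown as an added example that is not part of the skill's own code. It verifies an HS256 token with Node's built-in `crypto` only; the verifier pins the algorithm itself and uses the header's `alg` purely as an equality check, so a token claiming `none` or another algorithm is rejected before any signature work. The secret and the sample tokens are constructed for the demo.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Constructed shared secret for the example only (assumption: HS256 symmetric key).
const EXAMPLE_SECRET = 'example-shared-secret-do-not-use';

function b64url(input: string): string {
  return Buffer.from(input, 'utf8').toString('base64url');
}

// Mint an HS256 token; used here only to build sample inputs for the verifier.
function signHS256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Verify with a fixed, caller-chosen algorithm. The header's `alg` never selects
// the verification routine; it is only compared against the expected value.
// `nowSec` is injectable so expiry can be tested deterministically.
function verifyHS256(
  token: string,
  secret: string,
  nowSec: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, b, s] = parts;

  let header: { alg?: unknown };
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (header.alg !== 'HS256') return null; // rejects 'none', RS256, anything unexpected

  // Constant-time comparison of the submitted signature against our own HMAC.
  const expected = createHmac('sha256', secret).update(`${h}.${b}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  let payload: Record<string, unknown>;
  try {
    payload = JSON.parse(Buffer.from(b, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Short-lived tokens: `exp` is mandatory and must be in the future.
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) return null;
  return payload;
}

// Sample inputs, constructed for the demo.
const NOW = 1_700_000_000;
const validToken = signHS256({ sub: 'user-1', exp: NOW + 600 }, EXAMPLE_SECRET);
const expiredToken = signHS256({ sub: 'user-1', exp: NOW - 1 }, EXAMPLE_SECRET);
// A forged token whose header asks for alg "none" and carries no signature.
const noneToken = `${b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${b64url(
  JSON.stringify({ sub: 'user-1', exp: NOW + 600 }),
)}.`;
```

Note the order of checks: algorithm, then signature, then claims. Parsing the payload before the signature is verified would mean acting on attacker-controlled JSON.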
---
## OAuth 2.1 Key Changes
### Deprecated Flows (DO NOT USE)
| Flow | Status | Replacement |
|------|--------|-------------|
| Implicit Grant | Removed | Authorization Code + PKCE |
| Password Grant | Removed | Authorization Code + PKCE |
| Auth Code without PKCE | Removed | Must use PKCE |
### Required: Authorization Code + PKCE
```typescript
import crypto from 'crypto';

// Client registration values (placeholders; substitute your own)
const CLIENT_ID = 'your-client-id';
const REDIRECT_URI = 'https://app.example.com/callback';

// 1. Generate code verifier (43-128 chars; 32 random bytes -> 43 base64url chars)
function generateCodeVerifier(): string {
  return crypto.randomBytes(32).toString('base64url');
}

// 2. Generate code challenge (S256 method: base64url(SHA-256(verifier)))
function generateCodeChallenge(verifier: string): string {
  return crypto
    .createHash('sha256')
    .update(verifier)
    .digest('base64url');
}

// 3. Authorization request
const verifier = generateCodeVerifier();
const challenge = generateCodeChallenge(verifier);
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('code_challenge', challenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
```
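The snippet above covers the client half of PKCE. The following added example (not the skill's own code) carries the flow through to the part that actually provides the protection: the authorization server's check at token exchange, which recomputes S256 over the submitted `code_verifier`, compares it to the challenge stored with the code in constant time, and consumes the code on first use so a stolen code cannot be replayed. `CLIENT_ID`, `REDIRECT_URI`, `AUTHORIZE_ENDPOINT` and the in-memory `pendingCodes` map are assumptions standing in for real registration data and a real store.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'crypto';

// Assumed client registration (placeholders, not real endpoints).
const CLIENT_ID = 'example-client';
const REDIRECT_URI = 'https://app.example.com/callback';
const AUTHORIZE_ENDPOINT = 'https://auth.example.com/authorize';

// RFC 7636 code_verifier: 43-128 chars from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function generateCodeVerifier(): string {
  return randomBytes(32).toString('base64url'); // 43 chars, all unreserved
}

function generateCodeChallenge(verifier: string): string {
  return createHash('sha256').update(verifier).digest('base64url');
}

// Client side: the authorization request carrying the challenge and a state nonce.
function buildAuthorizationUrl(challenge: string, state: string): string {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('code_challenge', challenge);
  url.searchParams.set('code_challenge_method', 'S256');
  url.searchParams.set('state', state);
  return url.toString();
}

// Server side: what the authorization server records against each issued code.
interface PendingCode {
  challenge: string;
  clientId: string;
  redirectUri: string;
}
const pendingCodes = new Map<string, PendingCode>(); // stand-in for the AS's persistent store

// Called when the user approves the request: only S256 is accepted, so a client
// that omits PKCE or asks for the "plain" method never receives a code.
function issueAuthorizationCode(
  challenge: string,
  method: string | null,
  clientId: string,
  redirectUri: string,
): string {
  if (method !== 'S256') throw new Error('code_challenge_method must be S256');
  const code = randomBytes(16).toString('base64url');
  pendingCodes.set(code, { challenge, clientId, redirectUri });
  return code;
}

// Called at the token endpoint. The code is deleted before any check runs, so it
// is single-use whether or not the exchange succeeds.
function verifyTokenExchange(
  code: string,
  verifier: string,
  clientId: string,
  redirectUri: string,
): boolean {
  const pending = pendingCodes.get(code);
  pendingCodes.delete(code);
  if (!pending) return false; // unknown or already-used code
  if (pending.clientId !== clientId || pending.redirectUri !== redirectUri) return false;
  if (!VERIFIER_RE.test(verifier)) return false; // malformed verifier
  const expected = Buffer.from(pending.challenge, 'utf8');
  const actual = Buffer.from(generateCodeChallenge(verifier), 'utf8');
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

Binding the stored `client_id` and `redirect_uri` to the code, and checking them again at exchange, is what stops a code captured from one redirect from being cashed in by a different client.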