Who specifically is this intended for? It's a wonder that the model didn't spice things up with some tangential compliance catnip like FIPS or PCI DSS.
I would be curious to see the prompts used to create this.
Recently, I don't think there could be a better example of applicability of Brandolini's law.
I would love to see alternatives of educational code that implements these things in a "compliant" way.
Security does not come from Compliance (sometimes they are at odds) but as someone who is not an academically trained security professional but who has read NIST* in detail, implements such code and has passed a number of code reviews from security professionals. And who has been asked to do things like STRIDE risk assessment on products I write code for I do appreciate the references and links along side actual code of any kind.
Now to be fair, I have not yet looked at any of the code here, it's commit history or its level of AI-induced fantasy confidence in the validity of the specific solutions. That could be good or bad but the intent of this is really on point for me.
- the db select runs before the password has so you can detect if the account exists with timing attacks
- there is no enforced minimum nor maximum length on the stored secret (e..g para 5.1.1.1 and 5.1.1.2 recommend length range of 8 to 64 unicode printable chars normalized to some form i forget)
- there is no enforced min max length on the account identifier (in this case email) and no normalization
At least not in the code i saw. so there is still a lot of basics/low hanging fruit from NIST recommendations at least you would find in any production grade auth framework missing
Pretty sure all those are covered, upon more careful review. PRs open!
Edit: The create account I hadn't thought of for the email enum. Thanks!
Edit 2: Fixed up two schema issues identified and the last mitigated already via call: await passwords.rejectPasswordWithConstantTime(validatedData.password)
Who specifically is this intended for? It's a wonder that the model didn't spice things up with some tangential compliance catnip like FIPS or PCI DSS.
I would be curious to see the prompts used to create this.
Recently, I don't think there could be a better example of applicability of Brandolini's law.