{
  "id": "review-ai-generated-auth-code",
  "type": "checklists",
  "category": "checklists",
  "locale": "fr",
  "url": "/fr/checklists/review-ai-generated-auth-code",
  "title": "Checklist for reviewing AI-generated authentication code",
  "description": "A human checklist for authentication code written by AI coding agents: sessions, JWTs, OAuth flows, and authorization logic for web applications.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex",
    "Windsurf"
  ],
  "stack": [
    "Next.js",
    "TypeScript",
    "PostgreSQL"
  ],
  "tags": [
    "auth",
    "security",
    "review",
    "typescript"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "AI-introduced authentication bugs are rarely caught in code review; they show up as account takeovers in production. This checklist covers the gaps that AI agents consistently miss.\n\n## Correctness\n\n```txt\n[ ] Session token is validated on every protected request, not just at login\n[ ] Password hashing uses bcrypt, argon2, or scrypt — never MD5, SHA-1, or unsalted SHA-256\n[ ] bcrypt work factor is 12 or higher (AI often defaults to 10)\n[ ] Password comparison uses a constant-time function — no string equality\n[ ] JWT signature algorithm is RS256 or ES256 in production — HS256 requires a shared secret\n[ ] JWT expiry (exp) claim is set and verified\n[ ] JWT is not trusted without verification — never decode without verifying the signature\n[ ] Refresh token rotation is implemented — old tokens are invalidated on use\n[ ] Email verification token is a cryptographically random value, not a predictable ID\n[ ] Password reset tokens expire (15–60 minutes) and are single-use\n[ ] OAuth state parameter is generated per request and validated on callback\n[ ] OAuth PKCE is implemented for authorization code flows in SPAs or mobile apps\n[ ] User ID from the session/JWT is used for DB queries — never from user-supplied input\n[ ] Role or permission is fetched from the database, not embedded in a client-editable token\n```\n\n## Security\n\n```txt\n[ ] Session cookies have Secure, HttpOnly, and SameSite=Strict or Lax flags\n[ ] Session ID is regenerated after privilege escalation (login, role change)\n[ ] No session fixation — session created before login is replaced after login\n[ ] Brute-force protection: rate limit on login, password reset, and OTP endpoints\n[ ] Account enumeration is prevented — login and password reset return identical messages\n[ ] Logout invalidates the server-side session, not just clears the client cookie\n[ ] CSRF protection is present on all state-changing authenticated endpoints\n[ ] Magic link tokens are bound to the requesting email — not reusable for other accounts\n[ ] Multi-tenant apps filter all queries by tenant_id derived from the session, not the URL\n[ ] Admin-only routes check role server-side — client-side redirect is not the only guard\n[ ] Secrets (JWT secret, OAuth client secret) come from environment variables, not source code\n[ ] No debug or test credentials left in the codebase or .env.example\n[ ] OAuth redirect_uri is validated against an allowlist, not a prefix match\n[ ] TOTP codes are verified with a time window of at most ±1 step (30-second window)\n[ ] Backup codes are hashed in the database, not stored in plaintext\n```\n\n## Performance\n\n```txt\n[ ] Session lookup uses the primary key or an indexed column — not a full table scan\n[ ] JWT verification does not hit the database on every request unless required for revocation\n[ ] Token blocklist (for logout/revocation) uses Redis or a fast KV store, not a SQL table scanned per request\n[ ] bcrypt is run in a worker thread or background process, not blocking the event loop\n```\n\n## AI-specific risks\n\n```txt\n[ ] AI has not implemented its own crypto primitives — only use audited libraries\n[ ] No custom JWT parsing with string split instead of a verification library\n[ ] next-auth v4 and Auth.js (v5) callbacks are not mixed — the API changed significantly\n[ ] AI has not used Math.random() for token generation — use crypto.randomBytes or Web Crypto\n[ ] AI has not assumed that checking isAuthenticated on the client is sufficient\n[ ] No phantom library APIs — verify method signatures against the actual installed version\n[ ] AI has not skipped the audience (aud) claim check on JWTs in multi-service architectures\n[ ] Middleware-based auth guards are paired with server-side checks — middleware can be bypassed\n```\n\n## Fix prompt\n\n```txt title=\"Fix Prompt\"\nReview this authentication code against the checklist above. Flag any missing\nsession validation, insecure token handling, account enumeration risks, or\nfabricated library APIs. Rewrite the insecure sections using the current\nAuth.js / better-auth API. Return fixed code only, with a comment on each\nchanged line explaining the security reason.\n```"
}