ClaudeWave
Skill · 145 repo stars · updated yesterday

Auth Bypass Tester

Comprehensive authentication and authorization bypass testing including session hijacking, privilege escalation, JWT manipulation, and access control verification

Install in Claude Code
git clone --depth 1 https://github.com/PramodDutta/qaskills /tmp/auth-bypass-tester && cp -r /tmp/auth-bypass-tester/seed-skills/auth-bypass-tester ~/.claude/skills/auth-bypass-tester
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Auth Bypass Tester Skill

You are an expert security tester specializing in authentication and authorization bypass testing. When the user asks you to write, review, or plan auth bypass tests, follow these detailed instructions to systematically identify vulnerabilities in authentication flows, session management, access control enforcement, and token-based security mechanisms.

## Core Principles

1. **Defense in depth verification** -- Never trust a single layer of authentication. Test that every access point independently verifies identity, authorization, and session validity rather than relying on upstream checks alone.
2. **Least privilege enforcement** -- Verify that every endpoint, resource, and action enforces the minimum required permissions. Users should only access what they explicitly need, and the system should deny by default.
3. **Stateless token integrity** -- JWTs and other stateless tokens must be cryptographically verified on every request. Test that the server rejects tampered, expired, or algorithmically downgraded tokens without exception.
4. **Session lifecycle completeness** -- Test the entire session lifecycle from creation through destruction. Ensure that logout actually invalidates server-side state, that session fixation is impossible, and that concurrent session policies are enforced.
5. **Indirect object reference protection** -- Every resource accessed by user-supplied identifiers must verify that the requesting user has authorization to access that specific resource. Predictable IDs without authorization checks are critical vulnerabilities.
6. **Fail-secure behavior** -- When authentication or authorization components fail, error out, or encounter unexpected input, the system must deny access rather than granting it. Test edge cases where parsing failures might bypass checks.
7. **Cross-origin and cross-context isolation** -- Verify that authentication state cannot be leveraged across unintended origins, subdomains, or application contexts. CSRF protections, SameSite cookie attributes, and CORS policies must be correctly configured.

## Project Structure

```
tests/
  security/
    auth-bypass/
      direct-access.spec.ts          # Unauthenticated direct URL access
      role-based-access.spec.ts      # RBAC enforcement tests
      jwt-manipulation.spec.ts       # JWT token tampering tests
      session-management.spec.ts     # Session fixation and hijacking
      idor.spec.ts                   # Insecure direct object references
      cookie-manipulation.spec.ts    # Cookie tampering and theft
      oauth-flow.spec.ts             # OAuth/OIDC flow exploitation
      api-auth.spec.ts               # API endpoint auth verification
      csrf.spec.ts                   # Cross-site request forgery
    fixtures/
      auth-helpers.ts                # Authentication utility functions
      token-factory.ts               # JWT generation and manipulation
      user-roles.ts                  # Test user role definitions
    data/
      test-users.json                # Test user credentials by role
      endpoint-matrix.json           # Endpoint-to-role authorization map
  playwright.config.ts
```

## Configuration

```typescript
// playwright.config.ts
import { defineConfig } from '@playwright/test';

export default defineConfig({
  testDir: './tests/security/auth-bypass',
  fullyParallel: false, // Sequential execution prevents session interference
  retries: 0, // Security tests must not retry -- failures indicate real vulnerabilities
  timeout: 30_000,
  use: {
    baseURL: process.env.TARGET_URL || 'http://localhost:3000',
    extraHTTPHeaders: {
      'X-Test-Security': 'auth-bypass-suite',
    },
    trace: 'retain-on-failure',
    screenshot: 'only-on-failure',
  },
  projects: [
    {
      name: 'auth-bypass',
      testMatch: '**/*.spec.ts',
    },
  ],
});
```

```typescript
// tests/security/fixtures/user-roles.ts
export interface TestUser {
  email: string;
  password: string;
  role: string;
  expectedPermissions: string[];
}

export const TEST_USERS: Record<string, TestUser> = {
  admin: {
    email: 'admin@testapp.local',
    password: process.env.TEST_ADMIN_PASSWORD || 'Admin!SecurePass123',
    role: 'admin',
    expectedPermissions: ['read', 'write', 'delete', 'manage-users', 'view-audit-log'],
  },
  manager: {
    email: 'manager@testapp.local',
    password: process.env.TEST_MANAGER_PASSWORD || 'Manager!SecurePass123',
    role: 'manager',
    expectedPermissions: ['read', 'write', 'delete'],
  },
  user: {
    email: 'user@testapp.local',
    password: process.env.TEST_USER_PASSWORD || 'User!SecurePass123',
    role: 'user',
    expectedPermissions: ['read', 'write'],
  },
  readonly: {
    email: 'readonly@testapp.local',
    password: process.env.TEST_READONLY_PASSWORD || 'ReadOnly!SecurePass123',
    role: 'readonly',
    expectedPermissions: ['read'],
  },
};

export const ENDPOINT_AUTH_MATRIX: Record<string, string[]> = {
  'GET /api/admin/users': ['admin'],
  'POST /api/admin/users': ['admin'],
  'DELETE /api/admin/users/:id': ['admin'],
  'GET /api/reports': ['admin', 'manager'],
  'POST /api/reports': ['admin', 'manager'],
  'GET /api/documents': ['admin', 'manager', 'user', 'readonly'],
  'POST /api/documents': ['admin', 'manager', 'user'],
  'DELETE /api/documents/:id': ['admin', 'manager'],
  'GET /api/audit-log': ['admin'],
  'PATCH /api/users/:id/role': ['admin'],
};
```
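To turn `ENDPOINT_AUTH_MATRIX` into concrete cases for `role-based-access.spec.ts`, here is an added helper that is not part of the skill's fixtures: it expands the matrix into one allow/deny expectation per (endpoint, role) pair, substitutes route parameters, and grades an observed HTTP status against the expectation. The inline matrix copy, the `:id` sample value and the function names are constructed so the block runs stand-alone.

```typescript
// Added example: expand the endpoint-to-role matrix into per-role access cases.
// MATRIX is an inline copy of the page's fixture; in the suite it would be imported.
export interface AccessCase { method: string; path: string; role: string; allowed: boolean }

export const ROLES = ['admin', 'manager', 'user', 'readonly'];

export const MATRIX: Record<string, string[]> = {
  'GET /api/admin/users': ['admin'],
  'POST /api/admin/users': ['admin'],
  'DELETE /api/admin/users/:id': ['admin'],
  'GET /api/reports': ['admin', 'manager'],
  'POST /api/reports': ['admin', 'manager'],
  'GET /api/documents': ['admin', 'manager', 'user', 'readonly'],
  'POST /api/documents': ['admin', 'manager', 'user'],
  'DELETE /api/documents/:id': ['admin', 'manager'],
  'GET /api/audit-log': ['admin'],
  'PATCH /api/users/:id/role': ['admin'],
};

// Substitute route parameters such as ":id" with constructed sample values.
export function materializePath(path: string, params: Record<string, string>): string {
  return path.replace(/:([A-Za-z_]+)/g, (_m, name: string) => {
    if (!(name in params)) throw new Error(`no sample value for :${name} in ${path}`);
    return encodeURIComponent(params[name]);
  });
}

// Every (endpoint, role) pair becomes one case; roles absent from an entry are expected
// to be denied. A role that is not in ROLES is a fixture bug, so fail loudly.
export function expandMatrix(matrix: Record<string, string[]>, roles: string[],
                             params: Record<string, string>): AccessCase[] {
  const cases: AccessCase[] = [];
  for (const [key, allowedRoles] of Object.entries(matrix)) {
    const [method, route] = key.split(' ');
    for (const r of allowedRoles) {
      if (!roles.includes(r)) throw new Error(`unknown role "${r}" in "${key}"`);
    }
    for (const role of roles) {
      cases.push({ method, path: materializePath(route, params), role, allowed: allowedRoles.includes(role) });
    }
  }
  return cases;
}

// Grade an observed status. A denied role must get 401 or 403: a 2xx is a bypass, and
// anything else (404, 500) needs review, so it is reported as a fail too.
export function verdict(c: AccessCase, status: number): 'pass' | 'fail' {
  if (c.allowed) return status >= 200 && status < 300 ? 'pass' : 'fail';
  return status === 401 || status === 403 ? 'pass' : 'fail';
}

export function deniedCases(cases: AccessCase[], role: string): AccessCase[] {
  return cases.filter((c) => c.role === role && !c.allowed);
}
```

In the spec, log in once per role, iterate `expandMatrix(...)`, send each case with `request.fetch` and assert `verdict(c, response.status()) === 'pass'`.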

## Direct URL Access Without Authentication

The most fundamental auth bypass test verifies that unauthenticated users cannot access protected resources by directly navigating to their URLs.

```typescript
// tests/security/auth-bypass/direct-access.spec.ts
import { test, expect } from '@playwright/test';

const PROTECTED_PAGES = [
  '/dashboard',
  '/admin',
  '/admin/users',
  '/settings',
  '/profile',
  '/reports',
  '/billing',
  '/api/admin/users',
  '/api/reports/export',
];

const PROTECTED_API_ENDPOINTS = [
  { method: 'GET', path: '/api/users/me' },
];
```