Secure authentication defaults

quarkusio/quarkus

Based on 4 comments

Java

Configure authentication mechanisms with secure default settings to prevent security vulnerabilities. When implementing WebAuthn or similar authentication protocols:

Security Java

Reviewer Prompt

Configure authentication mechanisms with secure default settings to prevent security vulnerabilities. When implementing WebAuthn or similar authentication protocols:

Avoid attestation bypasses: Do not include verifiers that allow skipping attestation checks.

// INCORRECT: Allows attestation bypass
return new WebAuthnAsyncManager(
    Arrays.asList(
        new NoneAttestationStatementAsyncVerifier(),
        // other verifiers
    )
);

Use recommended timeouts: Follow standard security recommendations for timeout values.

// INCORRECT: Too short for authentication ceremonies
this.timeout = config.timeout().orElse(Duration.ofSeconds(60));
   
// CORRECT: Use recommended 5 minutes
this.timeout = config.timeout().orElse(Duration.ofMinutes(5));

Enable security verifications by default: Features like user presence verification should be enabled by default.

// INCORRECT: Security feature disabled by default
this.userPresenceRequired = config.userPresenceRequired().orElse(false);
   
// CORRECT: Security feature enabled by default
this.userPresenceRequired = config.userPresenceRequired().orElse(true);

Prevent information disclosure: Avoid endpoints that expose account information to unauthenticated requests, which could enable account enumeration attacks.

// VULNERABLE: Returns user-specific credential information
// to unauthenticated requests
.map(challenge -> security.toJsonString(challenge))
.subscribe().with(challenge -> ok(ctx, challenge), ctx::fail);

Comments Analyzed

Java

Primary Language

Security

Secure authentication defaults

Reviewer Prompt

Source Discussions

Add Repository

Private Repository