Prompt
Configure authentication mechanisms with secure default settings to prevent security vulnerabilities. When implementing WebAuthn or similar authentication protocols:
- Avoid attestation bypasses: do not include verifiers that allow skipping attestation checks.

  ```java
  // INCORRECT: allows attestation bypass by accepting "none" attestation
  return new WebAuthnAsyncManager(
      Arrays.asList(
          new NoneAttestationStatementAsyncVerifier(),
          // other verifiers
      )
  );
  ```

- Use recommended timeouts: follow standard security recommendations for timeout values.

  ```java
  // INCORRECT: too short for authentication ceremonies
  this.timeout = config.timeout().orElse(Duration.ofSeconds(60));

  // CORRECT: use the recommended 5 minutes
  this.timeout = config.timeout().orElse(Duration.ofMinutes(5));
  ```

- Enable security verifications by default: features like user presence verification should be enabled by default.

  ```java
  // INCORRECT: security feature disabled by default
  this.userPresenceRequired = config.userPresenceRequired().orElse(false);

  // CORRECT: security feature enabled by default
  this.userPresenceRequired = config.userPresenceRequired().orElse(true);
  ```

- Prevent information disclosure: avoid endpoints that expose account information to unauthenticated requests, which could enable account enumeration attacks.

  ```java
  // VULNERABLE: returns user-specific credential information
  // to unauthenticated requests
  .map(challenge -> security.toJsonString(challenge))
  .subscribe().with(challenge -> ok(ctx, challenge), ctx::fail);
  ```
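The following is an added, self-contained Python illustration of the secure-default and enumeration points above; it is not the reviewed project's code. `WebAuthnSettings`, `resolve_settings`, `login_challenge_vulnerable`, `login_challenge` and the `USER_CREDENTIALS` sample store are all constructed for this example.

```python
"""Secure-default WebAuthn relying-party settings and a challenge endpoint
that does not reveal whether an account exists (constructed example)."""
import secrets
from dataclasses import dataclass
from datetime import timedelta

# Constructed sample of registered credential ids per user (base64url).
USER_CREDENTIALS = {"alice": ["Y3JlZC1hbGljZS0x"]}

RECOMMENDED_TIMEOUT = timedelta(minutes=5)


@dataclass(frozen=True)
class WebAuthnSettings:
    timeout: timedelta
    user_presence_required: bool
    attestation_formats: tuple


def resolve_settings(config: dict) -> WebAuthnSettings:
    """Apply secure defaults: a missing value falls back to the safe choice,
    and a verifier list that would accept 'none' attestation is rejected
    instead of silently allowed."""
    fmts = tuple(config.get("attestation_formats", ("packed", "fido-u2f")))
    if "none" in fmts:
        raise ValueError("attestation bypass: 'none' verifier configured")
    return WebAuthnSettings(
        timeout=config.get("timeout", RECOMMENDED_TIMEOUT),
        user_presence_required=config.get("user_presence_required", True),
        attestation_formats=fmts,
    )


def login_challenge_vulnerable(username: str) -> dict:
    """Leaks account existence: unknown users get an error, known users get
    their credential ids, all before any authentication has happened."""
    creds = USER_CREDENTIALS.get(username)
    if creds is None:
        return {"error": "unknown user"}
    return {"challenge": secrets.token_urlsafe(32),
            "allowCredentials": [{"type": "public-key", "id": c} for c in creds]}


def login_challenge() -> dict:
    """Same response shape for every caller: only a fresh random challenge.
    The credential lookup happens after the signed assertion comes back."""
    return {"challenge": secrets.token_urlsafe(32), "allowCredentials": []}
```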