ss-tools/specs/016-multi-user-auth/checklists/security.md
2026-01-27 13:26:06 +03:00

Security Requirements Checklist: Multi-User Auth

Purpose: Validate completeness and rigor of security requirements for authentication and authorization.
Created: 2026-01-27
Feature: Link to spec.md

Authentication Security

  • CHK001 Are password complexity requirements specified for local users? [Completeness, Gap] (Covered by T037)
  • CHK002 Is the exact hashing algorithm (bcrypt) and work factor specified? [Clarity, Spec §Research] (Covered by T006)
  • CHK003 Are account lockout policies defined for failed login attempts? [Coverage, Gap] (Covered by T033)
  • CHK004 Is the behavior for inactive/disabled accounts explicitly defined for both local and ADFS users? [Edge Case, Spec §Edge Cases] (Covered by T044)
  • CHK005 Are requirements defined for session revocation (e.g., logout, admin action)? [Completeness] (Covered by T043)

ADFS & SSO Security

  • CHK006 Are token validation requirements (signature, issuer, audience) specified for ADFS OIDC tokens? [Completeness] (Covered by T007)
  • CHK007 Is the mapping behavior defined when an ADFS user is removed from a mapped AD group? [Edge Case, Gap] (Covered by T028)
  • CHK008 Are requirements defined for handling ADFS token expiration and refresh? [Coverage] (Covered by T046)
  • CHK009 Is the JIT provisioning process secure against privilege escalation (e.g., default role)? [Security, Spec §FR-008] (Covered by T028)

Authorization & RBAC

  • CHK010 Are "default deny" requirements specified for plugin access? [Clarity, Spec §SC-002] (Covered by T020)
  • CHK011 Is the behavior defined when a user has multiple roles with conflicting permissions? [Edge Case, Gap] (Covered by T045)
  • CHK012 Are requirements specified for preventing admins from removing their own admin privileges (lockout prevention)? [Edge Case] (Covered by T022)
  • CHK013 Is the scope of "Execute" vs "Read" permission clearly defined for each plugin? [Clarity] (Covered by T019)

Data Protection

  • CHK014 Are requirements defined for protecting sensitive data (passwords, tokens) in logs? [Completeness, Spec §Constitution] (Covered by T047)
  • CHK015 Are HttpOnly and Secure flags required for session cookies? [Clarity, Spec §Research] (Covered by T032)
  • CHK016 Is the storage mechanism for ADFS client secrets defined securely? [Completeness] (Covered by T002)

API Security

  • CHK017 Are authentication requirements enforced on ALL API endpoints (except login)? [Coverage] (Covered by T021)
  • CHK018 Are rate limiting requirements defined for login endpoints to prevent brute force? [Gap] (Covered by T033)
  • CHK019 Are error messages required to be generic to avoid username enumeration? [Clarity] (Covered by T034)