Security posture

The current Next.js implementation is a prototype and should not be used as a production identity provider.

Highest-risk findings

  • Signup marks email addresses verified without mailbox proof.
  • Account email management can set attached emails as verified.
  • Credential and OTP routes lack shared production rate limits.
  • Device approval does not clearly show requesting client and scopes before approval.
  • JWT private signing keys are stored in the application database.
  • WebAuthn needs server-side user-present and user-verified enforcement.
  • TOTP secrets need encrypted storage and pending enrollment state.
  • Organization domain challenge ownership needs stricter transfer rules.
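As an added example (not the prototype's code), the first three findings above written the way the rewrite posture asks for: a small Rust model of signup, email attachment and a shared rate limiter, with the regression tests that would fail against the prototype's behaviour. `Account`, `RateLimiter`, the token handling and the `/otp/verify` route name are assumptions about the rewrite, not its real API.

```rust
// Added example, not the prototype's code: the first three findings above as
// the regression tests the rewrite posture calls for. Account, RateLimiter and
// the token handling are assumptions about the Rust rewrite, not its real API.
use std::collections::HashMap;

#[derive(Debug, Default)]
pub struct Account {
    emails: HashMap<String, bool>, // address -> verified
    // Outstanding mailbox-proof tokens by address. In-memory stand-in: a real
    // store would hold a random token's hash and an expiry, never the token.
    pending: HashMap<String, String>,
}

impl Account {
    /// Signup records the address but never marks it verified; `token` is what
    /// the mailer sends, so only someone reading the mailbox can finish the proof.
    pub fn signup(address: &str, token: &str) -> Account {
        let mut acct = Account::default();
        acct.attach_email(address, token);
        acct
    }

    /// Account email management uses the same path: an attached address starts
    /// unverified and there is deliberately no setter that skips the proof.
    pub fn attach_email(&mut self, address: &str, token: &str) {
        self.emails.insert(address.to_string(), false);
        self.pending.insert(address.to_string(), token.to_string());
    }

    /// The only transition to verified. The token is consumed on success so a
    /// verification link cannot be replayed.
    pub fn verify_email(&mut self, address: &str, token: &str) -> bool {
        let ok = matches!(self.pending.get(address), Some(t) if ct_eq(t.as_bytes(), token.as_bytes()));
        if ok {
            self.pending.remove(address);
            self.emails.insert(address.to_string(), true);
        }
        ok
    }

    pub fn is_verified(&self, address: &str) -> bool {
        self.emails.get(address).copied().unwrap_or(false)
    }
}

// Constant-time byte comparison; revealing the length is fine for fixed-length tokens.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// One fixed-window limiter shared by the credential and OTP routes, keyed by
/// (route, subject). `now_secs` is injected so tests are deterministic.
pub struct RateLimiter {
    max_attempts: u32,
    window_secs: u64,
    windows: HashMap<(String, String), (u64, u32)>, // (window start, attempts)
}

impl RateLimiter {
    pub fn new(max_attempts: u32, window_secs: u64) -> Self {
        Self { max_attempts, window_secs, windows: HashMap::new() }
    }

    /// Records an attempt and says whether it may proceed. Call it before
    /// checking the credential or OTP so that wrong guesses count too.
    pub fn allow(&mut self, route: &str, subject: &str, now_secs: u64) -> bool {
        let (max, window) = (self.max_attempts, self.window_secs);
        let slot = self.windows.entry((route.to_string(), subject.to_string())).or_insert((now_secs, 0));
        if now_secs.saturating_sub(slot.0) >= window {
            *slot = (now_secs, 0); // window rolled over: start counting again
        }
        if slot.1 >= max { return false; }
        slot.1 += 1;
        true
    }
}

#[test]
fn signup_and_attached_emails_need_mailbox_proof() {
    let mut acct = Account::signup("alice@example.com", "token-1");
    assert!(!acct.is_verified("alice@example.com"));
    acct.attach_email("alice@work.example", "token-2");
    assert!(!acct.verify_email("alice@work.example", "token-1")); // wrong token
    assert!(acct.verify_email("alice@work.example", "token-2"));
    assert!(!acct.verify_email("alice@work.example", "token-2")); // replay
    assert!(acct.is_verified("alice@work.example"));
}

#[test]
fn otp_route_is_rate_limited_per_subject() {
    let mut rl = RateLimiter::new(5, 60);
    for _ in 0..5 { assert!(rl.allow("/otp/verify", "alice", 1_000)); }
    assert!(!rl.allow("/otp/verify", "alice", 1_030)); // sixth attempt in window
    assert!(rl.allow("/otp/verify", "bob", 1_030)); // other subject has its own budget
    assert!(rl.allow("/otp/verify", "alice", 1_060)); // window rolled over
}
```

Run it with `cargo test` (or `rustc --test`). The point of the tests is that they encode the finding as a contract: `verify_email` is the only way an address becomes verified, and the limiter is one shared object rather than per-route ad-hoc counters.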

Positive controls to preserve

  • Authorization codes are hashed.
  • Authorization-code redemption is transactional.
  • PKCE S256 is required in the documented flow.
  • Client secrets are hashed.
  • Flow-binding cookies protect several sign-in continuations.
  • Access tokens are stored by hash for lookup/revocation.

Rewrite posture

Every known prototype flaw should become a negative test in Rust: a test that fails whenever the flaw is reintroduced. The provider should not advertise a feature until the feature is implemented, documented, and covered by regression tests.