registry  /  @jskit-ai/auth-provider-local-core  /  0.1.3

@jskit-ai/auth-provider-local-core@0.1.3

AI Security Review

scanned 10d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. Runtime behavior is a local authentication provider with optional SMTP password recovery and file-backed auth state.

Static reason
One or more suspicious static signals were detected.
Trigger
Application registers/boots AuthLocalServiceProvider or calls exported auth service methods.
Impact
Creates local auth secrets/state and sends recovery links only through configured application SMTP.
Mechanism
local auth state management and optional configured SMTP email
Rationale
Static source inspection shows an auth provider whose env access, token strings, local file writes, and SMTP use are package-aligned and user/runtime configured. The descriptor lists setup mutations, but there are no install-time hooks or unconsented broad control-surface writes in the package source.
Evidence
package.jsonpackage.descriptor.mjssrc/server/providers/AuthLocalServiceProvider.jssrc/server/lib/service.jssrc/server/lib/fileBackend.jssrc/server/lib/tokens.jssrc/server/lib/passwords.js.jskit/auth/session.secret.jskit/auth/users.passwd.jskit/auth/sessions.passwd.jskit/auth/recovery.passwd.jskit/auth/store.lock.jskit/auth/transaction.journal

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
  • package.descriptor.mjs declares explicit app config mutations for .env and .gitignore, but no npm lifecycle hook applies them automatically.
  • src/server/providers/AuthLocalServiceProvider.js reads process.env and can create .jskit/auth/session.secret at provider boot when selected.
  • src/server/lib/service.js can send password recovery email through configured SMTP.
Evidence against
  • package.json has no preinstall/install/postinstall hooks and only exports server provider/lib entrypoints.
  • src/server/lib/service.js implements local auth flows: register, login, sessions, password reset, cookies, and SMTP recovery.
  • src/server/lib/fileBackend.js writes only configured local auth store files users.passwd, sessions.passwd, recovery.passwd, lock, and journal.
  • No child_process, eval, remote payload loading, credential harvesting, or hardcoded exfiltration endpoint found.
  • Network use is nodemailer to user-configured SMTP, package-aligned for password recovery.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystem
Supply chain
HighEntropyStrings
Manifest
NoLicense
scanned 8 file(s), 48.9 KB of source

Source & flagged code

19 flagged · loading source
src/server/lib/service.jsView file
148patternName = generic_password severity = medium line = 148 matchedText = password...rs."
Medium
Secret Pattern

Package contains a possible secret pattern.

src/server/lib/service.jsView on unpkg · L148
test/providerRuntime.test.jsView file
106patternName = generic_password severity = medium line = 106 matchedText = password...le",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L106
167patternName = generic_password severity = medium line = 167 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L167
173patternName = generic_password severity = medium line = 173 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L173
260patternName = generic_password severity = medium line = 260 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L260
347patternName = generic_password severity = medium line = 347 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L347
353patternName = generic_password severity = medium line = 353 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L353
370patternName = generic_password severity = medium line = 370 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L370
383patternName = generic_password severity = medium line = 383 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L383
415patternName = generic_password severity = medium line = 415 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L415
423patternName = generic_password severity = medium line = 423 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L423
429patternName = generic_password severity = medium line = 429 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L429
439patternName = generic_password severity = medium line = 439 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L439
464patternName = generic_password severity = medium line = 464 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L464
483patternName = generic_password severity = medium line = 483 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L483
513patternName = generic_password severity = medium line = 513 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L513
519patternName = generic_password severity = medium line = 519 matchedText = password...lue"
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L519
551patternName = generic_password severity = medium line = 551 matchedText = password...ue",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L551
579patternName = generic_password severity = medium line = 579 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in test/providerRuntime.test.js

test/providerRuntime.test.jsView on unpkg · L579

Findings

20 Medium4 Low
MediumSecret Patternsrc/server/lib/service.js
MediumEnvironment Vars
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
MediumSecret Patterntest/providerRuntime.test.js
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowNo License