MergeShield Demo
Add user authentication with JWT tokens
Risk: 62/100 (High)
Awaiting approval before merge. Risk score 62 exceeds threshold (50).
Summary
This PR introduces JWT-based authentication across the application. The security risk is elevated due to token handling in client-side storage and a missing token rotation mechanism. The blast radius is moderate as it affects middleware, API routes, and the user model. Test coverage is incomplete for edge cases like expired tokens and concurrent sessions.
Model: claude-sonnet-4-20250514 | Duration: 12400 ms | Tokens: 4280
AI Context: TypeScript, 12 deps, README
Policy Adjustments Applied
AI Score: 76 → Adjusted Score: 62 (-14 from "Security file cap")
Custom risk policies adjusted the AI-generated score based on file patterns and author rules.
Risk Scores
| Dimension | Score |
|---|---|
| Overall | 62/100 |
| Complexity | 45/100 |
| Security | 78/100 |
| Blast Radius | 55/100 |
| Test Coverage | 60/100 |
| Breaking Change | 35/100 |
File-Level Risk
| File | Risk | Category | Details |
|---|---|---|---|
| src/lib/auth.ts | 82 | Security | Core authentication logic with JWT secret handling and token generation |
| src/middleware/auth.ts | 68 | Blast Radius | Middleware applied to all 12 authenticated API routes |
| src/models/user.ts | 55 | Breaking Change | Schema changes to user model affect existing database records |
| src/routes/auth.ts | 50 | Security | Login and signup endpoints handle raw credentials |
| src/lib/token-store.ts | 45 | Security | Client-side token storage using localStorage (XSS-vulnerable) |
Security (78/100)
Findings
- JWT secret is loaded from environment but fallback uses a hardcoded default value in development mode (src/lib/auth.ts:14)
- Access tokens stored in localStorage are vulnerable to XSS attacks — consider httpOnly cookies
- No token refresh/rotation mechanism — compromised tokens remain valid until expiry
- Password hashing uses bcrypt with cost factor 10 (acceptable but consider increasing to 12)
Suggestions
- Remove hardcoded fallback secret and fail closed when JWT_SECRET is not set
- Migrate token storage from localStorage to httpOnly secure cookies
- Implement refresh token rotation with short-lived access tokens (15 min) and longer refresh tokens (7 d)
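As an added example (not code from the PR under review), the first and third suggestions in TypeScript: fail-closed loading of JWT_SECRET, and single-use refresh tokens with the 15-minute/7-day lifetimes, where replaying an already-rotated token revokes the whole token family. The function names and the in-memory store are assumptions standing in for the PR's own modules.

```typescript
import { randomBytes } from "node:crypto";

// Finding: `process.env.JWT_SECRET ?? "dev-secret"` lets a missing variable silently
// sign tokens with a public value. Fail closed: refuse to start without a real secret.
function loadJwtSecret(env: Record<string, string | undefined>): string {
  const secret = env.JWT_SECRET;
  if (!secret || secret.length < 32) {
    throw new Error("JWT_SECRET must be set to at least 32 characters; refusing to start");
  }
  return secret;
}

// Suggestion: short-lived access tokens, longer refresh tokens, rotation on every use.
const ACCESS_TTL_MS = 15 * 60 * 1000;           // 15 minutes
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;  // 7 days

interface RefreshRecord {
  userId: string;
  family: string;     // all tokens descending from one login share a family id
  expiresAt: number;
  used: boolean;
}

// In-memory stand-in for a persistent token store (assumption: a database in production).
class RefreshTokenStore {
  private records = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();

  issue(userId: string, now: number, family: string = randomBytes(8).toString("hex")) {
    const refreshToken = randomBytes(32).toString("hex");
    this.records.set(refreshToken, { userId, family, expiresAt: now + REFRESH_TTL_MS, used: false });
    return { userId, refreshToken, accessExpiresAt: now + ACCESS_TTL_MS };
  }

  // Each refresh token is single-use. A token presented twice has been copied by
  // someone, so the whole family is revoked rather than handing out another pair.
  rotate(refreshToken: string, now: number) {
    const rec = this.records.get(refreshToken);
    if (!rec || rec.expiresAt <= now || this.revokedFamilies.has(rec.family)) return null;
    if (rec.used) {
      this.revokedFamilies.add(rec.family);
      return null;
    }
    rec.used = true;
    return this.issue(rec.userId, now, rec.family);
  }
}
```

The access token itself would still be signed with the loaded secret (e.g. via jsonwebtoken) and delivered in an httpOnly, Secure cookie rather than localStorage, per the second suggestion.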
Blast Radius (55/100)
Findings
- Auth middleware added to 12 API routes — affects all authenticated endpoints
- User model schema changed — existing sessions will be invalidated on deploy
- New dependency: jsonwebtoken@9.0.2 (1.2 MB, 3 transitive deps)
Suggestions
- Add database migration script for user schema changes
- Consider a gradual rollout with a feature flag to avoid breaking all sessions at once
Test Coverage (60/100)
Findings
- Happy path tests cover login, signup, and token validation
- No tests for expired token handling or invalid token formats
- Missing integration tests for middleware chain (auth → rate limit → handler)
- No tests for concurrent session behavior
Suggestions
- Add edge case tests: expired tokens, malformed tokens, missing auth header
- Add integration test for the full middleware chain
Complexity (45/100)
Findings
- 14 files changed across 3 packages (auth, api, types)
- Auth middleware uses clear separation of concerns with composable handlers
- JWT utility functions are well-documented with TypeScript types
Suggestions
- Consider extracting auth types into a shared package for reuse
Breaking Change (35/100)
Findings
- API routes now require an Authorization header — unauthenticated clients will receive 401
- User model adds required fields — existing records need migration
Suggestions
- Document the API change in CHANGELOG and notify API consumers
- Provide migration script for existing user records