https://blog.abhipraya.dev/tags/authentication/Recent content in Authentication on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaMon, 30 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w2-security/Mon, 30 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w2-security/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two security-relevant features merged this week that directly address OWASP Top 10 vulnerabilities: blocking inactive accounts from authenticating (SIRA-215) and enforcing session limits with proper invalidation (SIRA-214). SAST results are now also surfaced automatically on every MR via the CI report system.</p> <hr> <h2 id="owasp-a07-authentication-failures"> <a class="anchor" href="#owasp-a07-authentication-failures" data-anchor="owasp-a07-authentication-failures" aria-hidden="true">#</a> OWASP A07: Authentication Failures </h2> <p>OWASP A07 covers broken authentication, including cases where deactivated or suspended accounts can still access the system. Before SIRA-215 (MR !104), deactivating a user in the admin panel only prevented login via the UI — a valid JWT issued before deactivation still passed every auth check.</p>