A look at Cloudflare's AI-coded OAuth library
a year ago
- #AI-generated code
- #OAuth
- #Security
- Cloudflare's new OAuth provider library was largely written with the help of Anthropic's Claude LLM, with thorough review by engineers.
- The code is well-structured but lacks comprehensive tests, especially for critical security checks required by OAuth standards.
- Security concerns include overly permissive CORS headers, missing standard security headers, and an incorrect implementation of HTTP Basic client authentication.
- The library includes deprecated OAuth features like the implicit grant, indicating a lack of familiarity with current OAuth specifications.
- Token ID generation is flawed: its output is biased rather than uniformly random, which suggests the AI-generated code was not reviewed closely enough.
- The encryption design for the token store is smart but had initial flaws that required expert intervention to correct.
- The project highlights the necessity of deep expertise when using LLMs for critical systems like authentication, as AI can introduce serious security flaws.