Help wanted: additional OAuth library patterns

[Neelagiri65]

authdrift v0.1.0 ships with three Semgrep rules covering passport.js, NextAuth + Prisma, and Python (Django/SQLAlchemy). These catch the most common patterns, but there are many more OAuth libraries where email is used as the identity key.

Patterns we'd like to add:

• lucia-auth (Lucia v3) — session/user creation by email
• authlib (Python) — Google OAuth handlers keying on email
• omniauth-google-oauth2 (Ruby/Rails) — find_by(email:) in callback
• Clerk — custom sign-in flows resolving by email
• Supabase Auth — email-keyed auth.users lookups in RLS policies or Edge Functions
• Firebase Auth — getUserByEmail() as the primary identity lookup
• Spring Security OAuth2 (Java) — UserDetailsService keyed on email
• ASP.NET Identity (C#) — FindByEmailAsync in external login callbacks

If you've seen this pattern in another library or framework, open a PR with:

1. A new rule in src/authdrift/rules/ following the existing YAML format
2. A vulnerable fixture in tests/fixtures/ that triggers the rule
3. A safe fixture that does NOT trigger (uses sub/provider ID instead)

The CI will validate that your rule fires on the vulnerable fixture and stays silent on the safe one.

[yw13931835525-cyber]

💼 Quote from 河北高软科技有限公司

Hi @Neelagiri65! We're 河北高软科技有限公司 (Hebei Gaosuan Technology Co., Ltd.) — an AI-driven development company specializing in security code analysis. We can implement the OAuth security rules for you!

Our Bid: OAuth Library Semgrep Rules — $500-1,000

We can implement all 8 requested patterns:

1. lucia-auth (Lucia v3) — Session/user creation by email detection
2. authlib (Python) — Google OAuth handlers keying on email
3. omniauth-google-oauth2 (Ruby/Rails) — find_by(email:) in callback detection
4. Clerk — Custom sign-in flows resolving by email
5. Supabase Auth — email-keyed auth.users lookups in RLS policies or Edge Functions
6. Firebase Auth — getUserByEmail() as primary identity lookup
7. Spring Security OAuth2 (Java) — UserDetailsService keyed on email
8. ASP.NET Identity (C#) — FindByEmailAsync in external login callbacks

Each rule includes:

• YAML rule file in src/authdrift/rules/
• Vulnerable fixture in tests/fixtures/ triggering the rule
• Safe fixture that does NOT trigger (using sub/provider ID)

Delivery: 3-5 business days (rules can be delivered in batches)

Payment

• Accepted: EVM wallet (0x6FCBd5d14FB296933A4f5a515933B153bA24370E), USDT, USDC, or crypto

Let me know if you'd like to proceed!

[xyaz1313]

Hey, I'd like to work on this. I've written Semgrep rules for security scanning in past projects and I'm familiar with OAuth patterns across multiple frameworks (Firebase Auth, Supabase, Spring Security). Happy to start with a couple of the libraries you listed and submit PRs.

[Neelagiri65]

Shipped. Three new rules landed in 7ba9bc0:

• authlib-google-oauth-email-as-primary-key — catches userinfo.get('email') and SQLAlchemy db.session.query patterns (Flask/Django + authlib)
• firebase-auth-getUserByEmail — catches admin.auth().getUserByEmail(), getAuth().getUserByEmail(), and generic $AUTH.getUserByEmail()
• lucia-auth-email-as-primary-key — catches Lucia v3 Kysely-style db.table("user").where("email", "=", ...) and db.getUserByEmail()

Each rule ships with a vulnerable fixture (must trigger) and a safe fixture (must not trigger). Validated locally and in CI. Zero false positives across the full 11-fixture safe matrix.

@xyaz1313 — your authlib, Firebase, and Lucia rules from the fork were a good starting point. I deduplicated the authlib patterns against the existing Python rule (the objects.get and objects.filter variants already existed), kept the userinfo.get('email') and db.session.query patterns that added new coverage, and added the missing safe fixtures for Firebase and Lucia. Attribution in the commit message.

The CI workflow is now dynamic — it validates every vulnerable fixture individually instead of hardcoding a finding count. New rule contributions get tested automatically on PR. No manual verification needed.

Still open on this issue: omniauth (Ruby), Clerk, and Supabase Auth. If anyone wants to pick those up, the pattern is established — add a rule to src/authdrift/rules/, add a *-vulnerable.* and safe-*.* fixture pair to tests/fixtures/, and the CI handles the rest.