Habilidades auth-implementation-patterns
🔐

auth-implementation-patterns

Seguro

Implement Secure Authentication Systems

También disponible en: wshobson

Learn battle-tested authentication and authorization patterns to build secure access control in your applications without reinventing the wheel.

Soporta: Claude Codex Code(CC)
🥉 75 Bronce
1

Descargar el ZIP de la skill

2

Subir en Claude

Ve a Configuración → Capacidades → Skills → Subir skill

3

Activa y empieza a usar

Pruébalo

Usando "auth-implementation-patterns". How do I implement JWT authentication in Express?

Resultado esperado:

A complete JWT implementation includes: 1) Generate tokens using jwt.sign() with secrets from environment variables, 2) Create authenticate middleware that verifies Bearer tokens, 3) Use short-lived access tokens (15min) with longer refresh tokens (7d), 4) Store refresh tokens hashed in database. See implementation-playbook.md Pattern 1 for full code.

Usando "auth-implementation-patterns". What's the difference between session and token-based auth?

Resultado esperado:

Session-based: Server stores state, session ID in cookie, simple but requires sticky sessions. Token-based (JWT): Stateless, self-contained claims, scales horizontally, but cannot revoke individual tokens easily. Choose sessions for traditional apps, JWT for APIs and microservices.

Usando "auth-implementation-patterns". How do I implement role-based authorization?

Resultado esperado:

Define roles in an enum (USER, MODERATOR, ADMIN), create a role hierarchy mapping, build requireRole() middleware that checks user role against allowed roles, apply middleware to protected routes. Example: app.delete('/users/:id', authenticate, requireRole('ADMIN'), handler)

Auditoría de seguridad

Seguro
v1 • 2/24/2026

Educational documentation skill containing authentication and authorization code patterns. All 67 static findings are false positives: backticks are markdown code fences, environment variable access demonstrates proper secret handling, and weak crypto mentions are in cautionary context. No actual security risks present.

2
Archivos escaneados
661
Líneas analizadas
0
hallazgos
1
Auditorías totales
No se encontraron problemas de seguridad
Auditado por: claude

Puntuación de calidad

38
Arquitectura
100
Mantenibilidad
87
Contenido
50
Comunidad
100
Seguridad
100
Cumplimiento de la especificación

Lo que puedes crear

Build JWT authentication from scratch

Implement complete token-based auth with access tokens, refresh tokens, and proper secret management

Add OAuth2 social login

Integrate Google and GitHub OAuth2 authentication into existing applications

Design authorization model

Create RBAC or permission-based access control systems for application resources

Prueba estos prompts

Basic JWT Setup 
Show me how to implement JWT authentication in Node.js with Express, including token generation and verification middleware
Refresh Token Flow 
Create a refresh token flow that securely stores refresh tokens in a database and issues new access tokens
OAuth2 Integration 
Implement Google OAuth2 login using Passport.js with JWT token generation after authentication
RBAC Authorization 
Design a role-based access control system with admin, moderator, and user roles, including middleware for permission checking

Mejores prácticas

  • Always use environment variables for secrets (JWT_SECRET, SESSION_SECRET) never hardcode credentials
  • Use short-lived access tokens (15-30 minutes) with separate refresh tokens for better security
  • Store refresh tokens hashed in database and implement token rotation on use

Evitar

  • Storing JWT in localStorage exposes tokens to XSS attacks - use httpOnly cookies instead
  • Not validating token expiration allows expired tokens to be used indefinitely
  • Client-side only authorization checks can be bypassed - always validate server-side

Preguntas frecuentes

When should I use session-based vs token-based authentication?
Use sessions for traditional server-rendered apps where you need simple logout and CSRF protection. Use tokens (JWT) for SPAs, mobile apps, and microservices where you need stateless authentication and cross-domain requests.
How do I securely store JWT secrets?
Never hardcode secrets in source code. Use environment variables (process.env.JWT_SECRET) and load them from .env files at runtime. Ensure .env is in .gitignore and secrets are injected from secure sources in production.
What's the difference between authentication and authorization?
Authentication (AuthN) verifies WHO a user is (login with credentials). Authorization (AuthZ) determines WHAT a user can DO (permissions, roles). Both are essential but serve different purposes in access control.
How do I implement refresh tokens securely?
Generate refresh tokens as random UUIDs, store hashed versions in database, set expiration (7-30 days), implement rotation (issue new refresh on each use), and allow revocation for logout or security events.
Can JWT tokens be revoked?
JWTs are stateless by design. To revoke: use a token blocklist in Redis/database, implement short expiration so tokens expire naturally, or use refresh token rotation to invalidate old token pairs.
What's the best way to handle password storage?
Always hash passwords using bcrypt or argon2 with high work factors (bcrypt cost 10-12). Never store plain passwords. Use salt automatically provided by bcrypt. Verify with bcrypt.compare().

Detalles del desarrollador

Autor

sickn33

Licencia

MIT

Repositorio

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/auth-implementation-patterns

Ref.

main

Estructura de archivos

📁 resources/

📄 implementation-playbook.md

📄 SKILL.md