auth-patterns

Name: auth-patterns
Rating: 9.1 (226 reviews)
Author: MadAppGang

by MadAppGang24819GitHub

Provides ready-to-use authentication and authorization patterns for backend applications, including JWT, session-based auth, OAuth 2.0, password security, RBAC, ABAC, and security best practices with TypeScript examples. Covers token storage, rate limiting, account lockout, MFA, and refresh token rotation.

Unlock Deep Analysis

Use AI to visualize the workflow and generate a realistic output preview for this skill.

Target Audience

Backend developers building secure applications, especially those implementing authentication for the first time or looking to improve existing systems

10/10Security

Low security risk, safe to use

Clarity

Practicality

Quality

Maintainability

Innovation

Backend

authenticationauthorizationsecurity-patternsjwtoauth

Compatible Agents

Claude Code

~/.claude/skills/

Codex CLI

~/.codex/skills/

Gemini CLI

~/.gemini/skills/

OpenCode

~/.opencode/skills/

OpenClaw

~/.openclaw/skills/

GitHub Copilot

~/.copilot/skills/

Cursor

~/.cursor/skills/

Windsurf

~/.codeium/windsurf/skills/

Cline

~/.cline/skills/

Roo Code

~/.roo/skills/

Kiro

~/.kiro/skills/

Junie

~/.junie/skills/

Augment Code

~/.augment/skills/

Warp

~/.warp/skills/

Goose

~/.config/goose/skills/

SKILL.md

Auth Patterns — Authentication & Authorization

SECURITY-CRITICAL SKILL — Auth is the front door. Get it wrong and nothing else matters.

Authentication Methods

Method	How It Works	Best For
JWT	Signed token sent with each request	SPAs, microservices, mobile APIs
Session-based	Server stores session, client holds cookie	Traditional web apps, SSR
OAuth 2.0	Delegated auth via authorization server	"Login with Google/GitHub", API access
API Keys	Static key sent in header	Internal services, public APIs
Magic Links	One-time login link via email	Low-friction onboarding, B2C
Passkeys/WebAuthn	Hardware/biometric challenge-response	High-security apps, passwordless

JWT Patterns

Dual-Token Strategy

Short-lived access token + long-lived refresh token:

Client → POST /auth/login → Server
Client ← { access_token, refresh_token }

Client → GET /api/data (Authorization: Bearer <access>) → Server
Client ← 401 Expired

Client → POST /auth/refresh { refresh_token } → Server
Client ← { new_access_token, rotated_refresh_token }

Token Structure

{
  "header": { "alg": "RS256", "typ": "JWT", "kid": "key-2024-01" },
  "payload": {
    "sub": "user_abc123",
    "iss": "https://auth.example.com",
    "aud": "https://api.example.com",
    "exp": 1700000900,
    "iat": 1700000000,
    "jti": "unique-token-id",
    "roles": ["user"],
    "scope": "read:profile write:profile"
  }
}

Signing Algorithms

Algorithm	Type	When to Use
RS256	Asymmetric (RSA)	Microservices — only auth server holds private key
ES256	Asymmetric (ECDSA)	Same as RS256, smaller keys and signatures
HS256	Symmetric	Single-server apps — all verifiers share secret

Prefer RS256/ES256 in distributed systems.

Token Storage

Storage	XSS Safe	CSRF Safe	Recommendation
httpOnly cookie	Yes	No (add CSRF token)	Best for web apps
localStorage	No	Yes	Avoid — XSS exposes tokens
In-memory	Yes	Yes	Good for SPAs, lost on refresh

Set-Cookie: access_token=eyJ...; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=900

Expiration Strategy

Token	Lifetime	Rotation
Access token	5–15 minutes	Issued on refresh
Refresh token	7–30 days	Rotate on every use
ID token	Match access token	Not refreshed

OAuth 2.0 Flows

Flow	Client Type	When to Use
Authorization Code + PKCE	Public (SPA, mobile)	Default for all public clients
Authorization Code	Confidential (server)	Server-rendered web apps with backend
Client Credentials	Machine-to-machine	Service-to-service, cron jobs
Device Code	Input-constrained	Smart TVs, IoT, CLI on headless servers

Implicit flow is deprecated. Always use Authorization Code + PKCE for public clients.

PKCE Flow

1. Client generates code_verifier (random 43-128 chars)
2. Client computes code_challenge = BASE64URL(SHA256(code_verifier))
3. Redirect to /authorize?code_challenge=...&code_challenge_method=S256
4. User authenticates, server redirects back with authorization code
5. Client exchanges code + code_verifier for tokens at /token
6. Server verifies SHA256(code_verifier) == code_challenge

Session Management

Server-Side Sessions

Client Cookie:  session_id=a1b2c3d4 (opaque, random, no user data)
Server Store:   { "a1b2c3d4": { userId: 123, roles: ["admin"], expiresAt: ... } }

Store	Speed	When to Use
Redis	Fast	Production default — TTL support, horizontal scaling
PostgreSQL	Moderate	When Redis is overkill, need audit trail
In-memory	Fastest	Development only

Session Security

Threat	Prevention
Session fixation	Regenerate session ID after login
Session hijacking	httpOnly + Secure cookies, bind to IP/user-agent
CSRF	SameSite cookies + CSRF tokens
Idle timeout	Expire after 15–30 min inactivity
Absolute timeout	Force re-auth after 8–24 hours

Authorization Patterns

Pattern	Granularity	When to Use
RBAC	Coarse (admin, editor, viewer)	Most apps — simple role hierarchy
ABAC	Fine (attributes: dept, time, location)	Enterprise — context-dependent access
Permission-based	Medium (post:create, user:delete)	APIs — decouple permissions from roles
Policy-based (OPA/Cedar)	Fine	Microservices — externalized, auditable rules
ReBAC	Fine (owner, member, shared-with)	Social apps, Google Drive-style sharing

RBAC Implementation

const ROLE_PERMISSIONS: Record<string, string[]> = {
  admin:  ["user:read", "user:write", "user:delete", "post:read", "post:write", "post:delete"],
  editor: ["user:read", "post:read", "post:write"],
  viewer: ["user:read", "post:read"],
};

function requirePermission(permission: string) {
  return (req: Request, res: Response, next: NextFunction) => {
    const permissions = ROLE_PERMISSIONS[req.user.role] ?? [];
    if (!permissions.includes(permission)) {
      return res.status(403).json({ error: "Forbidden" });
    }
    next();
  };
}

app.delete("/api/users/:id", requirePermission("user:delete"), deleteUser);

Password Security

Algorithm	Recommended	Memory-Hard	Notes
Argon2id	First choice	Yes	Resists GPU/ASIC attacks
bcrypt	Yes	No	Battle-tested, 72-byte limit
scrypt	Yes	Yes	Good alternative
PBKDF2	Acceptable	No	NIST approved, weaker vs GPU
SHA-256/MD5	Never	No	Not password hashing

NIST 800-63B: Favor length (12+ chars) over complexity rules. Check against breached password lists. Don't force periodic rotation unless breach suspected.

Multi-Factor Authentication

Factor	Security	Notes
TOTP (Authenticator app)	High	Offline-capable, Google Authenticator / Authy
WebAuthn/Passkeys	Highest	Phishing-resistant, hardware-backed
SMS OTP	Medium	Vulnerable to SIM swap — avoid for high-security
Hardware keys (FIDO2)	Highest	YubiKey — best for admin accounts
Backup codes	Low (fallback)	One-time use, generate 10, store hashed

Security Headers

Header	Value
Strict-Transport-Security	`max-age=63072000; includeSubDomains; preload`
Content-Security-Policy	Restrict script sources, no inline scripts
X-Content-Type-Options	`nosniff`
X-Frame-Options	`DENY`
Referrer-Policy	`strict-origin-when-cross-origin`
CORS	Whitelist specific origins, never `*` with credentials

Common Vulnerabilities

#	Vulnerability	Prevention
1	Broken authentication	MFA, strong password policy, breach detection
2	Session fixation	Regenerate session ID on login
3	JWT `alg:none` attack	Reject `none`, validate `alg` against allowlist
4	JWT secret brute force	Use RS256/ES256, strong secrets (256+ bits)
5	CSRF	SameSite cookies, CSRF tokens
6	Credential stuffing	Rate limiting, breached password check, MFA
7	Insecure password storage	Argon2id/bcrypt, never encrypt (hash instead)
8	Insecure password reset	Signed time-limited tokens, invalidate after use
9	Open redirect	Validate redirect URIs against allowlist
10	Token leakage in URL	Send tokens in headers or httpOnly cookies only
11	Privilege escalation	Server-side role checks on every request
12	OAuth redirect_uri mismatch	Exact match redirect URI validation, no wildcards
13	Timing attacks	Constant-time comparison for secrets

NEVER Do

#	Rule	Why
1	NEVER store passwords in plaintext or reversible encryption	One breach exposes every user
2	NEVER put tokens in URLs or query parameters	Logged by servers, proxies, referrer headers
3	NEVER use `alg: none` or allow algorithm switching in JWTs	Attacker forges tokens
4	NEVER trust client-side role/permission claims	Users can modify any client-side value
5	NEVER use MD5, SHA-1, or plain SHA-256 for password hashing	No salt, no work factor — cracked in seconds
6	NEVER skip HTTPS in production	Tokens and credentials sent in cleartext
7	NEVER log tokens, passwords, or secrets	Logs are broadly accessible and retained
8	NEVER use long-lived tokens without rotation	A single leak grants indefinite access
9	NEVER implement your own crypto	Use established libraries — jose, bcrypt, passport
10	NEVER return different errors for "user not found" vs "wrong password"	Enables user enumeration

Source: https://github.com/MadAppGang/claude-code#plugins~dev~skills~backend~auth-patterns

Content curated from original sources, copyright belongs to authors

Grade S

9.1AI Score

Best Practices

Checking...

Try this Skill

User Rating

USER RATING

0UP

0DOWN

Loading files...

WORKS WITH

Claude

Codex

Gemini