بنقرة واحدة
authentication-patterns
Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Bun runtime: HTTP server, file I/O, SQLite, test runner, package manager, bundler — all-in-one JS toolchain.
Clerk: Drop-in auth UI, Organizations, User management, JWT templates, webhooks, Next.js middleware integration.
Gelişmiş masaüstü, tarayıcı ve işletim sistemi kontrol yeteneği. Görsel (koordinat tabanlı) fare/klavye otomasyonu, DOM manipülasyonu, pencere yönetimi, gelişmiş dosya, ağ ve süreç yönetimini kapsar.
Drizzle ORM: Schema definition, type-safe queries, migrations, relations, Postgres/SQLite/MySQL support.
Expo Router v3: File-based navigation, layouts, tabs, modals, deep linking, API routes, typed routes.
Flutter ile oyun geliştirme (Flame Engine vb.) ve karmaşık, büyük ölçekli mimariler kurma rehberi.
| name | authentication-patterns |
| description | Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO |
| triggers | {"extensions":[".ts",".tsx"],"directories":["auth/","middleware/"],"keywords":["auth","jwt","session","login","oauth","password","token","2fa"]} |
| auto_load_when | Building auth flows or middleware |
| agent | security-officer |
| tools | ["Read","Write","Bash"] |
Focus: Auth strategy selection, implementation patterns, security
Choose session when:
├── Server-rendered app (SSR)
├── Simple deployment (stateless)
└── Session store available (Redis)
Choose JWT when:
├── APIs, SPAs, mobile apps
├── Need stateless scaling
└── Cross-domain requirements
Choose OAuth/SSO when:
├── Social login needed
├── Enterprise SSO required
└── Identity delegation
Token structure:
├── Header: alg, typ
├── Payload: iss, sub, aud, exp, iat, claims
└── Signature: HMAC or RSA
Token types:
├── Access token: short-lived (15min-1hr)
├── Refresh token: long-lived (days-weeks)
└── ID token: identity claims only
Storage decisions:
├── Access: memory (JS only)
├── Refresh: httpOnly cookie
└── NEVER: localStorage (XSS vulnerable)
Never store plain text. Use:
├── Argon2id: best (memory-hard)
├── bcrypt: good, widely supported
└── scrypt: alternative
Validation requirements:
├── Minimum length (8+)
├── Complexity: mixed case, numbers, symbols
└── Check against known breaches (HaveIBeenPwned)
Auth flow:
1. Client sends plaintext
2. Server hashes + compare
3. Issue tokens on success
4. Log failed attempts
Authorization Code (web):
├── Redirect to auth server
├── Receive code via redirect
├── Exchange code for tokens
└── PKCE for public clients
Implicit (deprecated):
├── DO NOT USE
└── Tokens in URL, security risk
Client Credentials (M2M):
├── No user context
├── Service-to-service
└── Server-to-server
Device Code (IoT):
├── User authorizes on separate device
└── Poll for completion
TOTP (time-based):
├── Google Authenticator, Authy
├── 30-second rotating codes
└── 6-digit, easy UX
SMS (less secure):
├── Vulnerable to SIM swap
├── Phone number required
└── Use as fallback only
WebAuthn (passwordless):
├── Biometric or hardware key
├── Most secure
└── Cross-device support varies
When to require 2FA:
├── High-value actions (payments, settings)
├── Sensitive accounts
└── After suspicious activity
Session store:
├── Redis: fast, scalable
├── Database: simple, slower
└── In-memory: single server only
Session data:
├── User ID, creation time
├── Last activity
└── Device/browser info
Security:
├── Secure, httpOnly cookie
├── SameSite=strict/lax
├── Rotate on login
└── Expire inactive sessions
❌ Rolling your own auth from scratch
✅ Use battle-tested library (NextAuth, Auth.js, Clerk, Supabase Auth)
❌ Storing JWT in localStorage (XSS vulnerable)
✅ HttpOnly, Secure, SameSite=Strict cookies
❌ No refresh token rotation
✅ Rotate refresh token on every use; invalidate old on rotation
❌ Weak password policy (4 chars allowed)
✅ Min 12 chars, check against breached password DB (HaveIBeenPwned)
❌ Not expiring sessions on logout
✅ Invalidate session server-side on logout (blocklist or token version)
| Flow | Library | Note |
|---|---|---|
| OAuth 2.0 | Auth.js / NextAuth | Social login |
| Email/password | Lucia / better-auth | Full control |
| Passkeys | SimpleWebAuthn | FIDO2 |
| JWT | jose | RS256, not HS256 |
| MFA | speakeasy (TOTP) | Backup codes required |
| Session | iron-session | Encrypted cookie |