원클릭으로
authentication-patterns
Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Bun runtime: HTTP server, file I/O, SQLite, test runner, package manager, bundler — all-in-one JS toolchain.
Clerk: Drop-in auth UI, Organizations, User management, JWT templates, webhooks, Next.js middleware integration.
Gelişmiş masaüstü, tarayıcı ve işletim sistemi kontrol yeteneği. Görsel (koordinat tabanlı) fare/klavye otomasyonu, DOM manipülasyonu, pencere yönetimi, gelişmiş dosya, ağ ve süreç yönetimini kapsar.
Drizzle ORM: Schema definition, type-safe queries, migrations, relations, Postgres/SQLite/MySQL support.
Expo Router v3: File-based navigation, layouts, tabs, modals, deep linking, API routes, typed routes.
Flutter ile oyun geliştirme (Flame Engine vb.) ve karmaşık, büyük ölçekli mimariler kurma rehberi.
| name | authentication-patterns |
| description | Auth flows: JWT, OAuth, sessions, tokens, password handling, 2FA, SSO |
| triggers | {"extensions":[".ts",".tsx"],"directories":["auth/","middleware/"],"keywords":["auth","jwt","session","login","oauth","password","token","2fa"]} |
| auto_load_when | Building auth flows or middleware |
| agent | security-officer |
| tools | ["Read","Write","Bash"] |
Focus: Auth strategy selection, implementation patterns, security
Choose session when:
├── Server-rendered app (SSR)
├── Simple deployment (stateless)
└── Session store available (Redis)
Choose JWT when:
├── APIs, SPAs, mobile apps
├── Need stateless scaling
└── Cross-domain requirements
Choose OAuth/SSO when:
├── Social login needed
├── Enterprise SSO required
└── Identity delegation
Token structure:
├── Header: alg, typ
├── Payload: iss, sub, aud, exp, iat, claims
└── Signature: HMAC or RSA
Token types:
├── Access token: short-lived (15min-1hr)
├── Refresh token: long-lived (days-weeks)
└── ID token: identity claims only
Storage decisions:
├── Access: memory (JS only)
├── Refresh: httpOnly cookie
└── NEVER: localStorage (XSS vulnerable)
Never store plain text. Use:
├── Argon2id: best (memory-hard)
├── bcrypt: good, widely supported
└── scrypt: alternative
Validation requirements:
├── Minimum length (8+)
├── Complexity: mixed case, numbers, symbols
└── Check against known breaches (HaveIBeenPwned)
Auth flow:
1. Client sends plaintext
2. Server hashes + compare
3. Issue tokens on success
4. Log failed attempts
Authorization Code (web):
├── Redirect to auth server
├── Receive code via redirect
├── Exchange code for tokens
└── PKCE for public clients
Implicit (deprecated):
├── DO NOT USE
└── Tokens in URL, security risk
Client Credentials (M2M):
├── No user context
├── Service-to-service
└── Server-to-server
Device Code (IoT):
├── User authorizes on separate device
└── Poll for completion
TOTP (time-based):
├── Google Authenticator, Authy
├── 30-second rotating codes
└── 6-digit, easy UX
SMS (less secure):
├── Vulnerable to SIM swap
├── Phone number required
└── Use as fallback only
WebAuthn (passwordless):
├── Biometric or hardware key
├── Most secure
└── Cross-device support varies
When to require 2FA:
├── High-value actions (payments, settings)
├── Sensitive accounts
└── After suspicious activity
Session store:
├── Redis: fast, scalable
├── Database: simple, slower
└── In-memory: single server only
Session data:
├── User ID, creation time
├── Last activity
└── Device/browser info
Security:
├── Secure, httpOnly cookie
├── SameSite=strict/lax
├── Rotate on login
└── Expire inactive sessions
❌ Rolling your own auth from scratch
✅ Use battle-tested library (NextAuth, Auth.js, Clerk, Supabase Auth)
❌ Storing JWT in localStorage (XSS vulnerable)
✅ HttpOnly, Secure, SameSite=Strict cookies
❌ No refresh token rotation
✅ Rotate refresh token on every use; invalidate old on rotation
❌ Weak password policy (4 chars allowed)
✅ Min 12 chars, check against breached password DB (HaveIBeenPwned)
❌ Not expiring sessions on logout
✅ Invalidate session server-side on logout (blocklist or token version)
| Flow | Library | Note |
|---|---|---|
| OAuth 2.0 | Auth.js / NextAuth | Social login |
| Email/password | Lucia / better-auth | Full control |
| Passkeys | SimpleWebAuthn | FIDO2 |
| JWT | jose | RS256, not HS256 |
| MFA | speakeasy (TOTP) | Backup codes required |
| Session | iron-session | Encrypted cookie |