| name | auth |
| description | Authentication and authorization patterns including OAuth2, JWT, RBAC/ABAC, session management, API keys, password hashing, and MFA. Use when implementing login, access control, identity management, tokens, permissions, or security features. |
Authentication & Authorization
Overview
This skill covers comprehensive authentication and authorization strategies for modern applications. It includes identity verification (authentication), access control (authorization), and secure credential management across web, mobile, and API contexts.
Key Concepts
OAuth2 Flows
Authorization Code Flow - Best for server-side applications:
const authUrl = new URL("https://auth.example.com/authorize");
authUrl.searchParams.set("response_type", "code");
authUrl.searchParams.set("client_id", CLIENT_ID);
authUrl.searchParams.set("redirect_uri", REDIRECT_URI);
authUrl.searchParams.set("scope", "openid profile email");
authUrl.searchParams.set("state", generateSecureState());
async function exchangeCode(code: string): Promise<TokenResponse> {
const response = await fetch("https://auth.example.com/token", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
grant_type: "authorization_code",
code,
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET,
redirect_uri: REDIRECT_URI,
}),
});
return response.json();
}
PKCE Flow - Required for public clients (SPAs, mobile apps):
function generatePKCE(): { verifier: string; challenge: string } {
const verifier = base64UrlEncode(crypto.getRandomValues(new Uint8Array(32)));
const challenge = base64UrlEncode(
await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier)),
);
return { verifier, challenge };
}
authUrl.searchParams.set("code_challenge", challenge);
authUrl.searchParams.set("code_challenge_method", "S256");
body.set("code_verifier", verifier);
Client Credentials Flow - For service-to-service communication:
async function getServiceToken(): Promise<string> {
const response = await fetch("https://auth.example.com/token", {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
Authorization: `Basic ${btoa(`${CLIENT_ID}:${CLIENT_SECRET}`)}`,
},
body: new URLSearchParams({
grant_type: "client_credentials",
scope: "api:read api:write",
}),
});
return (await response.json()).access_token;
}
JWT Handling
Token Structure and Signing:
import jwt from "jsonwebtoken";
interface TokenPayload {
sub: string;
iss: string;
aud: string;
exp: number;
iat: number;
roles: string[];
}
function signToken(payload: Omit<TokenPayload, "iat" | "exp">): string {
return jwt.sign(
{ ...payload, iat: Math.floor(Date.now() / 1000) },
PRIVATE_KEY,
{
algorithm: "RS256",
expiresIn: "15m",
issuer: "https://api.example.com",
audience: "https://app.example.com",
},
);
}
function verifyToken(token: string): TokenPayload {
return jwt.verify(token, PUBLIC_KEY, {
algorithms: ["RS256"],
issuer: "https://api.example.com",
audience: "https://app.example.com",
}) as TokenPayload;
}
Refresh Token Pattern:
interface TokenPair {
accessToken: string;
refreshToken: string;
}
async function refreshTokens(refreshToken: string): Promise<TokenPair> {
const storedToken = await db.refreshTokens.findUnique({
where: { token: hashToken(refreshToken) },
});
if (!storedToken || storedToken.expiresAt < new Date()) {
throw new UnauthorizedError("Invalid refresh token");
}
await db.refreshTokens.delete({ where: { id: storedToken.id } });
const newRefreshToken = generateSecureToken();
await db.refreshTokens.create({
data: {
token: hashToken(newRefreshToken),
userId: storedToken.userId,
expiresAt: addDays(new Date(), 7),
},
});
return {
accessToken: signToken({ sub: storedToken.userId, roles: [] }),
refreshToken: newRefreshToken,
};
}
RBAC (Role-Based Access Control)
const ROLES = {
admin: [
"users:read",
"users:write",
"users:delete",
"reports:read",
"settings:write",
],
manager: ["users:read", "users:write", "reports:read"],
user: ["users:read:own", "reports:read:own"],
} as const;
type Role = keyof typeof ROLES;
type Permission = (typeof ROLES)[Role][number];
function requirePermission(permission: Permission) {
return (req: Request, res: Response, next: NextFunction) => {
const userRoles: Role[] = req.user.roles;
const userPermissions = userRoles.flatMap((role) => ROLES[role]);
const [resource, action, scope] = permission.split(":");
const basePermission = `${resource}:${action}`;
const hasPermission =
userPermissions.includes(permission) ||
(scope === "own" && userPermissions.includes(basePermission));
if (!hasPermission) {
return res.status(403).json({ error: "Forbidden" });
}
next();
};
}
app.delete("/users/:id", requirePermission("users:delete"), deleteUser);
ABAC (Attribute-Based Access Control)
interface PolicyContext {
subject: { id: string; roles: string[]; department: string };
resource: { type: string; owner: string; classification: string };
action: string;
environment: { time: Date; ip: string };
}
type Policy = (ctx: PolicyContext) => boolean;
const policies: Policy[] = [
(ctx) => ctx.resource.owner === ctx.subject.id,
(ctx) =>
ctx.subject.roles.includes("manager") &&
ctx.resource.department === ctx.subject.department,
(ctx) => {
if (ctx.resource.classification === "confidential") {
const hour = ctx.environment.time.getHours();
return hour >= 9 && hour < 17;
}
return true;
},
];
function checkAccess(ctx: PolicyContext): boolean {
return policies.every((policy) => policy(ctx));
}
Session Management
import { Redis } from "ioredis";
const redis = new Redis();
const SESSION_TTL = 24 * 60 * 60;
interface Session {
userId: string;
createdAt: number;
lastActivity: number;
userAgent: string;
ip: string;
}
async function createSession(userId: string, req: Request): Promise<string> {
const sessionId = crypto.randomUUID();
const session: Session = {
userId,
createdAt: Date.now(),
lastActivity: Date.now(),
userAgent: req.headers["user-agent"] || "",
ip: req.ip,
};
await redis.setex(
`session:${sessionId}`,
SESSION_TTL,
JSON.stringify(session),
);
await redis.sadd(`user-sessions:${userId}`, sessionId);
return sessionId;
}
async function validateSession(sessionId: string): Promise<Session | null> {
const data = await redis.get(`session:${sessionId}`);
if (!data) return null;
const session: Session = JSON.parse(data);
session.lastActivity = Date.now();
await redis.setex(
`session:${sessionId}`,
SESSION_TTL,
JSON.stringify(session),
);
return session;
}
async function invalidateAllUserSessions(userId: string): Promise<void> {
const sessionIds = await redis.smembers(`user-sessions:${userId}`);
if (sessionIds.length > 0) {
await redis.del(...sessionIds.map((id) => `session:${id}`));
await redis.del(`user-sessions:${userId}`);
}
}
API Key Strategies
interface ApiKey {
id: string;
prefix: string;
hash: string;
name: string;
scopes: string[];
rateLimit: number;
expiresAt: Date | null;
lastUsedAt: Date | null;
}
function generateApiKey(): { key: string; prefix: string; hash: string } {
const key = `sk_live_${crypto.randomBytes(32).toString("base64url")}`;
return {
key,
prefix: key.substring(0, 16),
hash: crypto.createHash("sha256").update(key).digest("hex"),
};
}
async function validateApiKey(key: string): Promise<ApiKey> {
const hash = crypto.createHash("sha256").update(key).digest("hex");
const apiKey = await db.apiKeys.findUnique({ where: { hash } });
if (!apiKey) throw new UnauthorizedError("Invalid API key");
if (apiKey.expiresAt && apiKey.expiresAt < new Date()) {
throw new UnauthorizedError("API key expired");
}
const rateLimitKey = `ratelimit:${apiKey.id}`;
const requests = await redis.incr(rateLimitKey);
if (requests === 1) await redis.expire(rateLimitKey, 60);
if (requests > apiKey.rateLimit) {
throw new TooManyRequestsError("Rate limit exceeded");
}
db.apiKeys.update({
where: { id: apiKey.id },
data: { lastUsedAt: new Date() },
});
return apiKey;
}
Password Hashing
import argon2 from "argon2";
import bcrypt from "bcrypt";
async function hashPasswordArgon2(password: string): Promise<string> {
return argon2.hash(password, {
type: argon2.argon2id,
memoryCost: 65536,
timeCost: 3,
parallelism: 4,
});
}
async function verifyPasswordArgon2(
hash: string,
password: string,
): Promise<boolean> {
return argon2.verify(hash, password);
}
const BCRYPT_ROUNDS = 12;
async function hashPasswordBcrypt(password: string): Promise<string> {
return bcrypt.hash(password, BCRYPT_ROUNDS);
}
async function verifyPasswordBcrypt(
hash: string,
password: string,
): Promise<boolean> {
return bcrypt.compare(password, hash);
}
function validatePasswordStrength(password: string): {
valid: boolean;
errors: string[];
} {
const errors: string[] = [];
if (password.length < 12)
errors.push("Password must be at least 12 characters");
if (!/[A-Z]/.test(password))
errors.push("Password must contain uppercase letter");
if (!/[a-z]/.test(password))
errors.push("Password must contain lowercase letter");
if (!/[0-9]/.test(password)) errors.push("Password must contain number");
if (!/[^A-Za-z0-9]/.test(password))
errors.push("Password must contain special character");
return { valid: errors.length === 0, errors };
}
MFA Implementation
import { authenticator } from "otplib";
import QRCode from "qrcode";
async function setupTOTP(
userId: string,
email: string,
): Promise<{ secret: string; qrCode: string }> {
const secret = authenticator.generateSecret();
const otpauth = authenticator.keyuri(email, "MyApp", secret);
const qrCode = await QRCode.toDataURL(otpauth);
await redis.setex(`mfa-setup:${userId}`, 600, encrypt(secret));
return { secret, qrCode };
}
function verifyTOTP(secret: string, token: string): boolean {
return authenticator.verify({ token, secret });
}
function generateBackupCodes(): { codes: string[]; hashes: string[] } {
const codes = Array.from({ length: 10 }, () =>
crypto.randomBytes(4).toString("hex").toUpperCase(),
);
const hashes = codes.map((code) =>
crypto.createHash("sha256").update(code).digest("hex"),
);
return { codes, hashes };
}
async function verifyMFA(userId: string, code: string): Promise<boolean> {
const user = await db.users.findUnique({
where: { id: userId },
include: { mfaSettings: true },
});
if (!user?.mfaSettings?.enabled) return true;
if (verifyTOTP(decrypt(user.mfaSettings.totpSecret), code)) {
return true;
}
const codeHash = crypto.createHash("sha256").update(code).digest("hex");
const backupCode = user.mfaSettings.backupCodes.find(
(bc) => bc.hash === codeHash && !bc.usedAt,
);
if (backupCode) {
await db.backupCodes.update({
where: { id: backupCode.id },
data: { usedAt: new Date() },
});
return true;
}
return false;
}
Best Practices
-
Token Security
- Use short-lived access tokens (15 minutes or less)
- Store refresh tokens securely (httpOnly cookies, encrypted storage)
- Implement token rotation for refresh tokens
- Always validate token signature, expiration, issuer, and audience
-
Password Security
- Use Argon2id for new implementations
- Never store plaintext passwords
- Implement account lockout after failed attempts
- Use secure password reset flows with time-limited tokens
-
Session Security
- Regenerate session ID after authentication
- Implement absolute and idle timeouts
- Bind sessions to user agent/IP when appropriate
- Provide session management UI for users
-
API Key Security
- Hash API keys before storage
- Use prefixes for key identification
- Implement scopes and rate limiting
- Allow key rotation without downtime
-
MFA Best Practices
- Offer multiple MFA methods (TOTP, WebAuthn, SMS backup)
- Provide backup codes during setup
- Allow trusted device remembering
- Require MFA re-verification for sensitive actions
Examples
Complete Login Flow with MFA
async function login(
email: string,
password: string,
mfaCode?: string,
): Promise<AuthResponse> {
const user = await db.users.findUnique({ where: { email } });
if (!user) throw new UnauthorizedError("Invalid credentials");
if (user.lockedUntil && user.lockedUntil > new Date()) {
throw new UnauthorizedError("Account temporarily locked");
}
const validPassword = await verifyPasswordArgon2(user.passwordHash, password);
if (!validPassword) {
await incrementFailedAttempts(user.id);
throw new UnauthorizedError("Invalid credentials");
}
if (user.mfaEnabled) {
if (!mfaCode) {
return { requiresMfa: true, mfaToken: generateMfaToken(user.id) };
}
const validMfa = await verifyMFA(user.id, mfaCode);
if (!validMfa) throw new UnauthorizedError("Invalid MFA code");
}
await db.users.update({
where: { id: user.id },
data: { failedAttempts: 0, lockedUntil: null },
});
const accessToken = signToken({ sub: user.id, roles: user.roles });
const refreshToken = await createRefreshToken(user.id);
return { accessToken, refreshToken };
}
