auth-patterns
Provides authoritative security patterns for implementing authentication and authorization systems based on OWASP, RFC standards, and industry best practices.
| field | value |
| --- | --- |
| name | auth-patterns |
| description | Provides authoritative security patterns for implementing authentication and authorization systems based on OWASP, RFC standards, and industry best practices. |
Authoritative security patterns for implementing authentication and authorization systems. Based on OWASP, RFC standards, and industry best practices.
Sources: OWASP Cheat Sheets, RFC 7519 (JWT), RFC 8725 (JWT BCP), RFC 6749 (OAuth 2.0), OpenID Connect Core 1.0
JWT structure: Header.Payload.Signature, URL-safe, digitally signed claims transferred between parties.
- Reject alg: "none"; enforce cryptographic validation
- exp (expiration), aud (audience), iss (issuer) are mandatory

```javascript
import jwt from 'jsonwebtoken';

// Signing with RS256 (asymmetric preferred over HS256)
const payload = { userId: user.id, exp: Math.floor(Date.now() / 1000) + 900 }; // 15min
const token = jwt.sign(payload, privateKey, { algorithm: 'RS256', issuer: 'app', audience: 'users' });

// Verification: pin the accepted algorithm so the token's header cannot choose it
const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'], issuer: 'app', audience: 'users' });
```
For comprehensive JWT guidance: See references/jwt-best-practices.md for signing algorithms (RS256, ES256, HS256), token storage strategies, refresh patterns, revocation techniques, and vulnerability mitigations.
- jti claim for granular revocation

OAuth 2.0: Authorization framework for third-party limited access. Four roles: resource owner, client, authorization server, resource server.
OpenID Connect: Identity layer on OAuth 2.0. Adds ID Token (JWT) with user authentication info and UserInfo endpoint.
1. Generate code_verifier (43-128 chars), code_challenge = SHA256(verifier)
2. Redirect to /authorize with client_id, redirect_uri, code_challenge, state
3. User authorizes, receives authorization code
4. Exchange code + code_verifier for tokens at /token endpoint
5. Receive access_token, refresh_token, id_token (OIDC)
PKCE is critical for public clients (SPAs, mobile): it prevents authorization code interception.
For detailed OAuth implementation: See references/oauth-flows.md for complete step-by-step PKCE flow, state parameter CSRF protection, redirect URI validation, scope management, client credentials flow, OpenID Connect ID token validation, and security best practices.
```javascript
import bcrypt from 'bcrypt';

// Hash on registration; the cost factor is the work-factor exponent
const hash = await bcrypt.hash(password, 12); // 12+ rounds (13-14 for 2026)
// Constant-time comparison on login
const valid = await bcrypt.compare(password, hash);
```
For in-depth password security: See references/owasp-auth.md for Argon2id vs bcrypt comparison, password policy guidelines, breach database integration, session management, account lockout strategies, MFA implementation (TOTP, WebAuthn), and common authentication vulnerabilities.
For complete MFA implementation: See references/owasp-auth.md for TOTP enrollment and verification code examples, WebAuthn/FIDO2 registration and authentication flows, recovery code generation, and MFA factor categories.
```javascript
// Express: set the session cookie with the hardened attributes
res.cookie('__Host-session', token, {
  httpOnly: true, // Prevents XSS access
  secure: true, // HTTPS only
  sameSite: 'strict', // CSRF protection (use 'lax' if external links needed)
  maxAge: 3600000, // 1 hour
  path: '/'
});
```
The __Host- cookie prefix requires the Secure attribute and Path=/ and forbids a Domain attribute, so a subdomain cannot set or override the cookie (prevents subdomain attacks).
For detailed session security: See references/owasp-auth.md for session ID generation with cryptographic randomness, session lifecycle management (creation, regeneration, validation), cookie security prefixes (__Host- vs __Secure-), and session fixation attack prevention.
```typescript
interface Permission { resource: string; action: string; }

const roles: Record<string, Permission[]> = {
  admin: [{ resource: '*', action: '*' }],
  editor: [{ resource: 'posts', action: 'write' }],
  viewer: [{ resource: 'posts', action: 'read' }]
};

// Middleware: allow the request if any of the user's roles carries a matching permission
function requirePermission(resource: string, action: string) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'Unauthorized' });
    const hasAccess = req.user.roles.some((r: string) =>
      // Unknown role names grant nothing instead of throwing
      (roles[r] ?? []).some(p => (p.resource === '*' || p.resource === resource) &&
                                 (p.action === '*' || p.action === action))
    );
    if (!hasAccess) return res.status(403).json({ error: 'Forbidden' });
    next();
  };
}
```
Code templates for this domain (in templates/):
- guard.ts.template — Route protection and authorization guards