一键导入
check-rico-auth
Verify Rico Hunt authentication rules. Check JWT cookie usage, signup role enforcement, protected route isolation, and no request body user_id.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Verify Rico Hunt authentication rules. Check JWT cookie usage, signup role enforcement, protected route isolation, and no request body user_id.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | check-rico-auth |
| description | Verify Rico Hunt authentication rules. Check JWT cookie usage, signup role enforcement, protected route isolation, and no request body user_id. |
| triggers | ["user","model"] |
| allowed-tools | ["read","grep","exec"] |
Verify Rico Hunt authentication rules. This skill is read-only and inspects code plus environment to confirm auth safety.
role="user" and never creates admin accounts from public request body.user_id.httpOnly cookie with correct secure settings.GET /api/v1/me returns the current user.tests/test_jwt_user_isolation.py passes.# Signup forces role=user
grep -n "role=\"user\"\|role=\"admin\"\|request.role" src/api/auth.py
# Protected routes use get_current_user from deps
grep -n "get_current_user\|current_user:" src/api/routers/*.py src/api/deps.py
# No request-body user_id for identity
grep -n "user_id" src/api/routers/*.py | grep -v "get_current_user"
# JWT cookie config
grep -n "httpOnly\|secure\|samesite\|JWT_TTL_HOURS\|JWT_SECRET" src/api/auth.py src/api/deps.py
python -m pytest tests/test_jwt_user_isolation.py -q
src/api/auth.py — register, login, logout, forgot/reset password, /mesrc/api/deps.py — get_current_user, JWT dependenciessrc/api/admin_guard.py — admin route guardtests/test_jwt_user_isolation.py — auth isolation testsget_current_user() by reading user_id from request bodies.Accessibility audit for Rico Hunt. Run contrast checks and review alt text, focus states, ARIA labels, and keyboard navigation in frontend code.
Read-only audit of Rico Hunt AI provider routing. Verify RICO_AI_PROVIDER env var, fallback chain, and provider health without calling live AI APIs.
Verify Rico Hunt chat flow. Inspect public chat session isolation, rate limits, authenticated chat routing, and public session prefixing.
Read-only database health check for Rico Hunt. Verify DATABASE_URL connectivity, key tables, and row counts without exposing user data or mutating anything.
Verify Rico Hunt required environment variables are set without exposing values. Check backend, frontend, and admin/dev env vars.
Read-only verification of Rico Hunt job fetching and scoring. Inspect JSearch adapter, provider fallback, and scoring pipeline without calling live APIs.