auth-and-authorization-patterns
Auth & Authorization Patterns
Authentication (who are you?):
- Use a battle-tested library — do not roll your own crypto.
- Hash passwords with bcrypt/argon2; never MD5/SHA1 for passwords.
- Use short-lived JWTs (15–60 min) with refresh tokens; store refresh tokens securely.
- Implement MFA for sensitive operations.
Authorization (what can you do?):
- Check authorization on every request, not just at login.
- Enforce RBAC or ABAC at the service layer, not the UI.
- Apply principle of least privilege: grant minimal permissions needed.
OAuth2 / OIDC:
- Use the Authorization Code flow with PKCE for user-facing apps.
- Validate
iss,aud,exp, andnonceclaims on every token.
Session management:
- Regenerate session ID after login (session fixation prevention).
- Set
HttpOnlyandSecureflags on session cookies.
More from aiming-lab/metaclaw
structured-step-by-step-reasoning
Use this skill for any problem that involves multiple steps, tradeoffs, or non-trivial logic. Think out loud before answering to improve accuracy and transparency. Apply whenever the answer is not immediately obvious.
13avoid-hallucinating-specifics
Common mistake — stating specific facts (API endpoints, library versions, config options, function signatures) with false confidence when uncertain. Always flag uncertainty rather than guessing specifics.
12codebase-navigation
Use this skill when exploring an unfamiliar codebase, tracing code paths, or answering questions about how the system works. Read before writing, and build a mental model of the architecture before making changes.
12graceful-error-recovery
Use this skill when a tool call, command, or API request fails. Diagnose the root cause systematically before retrying or changing approach. Do not retry the same failing call without first understanding why it failed.
11uncertainty-acknowledgment
Use this skill when you are not sure about a fact, have outdated knowledge, or the question is contested. Explicitly communicate the level of confidence instead of asserting uncertain things as fact.
11secure-code-review
Use this skill when reviewing or writing code that handles user input, authentication, file I/O, network requests, or database queries. Always check for common security vulnerabilities before considering the code complete.
10