Skills
skills/patricio0312rev/skills/auth-module-builder

auth-module-builder

SKILL.md

Auth Module Builder

Implement secure, production-ready authentication systems.

Core Components

Routes: POST /login, /register, /logout, /refresh, /forgot-password Middleware: authenticate, requireAuth, optionalAuth Security: bcrypt hashing, JWT signing, secure cookies, CSRF tokens Session: Redis/DB storage, expiration, refresh tokens Threats: Document common attacks and mitigations

JWT Pattern

// Generate tokens
const accessToken = jwt.sign(
  { userId: user.id, email: user.email },
  process.env.JWT_SECRET,
  { expiresIn: "15m" }
);

const refreshToken = jwt.sign(
  { userId: user.id, type: "refresh" },
  process.env.JWT_REFRESH_SECRET,
  { expiresIn: "7d" }
);

// Verify middleware
export const authenticate = async (req, res, next) => {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ error: "No token" });

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = await User.findById(decoded.userId);
    next();
  } catch (err) {
    res.status(401).json({ error: "Invalid token" });
  }
};

Session Pattern

// Express session with Redis
app.use(
  session({
    store: new RedisStore({ client: redisClient }),
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      secure: process.env.NODE_ENV === "production",
      httpOnly: true,
      maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
      sameSite: "lax",
    },
  })
);

Password Security

import bcrypt from "bcrypt";

// Hash password
const hashedPassword = await bcrypt.hash(password, 10);

// Verify password
const isValid = await bcrypt.compare(password, user.hashedPassword);

Security Checklist

  • Passwords hashed with bcrypt (cost ≥10)
  • JWT secrets from environment, rotated regularly
  • HTTPS only in production
  • httpOnly, secure cookies
  • CSRF protection enabled
  • Rate limiting on auth routes
  • Account lockout after failed attempts
  • Password reset tokens expire
  • Email verification for new accounts

Threat Model

Brute Force: Rate limit + account lockout Token Theft: Short expiry, httpOnly cookies, HTTPS only CSRF: SameSite cookies + CSRF tokens Session Fixation: Regenerate session ID on login XSS: Sanitize inputs, CSP headers

Weekly Installs
10
Repository
patricio0312rev/skills
First Seen
10 days ago
Installed on
claude-code8
gemini-cli7
antigravity7
windsurf7
github-copilot7
codex7