- Home
- Skills
- Harperaa
- Secure Claude Skills
- Auth Authorization
auth-authorization_skill
- JavaScript
4
GitHub Stars
5
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill harperaa/secure-claude-skills --skill auth-authorization- 01_rbac_implementation.md3.9 KB
- 02_permissions.md3.6 KB
- 03_ownership.md2.6 KB
- 04_auth_testing.md3.7 KB
- SKILL.md13.6 KB
Overview
This skill provides ready-to-use authentication and authorization prompt templates for implementing RBAC, granular permissions, ownership checks, and authorization testing. It accelerates building secure access controls with Clerk integration patterns and practical code snippets. Use it to define roles, enforce server-side checks, and validate authorization flows across your app.
How this skill works
Templates describe implementation steps, code examples, and test scenarios. They cover storing roles and permissions in Clerk publicMetadata, middleware and server-side enforcement, ownership verification, and an authorization test suite. Each template includes trigger keywords, estimated time, and a recommended implementation order. Use the templates as blueprints and replace placeholders with your roles, permissions, and resources.
When to use it
- Setting up initial role-based access control (user, premium, admin)
- Adding fine-grained permissions or resource-level access
- Protecting user-specific resources with ownership checks
- Building an automated authorization test suite for CI/CD
- Enforcing server-side authorization after introducing Clerk authentication
Best practices
- Always perform authorization checks on the server; never trust client-side UI logic alone
- Use a default-deny model: require explicit role or permission to allow access
- Store role and permission data in server-trusted session claims (e.g., Clerk publicMetadata)
- Log and audit authorization failures to detect suspicious activity and privilege escalation attempts
- Write negative tests (unauthorized, cross-user access, invalid roles) alongside positive tests
Example use cases
- SaaS tiering: assign roles via billing webhooks and restrict premium features to paid users
- Blog platform: enforce admin-only post management and allow users to edit only their own content
- Team collaboration tool: implement permission groups, resource-level permissions, and owner/delegate patterns
- Profile management: verify ownership when updating user profiles and prevent horizontal escalation
- CI pipeline: run authorization test suite to validate role and permission changes before deploy
FAQ
No. Authentication (who you are) should be handled by Clerk. These templates focus on authorization (what the user can do) and integrate with Clerk session claims.
Where should role and permission checks run?
Always enforce checks on the server. Use middleware and endpoint-level validation reading trusted session claims rather than client-submitted data.