auth-authorization_skill

This skill helps you implement secure access control with RBAC, ownership checks, permissions, and testing templates for robust authorization.
  • JavaScript

4

GitHub Stars

5

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill harperaa/secure-claude-skills --skill auth-authorization

  • 01_rbac_implementation.md3.9 KB
  • 02_permissions.md3.6 KB
  • 03_ownership.md2.6 KB
  • 04_auth_testing.md3.7 KB
  • SKILL.md13.6 KB

Overview

This skill provides ready-to-use authentication and authorization prompt templates for implementing RBAC, granular permissions, ownership checks, and authorization testing. It accelerates building secure access controls with Clerk integration patterns and practical code snippets. Use it to define roles, enforce server-side checks, and validate authorization flows across your app.

How this skill works

Templates describe implementation steps, code examples, and test scenarios. They cover storing roles and permissions in Clerk publicMetadata, middleware and server-side enforcement, ownership verification, and an authorization test suite. Each template includes trigger keywords, estimated time, and a recommended implementation order. Use the templates as blueprints and replace placeholders with your roles, permissions, and resources.

When to use it

  • Setting up initial role-based access control (user, premium, admin)
  • Adding fine-grained permissions or resource-level access
  • Protecting user-specific resources with ownership checks
  • Building an automated authorization test suite for CI/CD
  • Enforcing server-side authorization after introducing Clerk authentication

Best practices

  • Always perform authorization checks on the server; never trust client-side UI logic alone
  • Use a default-deny model: require explicit role or permission to allow access
  • Store role and permission data in server-trusted session claims (e.g., Clerk publicMetadata)
  • Log and audit authorization failures to detect suspicious activity and privilege escalation attempts
  • Write negative tests (unauthorized, cross-user access, invalid roles) alongside positive tests

Example use cases

  • SaaS tiering: assign roles via billing webhooks and restrict premium features to paid users
  • Blog platform: enforce admin-only post management and allow users to edit only their own content
  • Team collaboration tool: implement permission groups, resource-level permissions, and owner/delegate patterns
  • Profile management: verify ownership when updating user profiles and prevent horizontal escalation
  • CI pipeline: run authorization test suite to validate role and permission changes before deploy

FAQ

No. Authentication (who you are) should be handled by Clerk. These templates focus on authorization (what the user can do) and integrate with Clerk session claims.

Where should role and permission checks run?

Always enforce checks on the server. Use middleware and endpoint-level validation reading trusted session claims rather than client-submitted data.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational