auth-implementation-patterns_skill

This skill helps you master authentication and authorization patterns for secure, scalable APIs, including token flows, RBAC, OAuth2, and session management.
  • Python

20

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill nilecui/skillsbase --skill auth-implementation-patterns

  • SKILL.md17.3 KB

Overview

This skill teaches practical authentication and authorization implementation patterns for building secure, scalable access control systems. It covers JWTs, refresh token flows, session management, OAuth2/social login, RBAC, permission checks, and resource ownership patterns. Use it to design, implement, or debug authentication and authorization in web and API backends.

How this skill works

The skill explains core strategies: session-based stateful auth, token-based JWT auth with refresh tokens, and delegated auth via OAuth2/OpenID Connect. It details middleware patterns for verifying credentials, issuing and rotating tokens, storing hashed refresh tokens, and enforcing authorization with roles, permissions, and ownership checks. Security hardening topics include cookie settings, password hashing, token expiry, and revocation flows.

When to use it

  • Implementing user login, logout, and session lifecycle for web apps
  • Securing REST or GraphQL APIs with short-lived access tokens and refresh tokens
  • Adding social login or enterprise SSO via OAuth2/OpenID Connect
  • Designing RBAC or permission-based authorization for multi-role systems
  • Implementing resource ownership checks for user-scoped data
  • Migrating or debugging authentication and token revocation issues

Best practices

  • Use short-lived access tokens and rotate refresh tokens stored as hashes in a database
  • Set cookies with secure, httpOnly, and sameSite flags for session auth
  • Hash passwords with a strong algorithm (bcrypt/argon2) and enforce a strong password policy
  • Validate and handle JWT errors explicitly (expired vs invalid) and fail closed on verification errors
  • Use least privilege: implement role hierarchy or permission sets instead of broad admin rights
  • Provide endpoints for token refresh, logout (revoke single token), and logout-all (revoke all user tokens)

Example use cases

  • Protecting API endpoints with an authenticate middleware that attaches user claims from a verified JWT
  • Implementing a refresh token service that verifies, hashes, and revokes refresh tokens stored in Redis or a database
  • Using Redis-backed sessions for server-side session management on web applications requiring immediate revocation
  • Integrating Google or GitHub OAuth2 to support social login and issue application JWTs on callback
  • Applying requireRole or requirePermission middleware to restrict administrative routes
  • Checking resource ownership before allowing updates or deletes to user-owned resources

FAQ

Use sessions when you need server-side revocation and simpler CSRF protection; use JWTs for stateless, horizontally scalable APIs where token verification without central state is desirable.

How should I store refresh tokens?

Store refresh tokens as securely hashed values in a database with expiration metadata and support for revocation; never store raw tokens in plaintext.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational