epic-auth_skill

This skill guides Epic Stack authentication, sessions, OAuth, 2FA, and passkeys to secure sign-in and account management.

3

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill rubenpenap/epic-stack-agent-skills --skill epic-auth

  • SKILL.md18.6 KB

Overview

This skill guides implementation of authentication, sessions, OAuth, 2FA, passkeys, email verification, and password reset for Epic Stack applications. It presents practical patterns for cookie-based sessions, WebAuthn passkeys, TOTP 2FA, and OAuth provider integration. The guidance emphasizes least-privilege sessions and fail-fast validation to keep flows secure and predictable.

How this skill works

The skill describes server- and client-side helpers to get and require the current user, create and commit cookie-backed sessions stored in the database, and route users through login, signup, and onboarding. It shows how to wire remix-auth OAuth strategies, generate and verify WebAuthn options and responses, and implement TOTP-based 2FA and email-based verification flows. Each flow includes session handling logic that either completes login or routes a user into a verification step before granting a full session.

When to use it

  • Implement standard email/password login, signup, logout, and session management.
  • Add OAuth sign-in via providers like GitHub or Google and link provider accounts.
  • Enable passkeys/WebAuthn authentication for phishing-resistant logins.
  • Require two-factor authentication (TOTP) for high-risk accounts or actions.
  • Send email verification and implement secure password reset flows.

Best practices

  • Store minimal data in sessions (userId and session id); fetch roles/permissions from the database when needed.
  • Validate input and authentication early (fail-fast) to avoid unnecessary work and leaks.
  • Use signed, httpOnly, secure cookies with sameSite configured; rotate SESSION_SECRET when needed.
  • Keep WebAuthn challenges server-side in short-lived cookies and verify counters on each authentication.
  • Treat 2FA as an additional verification layer: save unverified sessions and complete only after successful TOTP check.

Example use cases

  • Secure an app with email/password login that escalates to TOTP when enabled for the user.
  • Add GitHub OAuth to let users sign up and link existing accounts by email.
  • Implement passkey login: generate authentication options, verify responses, update credential counters, then create session.
  • Send time-limited email verification codes for onboarding or password reset flows.
  • Protect sensitive routes by requiring requireUserId and permission checks at loader entry points.

FAQ

No. Store only minimal identifiers in the session and query permissions from the database to keep sessions small and avoid stale privileges.

How do I handle users with 2FA during login?

Create an unverified session, store its id in a short-lived verify session, redirect to a TOTP verification page, and only commit the auth session after successful verification.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
epic-auth skill by rubenpenap/epic-stack-agent-skills | VeilStrat