Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

7a336e6e/implementing-local-auth

Name: implementing-local-auth
Author: 7a336e6e

auth/implementing-local-auth/SKILL.md

npx skillsauth add 7a336e6e/skills implementing-local-auth

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Clean

VirusTotalMulti-engine malware detection

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Implementing Local Auth

Goal

Implement a secure local authentication system with user registration, login, and password hashing using bcrypt. The system must validate inputs, enforce password policy, and return JWTs on successful authentication.

When to Use

Building a new application that needs email/password authentication.
Adding local auth alongside existing OAuth providers.
Replacing an insecure or legacy authentication system.
Any time users need to create accounts and log in with credentials they control.

Instructions

Registration Flow

The registration flow follows these steps: validate input, check uniqueness, hash password, create user, return token.

import bcrypt
from flask import Blueprint, request, jsonify
from marshmallow import Schema, fields, validate, ValidationError

auth_bp = Blueprint("auth", __name__, url_prefix="/api/v1/auth")


class RegisterSchema(Schema):
    email = fields.Email(required=True)
    password = fields.Str(
        required=True,
        validate=validate.Length(min=8),
    )
    name = fields.Str(required=True, validate=validate.Length(min=1, max=255))


def hash_password(plain: str) -> str:
    """Hash a password with bcrypt using a work factor of 12."""
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plain.encode("utf-8"), salt).decode("utf-8")


@auth_bp.route("/register", methods=["POST"])
def register():
    schema = RegisterSchema()
    try:
        data = schema.load(request.get_json())
    except ValidationError as err:
        return jsonify({"error": "Validation failed", "details": err.messages}), 400

    # Check uniqueness
    existing = User.query.filter_by(email=data["email"]).first()
    if existing:
        # Return generic message to avoid revealing registered emails
        return jsonify({"error": "Registration failed. Please try again."}), 400

    # Hash password and create user
    hashed = hash_password(data["password"])
    user = User(email=data["email"], password_hash=hashed, name=data["name"])
    db.session.add(user)
    db.session.commit()

    token = generate_access_token(user)
    return jsonify({"access_token": token}), 201

Login Flow

The login flow follows these steps: find user by email, verify password, generate token, return token.

class LoginSchema(Schema):
    email = fields.Email(required=True)
    password = fields.Str(required=True)


def verify_password(plain: str, hashed: str) -> bool:
    """Verify a plaintext password against a bcrypt hash."""
    return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))


@auth_bp.route("/login", methods=["POST"])
def login():
    schema = LoginSchema()
    try:
        data = schema.load(request.get_json())
    except ValidationError as err:
        return jsonify({"error": "Invalid credentials"}), 401

    user = User.query.filter_by(email=data["email"]).first()
    if not user or not verify_password(data["password"], user.password_hash):
        return jsonify({"error": "Invalid credentials"}), 401

    token = generate_access_token(user)
    return jsonify({"access_token": token}), 200

Input Validation

Email format: Use a schema validator to enforce RFC-compliant email addresses.
Password strength: Minimum 8 characters with complexity requirements. See password-policy.md for full policy.
Name: Non-empty string, max 255 characters.

Password Hashing with bcrypt

Always use bcrypt with a work factor of 12. This provides a good balance between security and performance. The work factor doubles the computation for each increment, so 12 results in 2^12 (4096) iterations of the key derivation.

# Work factor 12 is the recommended default
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(password.encode("utf-8"), salt)

Constraints

✅ Do

Hash passwords with bcrypt using a work factor of 12.
Validate email format before processing registration.
Rate limit registration endpoints to prevent abuse.
Return consistent, generic error messages for both login and registration failures.
Enforce password complexity requirements as defined in the password policy.
Store only the bcrypt hash, never the plaintext password.

❌ Don't

Store plaintext passwords under any circumstances.
Reveal whether an email address is already registered on login failure.
Use MD5 or SHA family hashes for password storage.
Allow unlimited registration attempts from a single IP.
Return different error messages for "user not found" vs "wrong password".
Log plaintext passwords in any application or server logs.

Output Format

Registration success (201):

{ "access_token": "<jwt>" }

Login success (200):

{ "access_token": "<jwt>" }

Validation error (400):

{ "error": "Validation failed", "details": { "email": ["Not a valid email address."] } }

Auth failure (401):

{ "error": "Invalid credentials" }

Dependencies

Building API Routes -- route structure and request handling.
Designing Schemas -- user table schema design.
Password Policy -- password strength and lockout rules.

7a336e6e/implementing-local-auth

auth/implementing-local-auth/SKILL.md

User registration, login, and password hashing with bcrypt for local authentication flows.

1 stars

tools

Updated Mar 25, 2026

$ install --global

skillsauth

npx skillsauth add 7a336e6e/skills implementing-local-auth

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

4 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Clean

VirusTotalMulti-engine malware detection

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Mar 26, 2026, 12:28 AM78.1s2 files scanned

SKILL.md

name:: implementing-local-auth
description:: User registration, login, and password hashing with bcrypt for local authentication flows.

Implementing Local Auth

Goal

When to Use

Building a new application that needs email/password authentication.
Adding local auth alongside existing OAuth providers.
Replacing an insecure or legacy authentication system.
Any time users need to create accounts and log in with credentials they control.

Instructions

Registration Flow

The registration flow follows these steps: validate input, check uniqueness, hash password, create user, return token.

import bcrypt
from flask import Blueprint, request, jsonify
from marshmallow import Schema, fields, validate, ValidationError

auth_bp = Blueprint("auth", __name__, url_prefix="/api/v1/auth")


class RegisterSchema(Schema):
    email = fields.Email(required=True)
    password = fields.Str(
        required=True,
        validate=validate.Length(min=8),
    )
    name = fields.Str(required=True, validate=validate.Length(min=1, max=255))


def hash_password(plain: str) -> str:
    """Hash a password with bcrypt using a work factor of 12."""
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plain.encode("utf-8"), salt).decode("utf-8")


@auth_bp.route("/register", methods=["POST"])
def register():
    schema = RegisterSchema()
    try:
        data = schema.load(request.get_json())
    except ValidationError as err:
        return jsonify({"error": "Validation failed", "details": err.messages}), 400

    # Check uniqueness
    existing = User.query.filter_by(email=data["email"]).first()
    if existing:
        # Return generic message to avoid revealing registered emails
        return jsonify({"error": "Registration failed. Please try again."}), 400

    # Hash password and create user
    hashed = hash_password(data["password"])
    user = User(email=data["email"], password_hash=hashed, name=data["name"])
    db.session.add(user)
    db.session.commit()

    token = generate_access_token(user)
    return jsonify({"access_token": token}), 201

Login Flow

The login flow follows these steps: find user by email, verify password, generate token, return token.

class LoginSchema(Schema):
    email = fields.Email(required=True)
    password = fields.Str(required=True)


def verify_password(plain: str, hashed: str) -> bool:
    """Verify a plaintext password against a bcrypt hash."""
    return bcrypt.checkpw(plain.encode("utf-8"), hashed.encode("utf-8"))


@auth_bp.route("/login", methods=["POST"])
def login():
    schema = LoginSchema()
    try:
        data = schema.load(request.get_json())
    except ValidationError as err:
        return jsonify({"error": "Invalid credentials"}), 401

    user = User.query.filter_by(email=data["email"]).first()
    if not user or not verify_password(data["password"], user.password_hash):
        return jsonify({"error": "Invalid credentials"}), 401

    token = generate_access_token(user)
    return jsonify({"access_token": token}), 200

Input Validation

Email format: Use a schema validator to enforce RFC-compliant email addresses.
Password strength: Minimum 8 characters with complexity requirements. See password-policy.md for full policy.
Name: Non-empty string, max 255 characters.

Password Hashing with bcrypt

# Work factor 12 is the recommended default
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(password.encode("utf-8"), salt)

Constraints

✅ Do

Hash passwords with bcrypt using a work factor of 12.
Validate email format before processing registration.
Rate limit registration endpoints to prevent abuse.
Return consistent, generic error messages for both login and registration failures.
Enforce password complexity requirements as defined in the password policy.
Store only the bcrypt hash, never the plaintext password.

❌ Don't

Store plaintext passwords under any circumstances.
Reveal whether an email address is already registered on login failure.
Use MD5 or SHA family hashes for password storage.
Allow unlimited registration attempts from a single IP.
Return different error messages for "user not found" vs "wrong password".
Log plaintext passwords in any application or server logs.

Output Format

Registration success (201):

{ "access_token": "<jwt>" }

Login success (200):

{ "access_token": "<jwt>" }

Validation error (400):

{ "error": "Validation failed", "details": { "email": ["Not a valid email address."] } }

Auth failure (401):

{ "error": "Invalid credentials" }

Dependencies

Building API Routes -- route structure and request handling.
Designing Schemas -- user table schema design.
Password Policy -- password strength and lockout rules.

Related Skills

7a336e6e/Test Driven Development

development

VerifiedTrustedCommunity

Implement features using the Red-Green-Refactor cycle to ensure testability and correctness from the start.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/Test Driven Development

7a336e6e/task-tracking

data-ai

VerifiedTrustedCommunity

Manage the `tasks.md` ledger with strict locking and collision avoidance protocols to allow multiple agents to work in parallel safely.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/task-tracking

7a336e6e/git-workflow

development

VerifiedTrustedCommunity

The git-workflow skill defines branching conventions, commit message formats, and pull request standards that all agents must follow for consistent version control.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/git-workflow

7a336e6e/environment-config

development

VerifiedTrustedCommunity

The environment-config skill standardizes how agents manage environment variables, secrets, and application configuration across local development and deployed environments.

1SKILL.mdUpdated Mar 25, 2026

7a336e6e/environment-config

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/7a336e6e/skills.git

# Copy into Claude Code skills folder (global)
cp -r skills/auth/implementing-local-auth ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

7a336e6e/skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT