ab-aswini/.agent-os/skills/auth

Authentication & Authorization Skill

Loaded by: BE-005 (Auth), BE-006 (RBAC) | Version: 1.0

Password Handling

• Hash with bcrypt (cost >= 12) or argon2; NEVER store plaintext
• NEVER log passwords; implement password complexity rules

JWT Tokens

• Access tokens: 15-30 min expiry
• Refresh tokens: 7-30 days, rotate on use
• Minimal claims in payload; NEVER put sensitive data in JWT

Session Management

• HTTP-only, Secure, SameSite cookies
• Implement session invalidation and track active sessions

Pattern

from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def hash_password(password: str) -> str:
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    return pwd_context.verify(plain, hashed)

Anti-Patterns

• Do NOT implement custom crypto
• Do NOT store tokens in localStorage
• Do NOT skip token validation on protected endpoints
• Do NOT use MD5/SHA1 for passwords
• Do NOT send tokens in URL parameters

Checklist

• [ ] Passwords hashed with bcrypt/argon2
• [ ] JWT expiry is short and reasonable
• [ ] Refresh tokens rotate on use
• [ ] No sensitive data in tokens
• [ ] HTTPS enforced; brute force protection in place