alti3/litestar-authentication
plugins/litestar/skills/litestar-authentication/SKILL.md
Implement Litestar authentication with custom authentication middleware, built-in security backends, JWT and session flows, route inclusion and exclusion rules, and typed auth context on `Request` / `ASGIConnection`. Use when establishing identity, issuing or validating credentials, or attaching authenticated user context in Litestar. Do not use for generic request parsing, broad security audits, or unrelated transport concerns.
$ install --global
skillsauthnpx skillsauth add alti3/litestar-skills litestar-authenticationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 20, 2026, 3:21 PM1.7s1 file scanned
SKILL.md
- name:
- litestar-authentication
- description:
- Implement Litestar authentication with custom authentication middleware, built-in security backends, JWT and session flows, route inclusion and exclusion rules, and typed auth context on `Request` / `ASGIConnection`. Use when establishing identity, issuing or validating credentials, or attaching authenticated user context in Litestar. Do not use for generic request parsing, broad security audits, or unrelated transport concerns.
Authentication
Execution Workflow
- Choose the identity mechanism first: session, JWT header, JWT cookie, OAuth2 password bearer, or custom middleware based on client and trust boundaries.
- Attach authentication once at app scope with
on_app_initor middleware. - Configure exclusion rules explicitly for login, schema, health, and other public routes.
- Use
request.userandrequest.authonly after authentication has been established. - Apply guards separately for authorization checks.
- Keep missing or invalid credential behavior consistent with the exception-handling strategy.
Core Rules
- Keep authentication separate from request parsing and authorization.
- Let request parsing validate input fields before auth-specific business logic where possible.
- Prefer built-in security backends before custom middleware.
- Use custom middleware only when the identity source does not fit a built-in backend.
- Treat
request.userandrequest.authas authenticated context, not parsing shortcuts. - Keep exclusion rules narrow and reviewable.
- Normalize identity failures to
401behavior unless the project has a documented alternative.
Decision Guide
- Use
SessionAuthfor browser-first applications with server-managed sessions. - Use
JWTAuthfor token-in-header API clients. - Use
JWTCookieAuthfor browser flows where token cookies are intentional. - Use
OAuth2PasswordBearerAuthwhen password-flow token issuance semantics are required. - Use
AbstractAuthenticationMiddlewarewhen the credential source or validation logic is custom. - Use
litestar-securitywhen the task includes authorization policy, secrets, and defense-in-depth concerns beyond identity wiring.
Reference Files
Read only the sections you need:
- For custom middleware, built-in backends, request auth context, exclusion rules, and login patterns, read references/auth-patterns.md.
Recommended Defaults
- Keep authentication middleware or backend registration at app scope.
- Exclude only explicitly public routes.
- Access authenticated context through typed
RequestorASGIConnectionafter auth runs. - Keep token issuance and logout flows explicit and testable.
- Hand off
401/403response formatting tolitestar-exception-handling.
Anti-Patterns
- Parsing auth headers manually in every route handler.
- Mixing authorization policy into authentication middleware.
- Treating
request.useras available on routes excluded from authentication. - Using broad path exclusions that create accidental public surface area.
- Hardcoding secrets or sample tokens outside local examples.
Validation Checklist
- Confirm protected endpoints reject missing or invalid credentials.
- Confirm public routes are public only when explicitly excluded.
- Confirm
request.userandrequest.authhave the expected types on authenticated routes. - Confirm login and logout flows produce the intended token or session behavior.
- Confirm identity failures line up with the exception-handling contract.
- Confirm tests cover both authenticated and unauthenticated paths.
Cross-Skill Handoffs
- Use
litestar-requestsfor header, cookie, and body parsing concerns that are not identity-specific. - Use
litestar-securityfor authorization, secret hygiene, and broader security posture. - Use
litestar-exception-handlingto standardize401and403contracts. - Use
litestar-testingfor auth boundary, exclusion-rule, and token-flow tests.
Litestar References
- https://docs.litestar.dev/latest/usage/security/abstract-authentication-middleware.html
- https://docs.litestar.dev/latest/usage/security/security-backends.html
- https://docs.litestar.dev/latest/usage/security/jwt.html
- https://docs.litestar.dev/latest/usage/security/excluding-and-including-endpoints.html
Related Skills
alti3/litestar-websockets
development
VerifiedTrustedCommunity
Build Litestar WebSocket endpoints with low-level websocket handlers, websocket listeners, websocket streams, dependency injection, custom websocket classes, transport-mode control, and graceful connection lifecycle handling. Use when implementing bidirectional real-time communication, reactive websocket message handling, or proactive server push over WebSockets. Do not use for server-side pub/sub fanout that is better expressed with channels alone.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-testing
tools
VerifiedTrustedCommunity
Test Litestar applications with TestClient, AsyncTestClient, create_test_client, websocket test helpers, dependency overrides, mocked dependencies, lifecycle-aware fixtures, and deterministic success and failure assertions. Use when adding or fixing Litestar test coverage, including exception contracts, override precedence, websocket behavior, event-bus side effects, or live-server-only response patterns. Do not use as a substitute for production observability or runtime debugging strategy.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-templating
development
VerifiedTrustedCommunity
Configure Litestar templating with `TemplateConfig`, Jinja/Mako/MiniJinja engines, file-or-string `Template` responses, request and CSRF-aware context, template callables, and custom engine integration. Use when implementing or fixing server-rendered HTML in Litestar. Do not use for static asset serving or pure JSON API endpoints.
5SKILL.mdUpdated Apr 3, 2026
alti3/litestar-stores
development
VerifiedTrustedCommunity
Configure Litestar stores and the store registry for caching, server-side sessions, rate limiting, and other key-value state with explicit backend selection, bytes-safe data handling, TTL and renewal policy, namespacing, registry wiring, and lifecycle cleanup. Use when a Litestar app depends on `MemoryStore`, `FileStore`, `RedisStore`, `ValkeyStore`, or `StoreRegistry`. Do not use for relational persistence, domain repositories, or response-caching policy details that belong in database or caching-focused skills.
5SKILL.mdUpdated Apr 3, 2026