plugins/smedjen/skills/auth-patterns/SKILL.md
OAuth 2.0, JWT, sessions, RBAC, refresh tokens, PKCE, and authentication architecture.
npx skillsauth add hjemmesidekongen/ai auth-patterns
Auth is where structural mistakes matter more than implementation bugs. Wrong token storage, no rotation, or missing expiry creates permanent exposure.
Authorization Code + PKCE — SPAs, mobile apps. No client secret. PKCE replaces it with a one-time code verifier. Default choice for anything running in a browser.
Authorization Code (confidential) — server-side apps with a securely stored client secret. Secret never leaves the server.
Client Credentials — machine-to-machine, no user. Short-lived tokens rotated by infra.
Device Flow — TVs, CLIs, limited-input devices. User completes auth on a secondary device.
JWTs are signed, not encrypted, so the payload is readable by anyone who holds the token. Required claims: iss, sub, aud, exp, iat, jti. Validation must verify the signature, exp, iss, and aud; libraries skip aud by default, so configure the expected audience explicitly.
Signing: use RS256 or ES256 for distributed systems. HS256 requires all services to share the secret — rotation becomes an operational risk.
Short-lived access tokens (15m) + longer-lived refresh tokens (7–30d). On refresh: invalidate the old token, issue a new one. Reuse of an invalidated token signals theft — invalidate the entire token family. Store refresh tokens as hashed values, not plaintext.
Sessions: an httpOnly, Secure, SameSite cookie carrying only a session ID, with session data held server-side (Redis as the backing store). Prefer this over JWT when instant revocation is required (ban, logout-all-devices). Session IDs: 128-bit random, never derived from user data.
RBAC: roles → permissions. Works well up to ~20 permission types. Define roles in code unless dynamic creation is a product requirement. Encode roles in the JWT roles claim for stateless checks.
ABAC: policies evaluate attributes (user, resource, context). Use for complex multi-tenant or enterprise access models.
Anti-patterns: JWT in localStorage, missing exp, HS256 across microservices, rolling your own crypto, plaintext passwords, trusting alg: none.
See references/process.md for PKCE flow, JWT validation middleware, NextAuth config, RBAC middleware, argon2id hashing, and TOTP setup.