skills/authenticate-server-actions-like-api-routes/SKILL.md
Authenticate server actions with the same rigor as API routes (session, token, CSRF). Use when implementing or securing Next.js server actions.
Impact: CRITICAL (prevents unauthorized access to server mutations)
Server Actions (functions with "use server") are exposed as public endpoints, just like API routes. Always verify authentication and authorization inside each Server Action—do not rely solely on middleware, layout guards, or page-level checks, as Server Actions can be invoked directly.
Next.js documentation explicitly states: "Treat Server Actions with the same security considerations as public-facing API endpoints, and verify if the user is allowed to perform a mutation."
Incorrect (no authentication check):

```ts
'use server';
import { db } from '@/lib/db'; // assumed path; use your project's own database client

export async function deleteUser(userId: string) {
  // Anyone can call this! No auth check
  await db.user.delete({ where: { id: userId } });
  return { success: true };
}
```
Correct (authentication inside the action):

```ts
'use server';
import { verifySession } from '@/lib/auth';
import { unauthorized } from '@/lib/errors';
import { db } from '@/lib/db'; // assumed path; use your project's own database client

export async function deleteUser(userId: string) {
  // Always check auth inside the action
  const session = await verifySession();
  if (!session) {
    throw unauthorized('Must be logged in');
  }
  // Check authorization too
  if (session.user.role !== 'admin' && session.user.id !== userId) {
    throw unauthorized('Cannot delete other users');
  }
  await db.user.delete({ where: { id: userId } });
  return { success: true };
}
```
With input validation:

```ts
'use server';
import { verifySession } from '@/lib/auth';
import { db } from '@/lib/db'; // assumed path; use your project's own database client
import { z } from 'zod';

const updateProfileSchema = z.object({
  userId: z.string().uuid(),
  name: z.string().min(1).max(100),
  email: z.string().email(),
});

export async function updateProfile(data: unknown) {
  // Validate input first
  const validated = updateProfileSchema.parse(data);
  // Then authenticate
  const session = await verifySession();
  if (!session) {
    throw new Error('Unauthorized');
  }
  // Then authorize
  if (session.user.id !== validated.userId) {
    throw new Error('Can only update own profile');
  }
  // Finally perform the mutation
  await db.user.update({
    where: { id: validated.userId },
    data: {
      name: validated.name,
      email: validated.email,
    },
  });
  return { success: true };
}
```
Reference: https://nextjs.org/docs/app/guides/authentication