jawad-chaudhary/auth-security
Phase03/.claude/skills/auth-security/SKILL.md
JWT authentication with Better Auth, token verification, user isolation, and security middleware. Use when implementing auth, protecting endpoints, or verifying tokens.
testing
Updated Apr 6, 2026
$ install --global
skillsauthnpx skillsauth add jawad-chaudhary/hackathone-2-todo-spec-driven-development auth-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 6, 2026, 3:08 AM28.8s1 file scanned
SKILL.md
- name:
- auth-security
- description:
- JWT authentication with Better Auth, token verification, user isolation, and security middleware. Use when implementing auth, protecting endpoints, or verifying tokens.
JWT Authentication & Security
JWT Verification Middleware
from fastapi import Header, HTTPException
import jwt
import os
BETTER_AUTH_SECRET = os.getenv("BETTER_AUTH_SECRET")
async def verify_jwt(authorization: str = Header(None)) -> str:
if not authorization or not authorization.startswith("Bearer "):
raise HTTPException(status_code=401, detail="Missing or invalid authorization")
token = authorization.replace("Bearer ", "")
try:
payload = jwt.decode(token, BETTER_AUTH_SECRET, algorithms=["HS256"])
user_id = payload.get("sub") or payload.get("user_id")
if not user_id:
raise HTTPException(status_code=401, detail="Invalid token payload")
return user_id
except jwt.ExpiredSignatureError:
raise HTTPException(status_code=401, detail="Token expired")
except jwt.InvalidTokenError:
raise HTTPException(status_code=401, detail="Invalid token")
Protected Endpoint
@app.post("/api/{user_id}/resource")
async def endpoint(user_id: str, current_user: str = Depends(verify_jwt)):
# Enforce user_id matching
if user_id != current_user:
raise HTTPException(status_code=403, detail="User ID mismatch")
# Proceed with authenticated user_id
Security Checklist
- BETTER_AUTH_SECRET in .env (never in code)
- JWT verification on all protected endpoints
- User ID from token matches URL parameter
- All DB queries filtered by authenticated user_id
- CORS origins whitelist (no wildcard in production)
Testing
import jwt
from datetime import datetime, timedelta
def generate_test_token(user_id: str):
payload = {"sub": user_id, "exp": datetime.utcnow() + timedelta(hours=1)}
return jwt.encode(payload, BETTER_AUTH_SECRET, algorithm="HS256")
def test_protected():
token = generate_test_token("user123")
response = client.post(
"/api/user123/resource",
headers={"Authorization": f"Bearer {token}"}
)
assert response.status_code == 200
Related Skills
jawad-chaudhary/pytest-testing
development
VerifiedTrustedCommunity
Async testing with pytest, pytest-asyncio, httpx, fixtures, coverage reports, and test-first development. Use when writing tests, test fixtures, or measuring coverage.
SKILL.mdUpdated Apr 6, 2026
jawad-chaudhary/openai-agents
tools
VerifiedTrustedCommunity
Build AI agents with OpenAI Agents SDK, tool registration, conversation history, and stateless execution. Use when creating AI agents, registering tools, or handling conversations.
SKILL.mdUpdated Apr 6, 2026
jawad-chaudhary/nextjs-chatkit
development
VerifiedTrustedCommunity
Integrate OpenAI ChatKit in Next.js 15 App Router with domain allowlist, authentication, and API connections. Use when building chat interfaces or ChatKit integration.
SKILL.mdUpdated Apr 6, 2026
jawad-chaudhary/mcp-tools
tools
VerifiedTrustedCommunity
Create MCP server tools with Official Python MCP SDK for AI agents. Use when building MCP tools, registering tool schemas, or creating AI-accessible functions.
SKILL.mdUpdated Apr 6, 2026