kienbui1995/authentication-patterns
skills/authentication-patterns/SKILL.md
Use when implementing auth - OAuth 2.0, JWT, session management, API keys, RBAC, or reviewing auth security
development
Updated Apr 23, 2026
$ install --global
skillsauthnpx skillsauth add kienbui1995/magic-powers authentication-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 12:32 AM184.3s1 file scanned
SKILL.md
- name:
- authentication-patterns
- description:
- Use when implementing auth - OAuth 2.0, JWT, session management, API keys, RBAC, or reviewing auth security
Authentication Patterns
Overview
Auth is the most security-critical part of any application. Use proven patterns, never roll your own crypto.
When to Use
- Implementing login/signup flows
- Adding OAuth/social login
- Designing API authentication
- Reviewing auth security
- Implementing role-based access control
Pattern Selection
| Pattern | Best For | Avoid When | |---------|----------|------------| | Session + cookie | Server-rendered web apps | Mobile/SPA without same-origin | | JWT (access + refresh) | SPAs, mobile apps, microservices | Simple server-rendered apps | | OAuth 2.0 + OIDC | Social login, SSO, third-party auth | Internal-only tools | | API keys | Server-to-server, public APIs | User-facing auth |
JWT Best Practices
- Short-lived access tokens — 15 minutes max
- Long-lived refresh tokens — stored in httpOnly cookie, rotated on use
- Never store JWTs in localStorage — XSS vulnerable
- Include minimal claims — user ID, roles. Not PII.
- Validate on every request — check signature, expiry, issuer
- Use RS256 or ES256 — not HS256 for distributed systems
OAuth 2.0 Flow (Authorization Code + PKCE)
1. Client generates code_verifier + code_challenge
2. Redirect to /authorize?response_type=code&code_challenge=...
3. User authenticates with provider
4. Provider redirects back with authorization code
5. Client exchanges code + code_verifier for tokens
6. Store access token in memory, refresh token in httpOnly cookie
Security Checklist
- [ ] Passwords hashed with bcrypt/argon2 (cost factor ≥12)
- [ ] Rate limiting on login endpoints
- [ ] Account lockout after N failed attempts
- [ ] CSRF protection on session-based auth
- [ ] Refresh token rotation (one-time use)
- [ ] Secure cookie flags:
httpOnly,secure,sameSite=strict - [ ] No secrets in JWTs or URLs
Integration
- magic-powers:api-design — auth headers and error responses
- magic-powers:security-review — audit auth implementation
Related Skills
kienbui1995/xr-interface-design
content-media
VerifiedTrustedCommunity
Use when designing for XR (AR/VR/MR), choosing interaction modes, or adapting 2D UI patterns for spatial computing
SKILL.mdUpdated Apr 24, 2026
kienbui1995/writing-skills
testing
VerifiedTrustedCommunity
Use when creating new skills, editing existing skills, or verifying skills work before deployment
SKILL.mdUpdated Apr 24, 2026
kienbui1995/writing-plans
development
VerifiedTrustedCommunity
Use when you have a spec or requirements for a multi-step task, before touching code
SKILL.mdUpdated Apr 24, 2026
kienbui1995/workflow-templates
development
VerifiedTrustedCommunity
Use when executing a structured workflow — select and run a feature, bugfix, refactor, research, or incident template with correct agent and model assignments per phase.
SKILL.mdUpdated Apr 24, 2026