rzyfront/vendix-backend-auth
skills/vendix-backend-auth/SKILL.md
Backend authentication and authorization patterns: global JWT guard, public/optional auth, roles, permissions, and request user shape. Trigger: When implementing authentication, editing auth guards/decorators, or protecting backend endpoints.
$ install --global
skillsauthnpx skillsauth add rzyfront/vendix vendix-backend-authInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:03 AM138.0s1 file scanned
SKILL.md
- name:
- vendix-backend-auth
- description:
- >
- Backend authentication and authorization patterns:
- global JWT guard, public/optional auth, roles, permissions, and request user shape.
- Trigger:
- When implementing authentication, editing auth guards/decorators, or protecting backend endpoints.
- license:
- MIT
- author:
- rzyfront
- version:
- 1.0
- scope:
- [root]
Vendix Backend Auth
Purpose
Use this skill for backend auth and endpoint protection. Use vendix-permissions for permission seed/decorator details and vendix-subscription-gate for subscription write gates.
Current Global Pipeline
AppModule registers global guards/interceptors:
ThrottlerGuardJwtAuthGuardStoreOperationsGuardRequestContextInterceptorAuditInterceptor
Key file: apps/backend/src/app.module.ts.
JWT Guard Rules
JwtAuthGuard is global. Routes require auth unless one of these applies:
- HTTP method is
OPTIONS. - Handler/class has
@Public(). - Route matches allowed public paths such as health/API docs.
- Handler/class uses optional auth via
@OptionalAuth(). - SSE notifications may pass token through query parameter because
EventSourcecannot send headers.
Key files:
apps/backend/src/domains/auth/guards/jwt-auth.guard.tsapps/backend/src/domains/auth/decorators/public.decorator.tsapps/backend/src/domains/auth/decorators/optional-auth.decorator.tsapps/backend/src/domains/auth/strategies/jwt.strategy.ts
Request User Shape
JwtStrategy.validate() returns a rich req.user object that includes IDs, roles, and permission objects. Permissions are not simple strings; they include route metadata such as name, path, method, and status.
RequestContextInterceptor then copies auth data into RequestContextService for scoped Prisma and downstream services.
Roles And Permissions
- Use
@Roles(...)for role constraints. - Use
@Permissions(...)for granular backend authorization. - Super admin bypass behavior lives in
PermissionsGuard. - Permission checks support route/method metadata OR named permission matching.
Real role enum values include lowercase roles such as super_admin, admin, manager, supervisor, employee, staff, owner, plus CUSTOMER.
Endpoint Protection Rules
| Endpoint Type | Pattern |
| --- | --- |
| Public auth/login/register/password reset | @Public() |
| Public ecommerce read flow | @Public() or optional auth only when intended |
| Admin/store write operations | JWT + permissions/roles + subscription gate as applicable |
| Store write operations | Also consider StoreOperationsGuard and @SkipSubscriptionGate() only when justified |
| Webhooks | Public only if signature/processor auth is implemented |
Related Skills
vendix-permissions- Permission names, seed rows, guard behaviorvendix-subscription-gate- Store write protection by subscription statevendix-multi-tenant-context- Request context propagationvendix-backend-api- Controller endpoint patterns
Related Skills
rzyfront/mobile-dev
development
VerifiedTrustedCommunity
Mobile app development rules for Vendix Expo/React Native project. Trigger: When editing, creating, or modifying any file under apps/mobile, or when developing mobile-specific features.
5SKILL.mdUpdated May 29, 2026
rzyfront/vendix-subscription-gate
development
VerifiedTrustedCommunity
Feature gating by store subscription state: global store write guard, AI feature gate, Redis feature resolution, quota consumption, frontend paywall interceptor, banner, and subscription UI states. Trigger: When adding feature gates, paywalls, subscription-based access control, protecting store write operations, AI feature gates, or rollout flags.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-saas-billing
testing
VerifiedTrustedCommunity
SaaS subscription billing for Vendix stores: plan pricing, invoices, Wompi platform payments, manual payments, partner commissions, payouts, proration, and dunning. Trigger: When creating SaaS invoices, working with partner rev-share, margin/surcharge pricing, invoice sequence allocation, partner payout batches, subscription payments, manual payments, or dunning flows.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-redis-quota
development
VerifiedTrustedCommunity
Periodic quota counters with Redis, UTC period keys, Lua-based idempotent AI quota consumption, request-id deduplication, and post-success consumption. Trigger: When building quota counters, enforcing monthly/daily feature caps, or reusing AI quota patterns for uploads, emails, exports, or rate-limited features.
5SKILL.mdUpdated May 16, 2026