>_

auth-module-builder

Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".

$ Installieren

git clone https://github.com/patricio0312rev/skillset /tmp/skillset && cp -r /tmp/skillset/templates/backend/auth-module-builder ~/.claude/skills/skillset

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: auth-module-builder description: Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".

Auth Module Builder

Implement secure, production-ready authentication systems.

Core Components

Routes: POST /login, /register, /logout, /refresh, /forgot-password Middleware: authenticate, requireAuth, optionalAuth Security: bcrypt hashing, JWT signing, secure cookies, CSRF tokens Session: Redis/DB storage, expiration, refresh tokens Threats: Document common attacks and mitigations

JWT Pattern

// Generate tokens
const accessToken = jwt.sign(
  { userId: user.id, email: user.email },
  process.env.JWT_SECRET,
  { expiresIn: "15m" }
);

const refreshToken = jwt.sign(
  { userId: user.id, type: "refresh" },
  process.env.JWT_REFRESH_SECRET,
  { expiresIn: "7d" }
);

// Verify middleware
export const authenticate = async (req, res, next) => {
  const token = req.headers.authorization?.split(" ")[1];
  if (!token) return res.status(401).json({ error: "No token" });

  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    req.user = await User.findById(decoded.userId);
    next();
  } catch (err) {
    res.status(401).json({ error: "Invalid token" });
  }
};

Session Pattern

// Express session with Redis
app.use(
  session({
    store: new RedisStore({ client: redisClient }),
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      secure: process.env.NODE_ENV === "production",
      httpOnly: true,
      maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
      sameSite: "lax",
    },
  })
);

Password Security

import bcrypt from "bcrypt";

// Hash password
const hashedPassword = await bcrypt.hash(password, 10);

// Verify password
const isValid = await bcrypt.compare(password, user.hashedPassword);

Security Checklist

  • Passwords hashed with bcrypt (cost ≥10)
  • JWT secrets from environment, rotated regularly
  • HTTPS only in production
  • httpOnly, secure cookies
  • CSRF protection enabled
  • Rate limiting on auth routes
  • Account lockout after failed attempts
  • Password reset tokens expire
  • Email verification for new accounts

Threat Model

Brute Force: Rate limit + account lockout Token Theft: Short expiry, httpOnly cookies, HTTPS only CSRF: SameSite cookies + CSRF tokens Session Fixation: Regenerate session ID on login XSS: Sanitize inputs, CSP headers

Repository

patricio0312rev
patricio0312rev
Author
patricio0312rev/skillset/templates/backend/auth-module-builder
2
Stars
0
Forks
Updated3d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
add-uint-support
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k