Engineering

auth-patterns

Implement secure backend authentication (JWT, OAuth, Sessions) and authorization (RBAC, ABAC) patterns, including password hashing, MFA, and security best practices.

Introduction

This skill provides a toolkit for implementing authentication and authorization layers in backend services. It is aimed at software engineers and architects who need to integrate industry-standard mechanisms without reinventing security protocols. It covers both stateful (session-based) and stateless (token-based) authentication, so that developers can verify user identity and enforce fine-grained access control across distributed systems.

  • Authentication methodologies: Support for JSON Web Tokens (JWT), session-based authentication backed by Redis or an in-memory store, and OAuth 2.0 / OpenID Connect integration via Passport.js.

  • Authorization frameworks: Templates for Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), allowing for scalable permission management and middleware-level access checks.

  • Security primitives: Standardized routines for password security, including bcrypt hashing with a configurable cost factor (salt rounds) and password validation rules (length, complexity, special-character requirements).

  • Developer workflow: Includes boilerplate code for token generation, verification, and user session management to prevent common security pitfalls.

  • Use this skill when architecting user registration systems, designing protected API endpoints, or implementing multi-factor authentication (MFA) flows.

  • Inputs typically include user credentials, session identifiers, roles, or claims; outputs include validated user objects, signed access/refresh tokens, or standard HTTP authorization error responses.

  • Constraints: Load secrets such as JWT_SECRET and JWT_REFRESH_SECRET from the environment or a secrets manager, never from source control; use a production-ready session store such as Redis rather than the in-memory store, which does not survive restarts or scale across instances.

  • Best practices: Follow the provided token-expiry pattern (short-lived access tokens, longer-lived refresh tokens) to balance security and user experience, and keep refresh tokens revocable on the server side so a leaked one can be invalidated before it expires.
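The token and access-control flow outlined in the bullets above, as an added TypeScript example that is not the auth-patterns project's own code: it mints a short-lived access token and a longer-lived refresh token as HS256 JWTs, verifies them with a pinned algorithm, constant-time signature comparison, token-type and expiry checks, and then applies a middleware-style RBAC permission check. It uses Node's built-in crypto module instead of jsonwebtoken or Passport, hard-codes demo secrets so it runs offline, and assumes a hypothetical role-to-permission table; the user id, roles and secret values are constructed for the example.

```typescript
// Added example (not the auth-patterns project's own code): HS256 JWT issue/verify
// with a short-lived access token, a longer-lived refresh token, and an RBAC
// permission check, using only Node's crypto module in place of jsonwebtoken.
// Secrets are hard-coded so the example runs offline; a real service reads them
// from JWT_SECRET and JWT_REFRESH_SECRET (the variable names the page mentions).
import { createHmac, timingSafeEqual } from "crypto";
import { Buffer } from "buffer";

type Role = "admin" | "editor" | "viewer";
type TokenType = "access" | "refresh";

interface Claims {
  sub: string;    // user id
  roles: Role[];  // empty on refresh tokens: roles are re-read when a new access token is minted
  typ: TokenType; // stops a refresh token from being presented as an access token
  iat: number;    // issued-at, seconds since epoch
  exp: number;    // expiry, seconds since epoch
}

const ACCESS_TTL_S = 15 * 60;           // 15 minutes
const REFRESH_TTL_S = 7 * 24 * 60 * 60; // 7 days

// Hypothetical role -> permission table; a real service loads this from config or a database.
const PERMISSIONS: Record<Role, string[]> = {
  admin: ["users:read", "users:write", "posts:read", "posts:write"],
  editor: ["posts:read", "posts:write"],
  viewer: ["posts:read"],
};

const b64url = (buf: Buffer): string => buf.toString("base64url");

function sign(claims: Claims, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${body}`).digest());
  return `${header}.${body}.${sig}`;
}

function decodePart(part: string): Record<string, unknown> | null {
  try {
    const v: unknown = JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
    return v !== null && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Returns the claims only if signature, algorithm, token type and expiry all check out.
function verify(token: string, secret: string, expectedTyp: TokenType, nowMs = Date.now()): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const hdr = decodePart(header);
  if (!hdr || hdr.alg !== "HS256") return null; // pin the algorithm: no "none", no key confusion
  const expected = createHmac("sha256", secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = decodePart(body); // only trusted after the signature check above
  if (!claims || claims.typ !== expectedTyp) return null;
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= nowMs) return null;
  if (typeof claims.sub !== "string" || !Array.isArray(claims.roles)) return null;
  return claims as unknown as Claims;
}

function issueTokens(userId: string, roles: Role[], secrets: { access: string; refresh: string }, nowMs = Date.now()) {
  const iat = Math.floor(nowMs / 1000);
  return {
    access: sign({ sub: userId, roles, typ: "access", iat, exp: iat + ACCESS_TTL_S }, secrets.access),
    refresh: sign({ sub: userId, roles: [], typ: "refresh", iat, exp: iat + REFRESH_TTL_S }, secrets.refresh),
  };
}

// Middleware-style check: 401 when the bearer token is missing or invalid, 403 when it is
// valid but no role grants the permission, 200 otherwise.
function authorize(authHeader: string | undefined, permission: string, accessSecret: string, nowMs = Date.now()): 200 | 401 | 403 {
  if (!authHeader || !authHeader.startsWith("Bearer ")) return 401;
  const claims = verify(authHeader.slice("Bearer ".length), accessSecret, "access", nowMs);
  if (!claims) return 401;
  const allowed = claims.roles.some((r) => (PERMISSIONS[r] ?? []).includes(permission));
  return allowed ? 200 : 403;
}

// Demo secrets and user: constructed for this example only.
const SECRETS = { access: "example-access-secret", refresh: "example-refresh-secret" };
const demo = issueTokens("user-42", ["editor"], SECRETS);
console.log(authorize(`Bearer ${demo.access}`, "posts:write", SECRETS.access)); // 200
console.log(authorize(`Bearer ${demo.access}`, "users:write", SECRETS.access)); // 403
console.log(authorize(`Bearer ${demo.refresh}`, "posts:read", SECRETS.access)); // 401
```

Two design choices matter here: the access and refresh tokens are signed with different secrets and carry a `typ` claim, so a refresh token can never be replayed against a protected endpoint, and the refresh token carries no roles, so role changes take effect at the next refresh rather than living on for the refresh token's lifetime. Signature verification happens before any claim is read, and the algorithm is pinned to HS256 rather than taken from the token header.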

Repository Stats

Stars: 255
Forks: 31
Open Issues: 7
Language: TypeScript
Default Branch: main
Last Synced: Apr 29, 2026, 06:05 AM