auth-and-authorization-patterns

Auth & Authorization Patterns

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "auth-and-authorization-patterns" with this command: npx skills add aiming-lab/metaclaw/aiming-lab-metaclaw-auth-and-authorization-patterns

Auth & Authorization Patterns

Authentication (who are you?):

  • Use a battle-tested library — do not roll your own crypto.

  • Hash passwords with bcrypt/argon2; never MD5/SHA1 for passwords.

  • Use short-lived JWTs (15–60 min) with refresh tokens; store refresh tokens securely.

  • Implement MFA for sensitive operations.

Authorization (what can you do?):

  • Check authorization on every request, not just at login.

  • Enforce RBAC or ABAC at the service layer, not the UI.

  • Apply principle of least privilege: grant minimal permissions needed.

OAuth2 / OIDC:

  • Use the Authorization Code flow with PKCE for user-facing apps.

  • Validate iss , aud , exp , and nonce claims on every token.

Session management:

  • Regenerate session ID after login (session fixation prevention).

  • Set HttpOnly and Secure flags on session cookies.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

graceful-error-recovery

No summary provided by upstream source.

Repository SourceNeeds Review
5-aiming-lab
General

uncertainty-acknowledgment

No summary provided by upstream source.

Repository SourceNeeds Review
5-aiming-lab
General

structured-progress-update

No summary provided by upstream source.

Repository SourceNeeds Review
5-aiming-lab
General

plan-before-multi-step-execution

No summary provided by upstream source.

Repository SourceNeeds Review
5-aiming-lab