auth-module-builder

Implement secure, production-ready authentication systems.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "auth-module-builder" with this command: npx skills add patricio0312rev/skills/patricio0312rev-skills-auth-module-builder

Auth Module Builder

Implement secure, production-ready authentication systems.

Core Components

Routes: POST /login, /register, /logout, /refresh, /forgot-password
Middleware: authenticate, requireAuth, optionalAuth
Security: bcrypt hashing, JWT signing, secure cookies, CSRF tokens
Session: Redis/DB storage, expiration, refresh tokens
Threats: Document common attacks and mitigations

JWT Pattern

import jwt from "jsonwebtoken";

// Generate tokens
const accessToken = jwt.sign(
  { userId: user.id, email: user.email },
  process.env.JWT_SECRET,
  { expiresIn: "15m" }
);

const refreshToken = jwt.sign(
  { userId: user.id, type: "refresh" },
  process.env.JWT_REFRESH_SECRET,
  { expiresIn: "7d" }
);

// Verify middleware
export const authenticate = async (req, res, next) => {
  // Accept only "Authorization: Bearer <token>"
  const [scheme, token] = (req.headers.authorization || "").split(" ");
  if (scheme !== "Bearer" || !token) return res.status(401).json({ error: "No token" });

  try {
    // Pin the algorithm so a token with a different "alg" header is rejected
    const decoded = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256"] });
    const user = await User.findById(decoded.userId);
    // A valid token for a user that no longer exists must not pass
    if (!user) return res.status(401).json({ error: "Invalid token" });
    req.user = user;
    next();
  } catch (err) {
    res.status(401).json({ error: "Invalid token" });
  }
};

Session Pattern

// Express session with Redis
import session from "express-session";
import RedisStore from "connect-redis"; // connect-redis v7 default export (assumed)

app.use(
  session({
    store: new RedisStore({ client: redisClient }),
    secret: process.env.SESSION_SECRET,
    resave: false,
    saveUninitialized: false,
    cookie: {
      secure: process.env.NODE_ENV === "production", // cookie only sent over HTTPS
      httpOnly: true,                                // not readable from page scripts
      maxAge: 1000 * 60 * 60 * 24 * 7,               // 7 days
      sameSite: "lax",
    },
  })
);

Password Security

import bcrypt from "bcrypt";

// Hash password (cost factor 10)
const hashedPassword = await bcrypt.hash(password, 10);

// Verify password
const isValid = await bcrypt.compare(password, user.hashedPassword);

Security Checklist

  • Passwords hashed with bcrypt (cost ≥10)

  • JWT secrets from environment, rotated regularly

  • HTTPS only in production

  • httpOnly, secure cookies

  • CSRF protection enabled

  • Rate limiting on auth routes

  • Account lockout after failed attempts

  • Password reset tokens expire

  • Email verification for new accounts

Threat Model

Brute Force: Rate limit + account lockout
Token Theft: Short expiry, httpOnly cookies, HTTPS only
CSRF: SameSite cookies + CSRF tokens
Session Fixation: Regenerate session ID on login
XSS: Sanitize inputs, CSP headers

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
