技能概览
先看适用场景、限制条件和安装路径,再决定是否继续深入。
安装 Auth Patterns,这是一款面向AI agent workflows and automation的 AI Agent Skill。查看功能、使用场景、限制条件与安装命令。
核心价值
推荐说明: auth-patterns helps agents authentication patterns. landing 2512 # Authentication Patterns Authoritative security patterns for implementing authentication and authorization systems.
适用 Agent 类型
适用场景: authentication patterns.
↓ 赋予的主要能力 · Auth Patterns
! 使用限制与门槛
- 限制说明: HTTPS only - Prevent token interception
- 限制说明: Requires repository-specific context from the skill documentation
- 限制说明: Works best when the underlying tools and dependencies are already configured
! 来源说明
此页面仍可作为安装与查阅参考。继续使用前,请结合上方适用场景、限制条件和上游仓库说明一起判断。
Authentication Patterns
Authoritative security patterns for implementing authentication and authorization systems. Based on OWASP, RFC standards, and industry best practices.
Sources: OWASP Cheat Sheets, RFC 7519 (JWT), RFC 8725 (JWT BCP), RFC 6749 (OAuth 2.0), OpenID Connect Core 1.0
JWT (JSON Web Tokens)
Structure (RFC 7519)
Header.Payload.Signature - URL-safe, digitally signed claims transferred between parties.
Critical Security (RFC 8725)
- Always validate algorithm - Never trust
alg: "none", enforce cryptographic validation - Validate critical claims -
exp(expiration),aud(audience),iss(issuer) are mandatory - Short-lived access tokens - 10-15 minutes maximum
- Never store sensitive data - JWTs are encoded, not encrypted
- HTTPS only - Prevent token interception
Implementation
typescript1// Signing with RS256 (asymmetric preferred over HS256) 2const payload = { userId: user.id, exp: Math.floor(Date.now() / 1000) + 900 }; // 15min 3const token = jwt.sign(payload, privateKey, { algorithm: 'RS256', issuer: 'app', audience: 'users' }); 4 5// Verification 6const decoded = jwt.verify(token, publicKey, { issuer: 'app', audience: 'users' });
For comprehensive JWT guidance: See references/jwt-best-practices.md for signing algorithms (RS256, ES256, HS256), token storage strategies, refresh patterns, revocation techniques, and vulnerability mitigations.
Token Refresh with Rotation
Best Practices (Auth0, 2026)
- Single-use refresh tokens - Each refresh generates new access + refresh token pair, invalidates old refresh token
- Reuse detection - If revoked token used, revoke ALL tokens for user (security breach indicator)
- Token families - Track token lineage via
jticlaim for granular revocation - Storage - httpOnly cookies (web), secure storage (mobile), NEVER localStorage
Lifetimes
- Access: 10-15 minutes
- Refresh: 30-90 days with sliding expiration
OAuth 2.0 & OpenID Connect
OAuth 2.0 (RFC 6749)
Authorization framework for third-party limited access. Four roles: resource owner, client, authorization server, resource server.
OpenID Connect Core 1.0
Identity layer on OAuth 2.0. Adds ID Token (JWT) with user authentication info and UserInfo endpoint.
Authorization Code Flow with PKCE (Recommended)
1. Generate code_verifier (43-128 chars), code_challenge = SHA256(verifier)
2. Redirect to /authorize with client_id, redirect_uri, code_challenge, state
3. User authorizes, receives authorization code
4. Exchange code + code_verifier for tokens at /token endpoint
5. Receive access_token, refresh_token, id_token (OIDC)
PKCE critical for public clients (SPAs, mobile) - prevents authorization code interception.
For detailed OAuth implementation: See references/oauth-flows.md for complete step-by-step PKCE flow, state parameter CSRF protection, redirect URI validation, scope management, client credentials flow, OpenID Connect ID token validation, and security best practices.
Password Security
Hashing (OWASP Password Storage)
typescript1import bcrypt from 'bcrypt'; 2const hash = await bcrypt.hash(password, 12); // 12+ rounds (13-14 for 2026) 3const valid = await bcrypt.compare(password, hash);
- bcrypt cost factor - Minimum 12 rounds, 13-14 recommended for 2026
- 72 byte limit - bcrypt truncates at 72 bytes, enforce this limit
- Argon2id preferred - OWASP first choice (2023+), bcrypt for legacy systems
- Never truncate silently - Reject passwords >72 bytes or use Argon2id
Password Policy (OWASP Authentication)
- Minimum 8 characters (12+ recommended)
- No complexity requirements - Allow all characters (unicode, spaces)
- No periodic changes - Encourage strong passwords + MFA instead (NIST guideline)
- Check breach databases - Reject passwords in haveibeenpwned.com
For in-depth password security: See references/owasp-auth.md for Argon2id vs bcrypt comparison, password policy guidelines, breach database integration, session management, account lockout strategies, MFA implementation (TOTP, WebAuthn), and common authentication vulnerabilities.
Multi-Factor Authentication (MFA)
OWASP MFA Requirements
- Independent factors - Password + PIN is NOT MFA (both knowledge factors)
- MFA effectiveness - Stops 99.9% of account compromises (Microsoft analysis)
- Modern standards - FIDO2 Passkeys, WebAuthn for biometric authentication
- Risk-based - Require MFA for high-risk actions (new device, suspicious location)
Implementation
- TOTP (Time-based One-Time Password) - RFC 6238, 6-digit codes, 30s window
- WebAuthn - Public key cryptography, hardware tokens, biometrics
- SMS (fallback only) - Vulnerable to SIM swapping, not recommended as primary
For complete MFA implementation: See references/owasp-auth.md for TOTP enrollment and verification code examples, WebAuthn/FIDO2 registration and authentication flows, recovery code generation, and MFA factor categories.
Session Management
Secure Cookie Configuration (OWASP)
typescript1res.cookie('__Host-session', token, { 2 httpOnly: true, // Prevents XSS access 3 secure: true, // HTTPS only 4 sameSite: 'strict', // CSRF protection (use 'lax' if external links needed) 5 maxAge: 3600000, // 1 hour 6 path: '/' 7});
Cookie prefix __Host- enforces secure, path=/, no domain (prevents subdomain attacks).
Session Storage
- Redis/Memcached for distributed systems
- Database for persistent sessions
- Regenerate session ID after login (prevent fixation)
For detailed session security: See references/owasp-auth.md for session ID generation with cryptographic randomness, session lifecycle management (creation, regeneration, validation), cookie security prefixes (__Host- vs __Secure-), and session fixation attack prevention.
Authorization (RBAC)
Role-Based Access Control
typescript1interface Permission { resource: string; action: string; } 2const roles = { 3 admin: [{ resource: '*', action: '*' }], 4 editor: [{ resource: 'posts', action: 'write' }], 5 viewer: [{ resource: 'posts', action: 'read' }] 6}; 7 8// Middleware 9function requirePermission(resource: string, action: string) { 10 return (req, res, next) => { 11 const hasAccess = req.user.roles.some(r => 12 roles[r].some(p => (p.resource === '*' || p.resource === resource) && 13 (p.action === '*' || p.action === action)) 14 ); 15 if (!hasAccess) return res.status(403).json({ error: 'Forbidden' }); 16 next(); 17 }; 18}
Implementation Best Practices
- Start with clear role definitions tied to business functions
- Automate provisioning (HR system integration)
- Implement in phases, don't aim for 100% coverage initially
- Review and audit regularly
Security Checklist
Before Production
- No hardcoded secrets (use env vars)
- All passwords hashed with bcrypt 12+ or Argon2id
- JWT algorithm validation enforced
- Tokens transmitted over HTTPS only
- httpOnly, secure, sameSite=strict cookies
- Rate limiting on auth endpoints (5 attempts/15min)
- Account lockout after failed attempts
- MFA available for sensitive operations
- Session regeneration after privilege escalation
- Generic error messages (no credential enumeration)
Templates
Code templates for this domain (in templates/):
guard.ts.template— Route protection and authorization guards
Resources
- OWASP Authentication Cheat Sheet
- OWASP Session Management Cheat Sheet
- OWASP Multifactor Authentication Cheat Sheet
- OWASP Password Storage Cheat Sheet
- RFC 7519: JSON Web Token
- RFC 8725: JWT Best Current Practices
- RFC 6749: OAuth 2.0 Authorization Framework
- OpenID Connect Core 1.0
- Auth0: Refresh Token Rotation
