PluginBench
Skill
Pass
Audit score 90

auth-implementation-patterns

wshobson/agents

Master JWT, OAuth2, session management, and RBAC patterns for secure, scalable authentication systems.

What is auth-implementation-patterns?

This skill teaches industry-standard authentication and authorization patterns including session-based auth, token-based JWT, OAuth2/OpenID Connect, and role-based access control (RBAC). Use it when implementing user authentication, securing APIs, adding social login, designing access control, or debugging security issues.

  • Implement session-based authentication with secure cookie management
  • Design and deploy JWT token-based authentication systems
  • Integrate OAuth2 and OpenID Connect for social/enterprise login
  • Build role-based access control (RBAC) and permission systems
  • Secure REST and GraphQL APIs with proper auth patterns
  • Implement password hashing, token expiration, and credential rotation

How to install auth-implementation-patterns

npx skills add https://github.com/wshobson/agents --skill auth-implementation-patterns

How to use auth-implementation-patterns

  1. Review the core concepts section to understand AuthN vs AuthZ distinctions
  2. Choose an authentication strategy (session-based, JWT, or OAuth2) based on your use case
  3. Read detailed pattern documentation in references/details.md for implementation specifics
  4. Apply best practices: hash passwords with bcrypt/argon2, use HTTPS, set short token expiration, secure cookies with httpOnly/secure/sameSite flags
  5. Implement server-side validation, rate limiting on auth endpoints, and CSRF protection for session auth
  6. Add security event logging and consider MFA for sensitive applications

Use cases

Good for
  • Building a user login system with session or JWT tokens
  • Adding Google/GitHub OAuth2 social login to an application
  • Implementing role-based permissions for multi-user SaaS platforms
  • Securing a REST API with token-based authentication
  • Designing SSO or multi-tenant authentication architecture
Who it's for
  • Backend engineers building authentication systems
  • Full-stack developers securing APIs and user access
  • Security-focused developers implementing access control
  • DevOps/platform engineers designing enterprise auth
  • Developers migrating or refactoring existing auth systems

auth-implementation-patterns FAQ

Should I use sessions or JWT tokens?

Sessions keep state on the server and the cookie carries only an opaque ID, which is simpler and lets you invalidate a login instantly (good for monoliths). JWTs are self-contained and can be verified by any service holding the key, so they scale horizontally across microservices, but a JWT stays valid until it expires unless you add server-side revocation state. Sessions are the safer default; if you use JWTs, keep them short-lived and send them in httpOnly cookies, not localStorage.

How do I prevent brute force attacks on login?

Implement rate limiting on authentication endpoints, use exponential backoff for failed attempts, and log all login attempts. Consider CAPTCHA after multiple failures.
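As a worked example of the answer above, together with the "hash passwords" and "log security events" steps from the usage list, here is a login handler that is added for this page and is not code from wshobson/agents. It uses hashlib.scrypt as the standard-library stand-in for bcrypt/argon2 (which need a third-party package), keeps a per-account failure counter with exponential backoff, verifies unknown users against a dummy hash so response time does not reveal valid usernames, and appends every outcome to a security log. The stores, the scrypt cost parameters and the lockout schedule are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory stores for the example; a real service backs these
# with a database (users) and a shared cache such as Redis (failure counters).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
FAILURES = {}       # username -> {"count": int, "locked_until": float}
SECURITY_LOG = []   # appended security events (ship these to your SIEM)

# scrypt is the memory-hard KDF in the Python standard library; bcrypt/argon2
# (as the skill recommends) need a third-party package. Cost is hypothetical:
# tune n so one hash takes roughly 100 ms on your hardware.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
FREE_ATTEMPTS = 3          # failures allowed before backoff starts (example policy)
MAX_LOCKOUT_SECONDS = 900  # cap exponential backoff at 15 minutes


def hash_password(password):
    """Return (salt, hash) for storage; a fresh random salt per user."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, expected):
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Verified against when the username is unknown, so a response-time
# difference does not reveal which usernames exist.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-password-for-unknown-users")


def register(username, password):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def log_event(event, username, **extra):
    SECURITY_LOG.append({"ts": time.time(), "event": event, "user": username, **extra})


def login(username, password, now=None):
    """Return 'ok', 'locked' or 'denied'. `now` is injectable for testing."""
    now = time.time() if now is None else now
    state = FAILURES.setdefault(username, {"count": 0, "locked_until": 0.0})

    if now < state["locked_until"]:
        log_event("login_locked", username, retry_after=state["locked_until"] - now)
        return "locked"

    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)  # burn the same time
        ok = False
    else:
        ok = verify_password(password, record["salt"], record["hash"])

    if ok:
        state["count"] = 0
        state["locked_until"] = 0.0
        log_event("login_success", username)
        return "ok"

    state["count"] += 1
    if state["count"] >= FREE_ATTEMPTS:
        # Exponential backoff: 8 s after the 3rd failure, 16 s after the 4th, ... capped.
        delay = min(MAX_LOCKOUT_SECONDS, 2 ** state["count"])
        state["locked_until"] = now + delay
    log_event("login_failed", username, failures=state["count"])
    return "denied"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(attempt, "->", login("alice", attempt))
```

A per-account lockout alone lets an attacker lock legitimate users out by spraying wrong passwords, so pair it with a per-source-IP limiter and, beyond a threshold, the CAPTCHA step the answer mentions rather than an ever-growing lockout.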

What's the difference between OAuth2 and OpenID Connect?

OAuth2 is for authorization (delegated access); OpenID Connect adds authentication on top of OAuth2 for identity verification. Use OIDC when you need both auth and user info.

How long should access tokens be valid?

Keep access tokens short-lived (15-30 minutes max). Use refresh tokens (longer-lived, rotated) to obtain new access tokens without re-authentication.

Where should I store JWT tokens in the browser?

Use httpOnly cookies so page scripts cannot read the token; anything in localStorage is readable by any script running on the page, so a single XSS bug leaks the token outright. Set the secure and sameSite flags as well. Note that httpOnly limits token theft, not token use: an XSS payload can still issue requests from the victim's browser, and because the browser attaches the cookie automatically you now need CSRF protection, exactly as with a session cookie.
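To show the cookie flags from the answer above in working code, and the session-based strategy from the SKILL.md core concepts, here is an added example that is not part of wshobson/agents. It issues an opaque random session ID, emits the Set-Cookie header with HttpOnly, Secure and SameSite set, resolves the session server-side on each request, and checks a per-session CSRF token on a state-changing endpoint. The session store, the 30-minute lifetime and the handler are constructed for the example; a real app would do the same through its web framework's cookie and session API.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSIONS = {}           # session_id -> {"user": str, "csrf": str, "expires": float} (constructed store)
SESSION_TTL = 30 * 60   # session lifetime in seconds (hypothetical policy)


def create_session(user, now=None):
    """Server-side session: the cookie carries only an unguessable random ID."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    SESSIONS[sid] = {
        "user": user,
        "csrf": secrets.token_urlsafe(32),   # per-session CSRF token, sent in forms or a header
        "expires": now + SESSION_TTL,
    }
    return sid


def session_cookie_header(sid):
    """Build the Set-Cookie header with the flags the skill calls for."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["httponly"] = True    # not readable via document.cookie (limits XSS theft)
    cookie["session"]["secure"] = True      # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"   # not attached to cross-site POSTs
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = SESSION_TTL
    return cookie.output(header="Set-Cookie:")


def load_session(cookie_header, now=None):
    """Parse the request's Cookie header and return the live session, or None."""
    now = time.time() if now is None else now
    morsel = SimpleCookie(cookie_header).get("session")
    if morsel is None:
        return None
    sess = SESSIONS.get(morsel.value)
    if sess is None:
        return None
    if now >= sess["expires"]:
        SESSIONS.pop(morsel.value, None)   # expired: drop the server-side state too
        return None
    return sess


def destroy_session(sid):
    """Logout invalidates server-side; unlike a stateless JWT, the ID is dead immediately."""
    SESSIONS.pop(sid, None)


def handle_transfer(cookie_header, csrf_token, now=None):
    """A state-changing endpoint: returns the HTTP status it would send."""
    sess = load_session(cookie_header, now)
    if sess is None:
        return 401
    # httpOnly stops script from *reading* the cookie, but the browser still
    # attaches it automatically, so a forged cross-site request must also carry
    # a token the attacker cannot read. Compare in constant time.
    if not hmac.compare_digest(sess["csrf"], csrf_token or ""):
        return 403
    return 200


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    print(handle_transfer(f"session={sid}", SESSIONS[sid]["csrf"]))   # 200
    print(handle_transfer(f"session={sid}", "forged"))               # 403
```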

Full instructions (SKILL.md)

Source of truth, from wshobson/agents.


name: auth-implementation-patterns
description: Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

Authentication & Authorization Implementation Patterns

Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices.

When to Use This Skill

  • Implementing user authentication systems
  • Securing REST or GraphQL APIs
  • Adding OAuth2/social login
  • Implementing role-based access control (RBAC)
  • Designing session management
  • Migrating authentication systems
  • Debugging auth issues
  • Implementing SSO or multi-tenancy

Core Concepts

1. Authentication vs Authorization

Authentication (AuthN): Who are you?

  • Verifying identity (username/password, OAuth, biometrics)
  • Issuing credentials (sessions, tokens)
  • Managing login/logout

Authorization (AuthZ): What can you do?

  • Permission checking
  • Role-based access control (RBAC)
  • Resource ownership validation
  • Policy enforcement
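The authorization bullets above (permission checking, RBAC, resource ownership, policy enforcement) in one deny-by-default check, added here as an example rather than taken from wshobson/agents. The role table, the "resource:action" permission strings, the owner-only rule and the document store are all constructed for the example; the point it makes is that the role set comes from the verified credential, permissions are resolved server-side, and ownership is checked against the stored resource, not against anything the client sends.

```python
from dataclasses import dataclass

# Constructed role -> permission table for a hypothetical document service.
# Permissions are "<resource>:<action>" strings; roles are just named bundles.
ROLE_PERMISSIONS = {
    "viewer": {"document:read"},
    "editor": {"document:read", "document:write"},
    "admin":  {"document:read", "document:write", "document:delete", "user:manage"},
}

# Actions on a document that additionally require ownership (admins bypass this).
OWNER_ONLY_ACTIONS = {"document:write", "document:delete"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset   # taken from the verified session/token, never from the request body


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str


class Forbidden(Exception):
    pass


def permissions_for(principal):
    """Union of the principal's role permissions; unknown roles grant nothing."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal, permission, resource=None):
    """Deny by default: raise Forbidden unless the role grants the permission
    and, for owner-only actions, the principal owns the resource or is admin."""
    if permission not in permissions_for(principal):
        raise Forbidden(f"{principal.user_id} lacks {permission}")
    if resource is not None and permission in OWNER_ONLY_ACTIONS:
        if resource.owner_id != principal.user_id and "admin" not in principal.roles:
            raise Forbidden(f"{principal.user_id} does not own {resource.doc_id}")


def can(principal, permission, resource=None):
    """Boolean form of authorize(), for UI hints; the server still enforces."""
    try:
        authorize(principal, permission, resource)
        return True
    except Forbidden:
        return False


def delete_document(principal, store, doc_id):
    """Resource handler: load the stored record first, then authorize against its real owner."""
    doc = store[doc_id]                        # a real handler returns 404 when missing
    authorize(principal, "document:delete", doc)
    del store[doc_id]
    return doc


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"editor"}))
    root = Principal("root", frozenset({"admin"}))
    store = {"d1": Document("d1", owner_id="alice")}
    print(can(alice, "document:write", store["d1"]))    # True
    print(can(alice, "document:delete", store["d1"]))   # False: editors cannot delete
    print(delete_document(root, store, "d1"))
```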

2. Authentication Strategies

Session-Based:

  • Server stores session state
  • Session ID in cookie
  • Traditional, simple, stateful

Token-Based (JWT):

  • Stateless, self-contained
  • Scales horizontally
  • Can store claims

OAuth2/OpenID Connect:

  • Delegate authentication
  • Social login (Google, GitHub)
  • Enterprise SSO
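For the token-based strategy above, and for the FAQ on access-token lifetime, here is an added example (not code from wshobson/agents) of what "stateless, self-contained, can store claims" looks like when done carefully: an HS256 JWT minted with a 15-minute exp, a verifier that pins the algorithm server-side, checks the signature in constant time before trusting any claim, and tolerates a little clock skew, plus opaque refresh tokens that are rotated on every use with reuse detection that revokes the whole token family. The key, the claim set, the refresh store and the leeway value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60       # access tokens live 15 minutes, as the skill recommends
CLOCK_LEEWAY = 30          # seconds of skew tolerated on exp (hypothetical)
REFRESH_TOKENS = {}        # refresh token -> {"sub", "roles", "family", "used"} (constructed store)


class InvalidToken(Exception):
    pass


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(key, subject, roles, now=None):
    """HS256 JWT carrying only the claims the verifier will enforce."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now,
               "exp": now + ACCESS_TTL, "jti": secrets.token_hex(8)}

    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(key, token, now=None):
    """Return the payload or raise InvalidToken. The algorithm is pinned server-side."""
    now = int(time.time()) if now is None else int(now)
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:                          # wrong segment count, bad base64, bad JSON
        raise InvalidToken("malformed token") from None
    # Never let the token choose the algorithm: this rejects alg=none and key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")     # checked before the payload is even parsed
    try:
        payload = json.loads(b64url_decode(p64))
    except ValueError:
        raise InvalidToken("malformed payload") from None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now > exp + CLOCK_LEEWAY:
        raise InvalidToken("expired or missing exp")
    return payload


def token_is_valid(key, token, now=None):
    try:
        verify_access_token(key, token, now)
        return True
    except InvalidToken:
        return False


def issue_refresh_token(subject, roles, family=None):
    """Opaque random refresh token tracked server-side; `family` links its rotations."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = {"sub": subject, "roles": roles,
                             "family": family or secrets.token_hex(8), "used": False}
    return token


def rotate_refresh_token(key, token, now=None):
    """Exchange a refresh token exactly once for a new (access, refresh) pair.
    A second presentation means the token leaked: revoke the whole family."""
    rec = REFRESH_TOKENS.get(token)
    if rec is None:
        raise InvalidToken("unknown refresh token")
    if rec["used"]:
        for t, r in list(REFRESH_TOKENS.items()):
            if r["family"] == rec["family"]:
                del REFRESH_TOKENS[t]
        raise InvalidToken("refresh token reuse detected; family revoked")
    rec["used"] = True
    new_refresh = issue_refresh_token(rec["sub"], rec["roles"], rec["family"])
    return mint_access_token(key, rec["sub"], rec["roles"], now), new_refresh
```

The refresh store is the one piece of server-side state this design keeps: it is what makes a stolen refresh token detectable and revocable, whereas the access token is trusted until exp and is therefore kept short.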

Detailed patterns and worked examples

Detailed pattern documentation lives in references/details.md. Read that file when the navigation tier above is insufficient.

Best Practices

  1. Never Store Plain Passwords: Always hash with bcrypt/argon2
  2. Use HTTPS: Encrypt data in transit
  3. Short-Lived Access Tokens: 15-30 minutes max
  4. Secure Cookies: httpOnly, secure, sameSite flags
  5. Validate All Input: Email format, password strength
  6. Rate Limit Auth Endpoints: Prevent brute force attacks
  7. Implement CSRF Protection: For session-based auth
  8. Rotate Secrets Regularly: JWT secrets, session secrets
  9. Log Security Events: Login attempts, failed auth
  10. Use MFA When Possible: Extra security layer

Common Pitfalls

  • Weak Passwords: Enforce strong password policies
  • JWT in localStorage: Vulnerable to XSS, use httpOnly cookies
  • No Token Expiration: Tokens should expire
  • Client-Side Auth Checks Only: Always validate server-side
  • Insecure Password Reset: Use secure tokens with expiration
  • No Rate Limiting: Vulnerable to brute force
  • Trusting Client Data: Always validate on server