From ultrapowers-dev
Use when implementing authentication, authorization, or security controls — covering identity, access, and defense against common vulnerabilities.
Slash command: `/ultrapowers-dev:auth-security`
Never roll your own crypto. Use proven libraries, follow established standards, and treat security as a constraint on every design decision — not an afterthought.
| Concern | Question Answered | Examples |
|---|---|---|
| Authentication (AuthN) | Who are you? | Password, OAuth, MFA, SSO |
| Authorization (AuthZ) | What can you do? | RBAC, ABAC, policies, scopes |
Always authenticate first, then authorize. Never conflate the two.
| Strategy | Best For | Tradeoff |
|---|---|---|
| Session cookies | Server-rendered apps | Requires a session store; `SameSite` cookies blunt CSRF, but state-changing requests still need a CSRF token (`SameSite=Lax` permits top-level GET navigations) |
| JWT (access token) | APIs, microservices | Stateless but irrevocable until expiry |
| JWT + refresh token | SPAs, mobile apps | Short-lived access (5-15 min), long-lived refresh (days); rotate the refresh token on every use and revoke the whole token family when a rotated token is presented again |
JWT rules: Keep payloads small. Never store secrets in claims; the payload is only base64url-encoded, not encrypted, and anyone holding the token can read it. Pin the expected algorithm on the verifier side (never trust the token's `alg` header, and reject `none`). Always validate signature, issuer, audience, and expiration, allowing only a small clock skew.
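The rules above as a verifier, written here as an added example (it is not code from the ultrapowers-dev skill). It uses only the Python standard library, pins HS256 rather than reading `alg` from the header, checks the signature in constant time before reading any claim, and then enforces `iss`, `aud`, `exp` and `nbf` with a bounded skew. The key, issuer and audience values are constructed for the demo; `make_token` exists only so the checks can be exercised offline, and a real service would obtain tokens from its issuer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key and expected values (assumptions for the example);
# a real service loads the key from a secrets manager.
DEMO_KEY = b"demo-hmac-key-do-not-use-in-production"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "api.example"
CLOCK_SKEW_SECONDS = 30


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_token(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Mint a token so the verifier can be exercised offline. `alg` is a
    parameter only so a forged 'alg: none' header can be produced for testing."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = _sign(signing_input, key) if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise.
    The signature is verified before any claim is read, so nothing in the
    payload is trusted until the token is known to be authentic."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # 1. Pin the algorithm. Taking it from the header is what makes the
    #    'alg: none' and HMAC/RSA confusion attacks work.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # 2. Signature over header.payload, compared in constant time.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(_sign(signing_input, key), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))

    # 3. Issuer and audience must be exactly what this service expects;
    #    a genuine token minted for a different audience is still rejected.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")

    # 4. exp is mandatory; nbf is honoured when present; both allow small skew.
    if "exp" not in claims:
        raise ValueError("missing exp")
    if now > claims["exp"] + CLOCK_SKEW_SECONDS:
        raise ValueError("expired")
    if now + CLOCK_SKEW_SECONDS < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def is_valid(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, key, now)
        return True
    except ValueError:
        return False
```

In production, the same shape applies with a library such as PyJWT or jose, which take an explicit `algorithms=[...]` allow-list and `audience`/`issuer` arguments for exactly the reasons the checks above spell out; the point of the hand-rolled verifier is to make visible what that library call must be doing.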
| Model | Mechanism | Use When |
|---|---|---|
| RBAC | Users have roles, roles have permissions | Clear organizational hierarchy |
| ABAC | Policies evaluate attributes (user, resource, context) | Complex, context-dependent rules |
| ReBAC | Permissions derived from relationships | Social graphs, document sharing |
Start with RBAC. Move to ABAC/ReBAC when RBAC role explosion becomes unmanageable.
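A deny-by-default RBAC check, enforced in the service layer rather than the UI, as an added example that is not the skill's own code. It also shows the object-level check that role-only RBAC misses: a user whose role grants `doc:write` still may not edit documents they do not own, which is the gap behind most broken-access-control findings. The roles, permission strings and in-memory document store are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed role/permission table for the example. Permissions are
# "resource:action" strings; a role grants exactly what it lists.
ROLE_PERMISSIONS = {
    "viewer": {"doc:read"},
    "editor": {"doc:read", "doc:write"},
    "admin": {"doc:read", "doc:write", "doc:delete", "user:manage"},
}


@dataclass
class User:
    id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    id: str
    owner_id: str
    body: str = ""


class Forbidden(Exception):
    """Raised by the service layer; the HTTP layer maps it to a 403 (or a 404
    where revealing that the object exists is itself a leak)."""


def permissions_for(user: User) -> set:
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return granted


def authorize(user: User, permission: str, doc: Optional[Document] = None) -> None:
    """Deny by default. Role check first; then, for mutations of a specific
    document, an ownership check so a user with doc:write cannot edit
    everyone's documents (the object-level gap behind most IDOR findings)."""
    if permission not in permissions_for(user):
        raise Forbidden(f"{user.id} lacks {permission}")
    if doc is not None and permission in ("doc:write", "doc:delete"):
        if doc.owner_id != user.id and "admin" not in user.roles:
            raise Forbidden(f"{user.id} does not own {doc.id}")


def can(user: User, permission: str, doc: Optional[Document] = None) -> bool:
    try:
        authorize(user, permission, doc)
        return True
    except Forbidden:
        return False


# A minimal service layer. Every entry point authorizes before touching state;
# nothing relies on the UI having hidden a button.
DOCS = {}  # in-memory store, constructed for the demo


def _load(doc_id: str) -> Document:
    doc = DOCS.get(doc_id)
    if doc is None:
        raise Forbidden(f"no document {doc_id}")  # same outcome as unauthorized
    return doc


def create_doc(user: User, doc_id: str, body: str) -> Document:
    authorize(user, "doc:write")
    DOCS[doc_id] = Document(doc_id, user.id, body)
    return DOCS[doc_id]


def read_doc(user: User, doc_id: str) -> Document:
    authorize(user, "doc:read")
    return _load(doc_id)


def update_doc(user: User, doc_id: str, body: str) -> Document:
    doc = _load(doc_id)
    authorize(user, "doc:write", doc)
    doc.body = body
    return doc


def delete_doc(user: User, doc_id: str) -> bool:
    doc = _load(doc_id)
    authorize(user, "doc:delete", doc)
    del DOCS[doc_id]
    return True
```

The ownership rule is the first step toward ReBAC: when "owner", "shared-with" and "member of the owning team" multiply, the `doc.owner_id != user.id` test becomes a relationship lookup, and that is the point at which moving to a policy engine pays off.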
| Vulnerability | Defense |
|---|---|
| Injection (SQL, NoSQL, OS) | Parameterized queries, never concatenate input |
| Broken authentication | MFA, rate-limit login, secure password hashing (bcrypt/argon2) |
| Sensitive data exposure | Encrypt at rest and in transit, minimize data collection |
| Broken access control | Check permissions server-side on every request |
| Security misconfiguration | Replace or disable insecure defaults, automate hardening, audit response headers |
| XSS | Encode user content for the context it lands in (HTML body, attribute, JavaScript, URL); deploy a Content-Security-Policy header |
| CSRF | SameSite cookies, anti-CSRF tokens for state-changing requests |
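For the injection row, the vulnerable query beside its parameterized form, run against an in-memory SQLite table. This is an added example, not the skill's code; the table and its rows are constructed for the demo, and the `find_user_vulnerable` function is kept deliberately broken so the two payloads can be seen to work against it and fail against the parameterized version. The `LIKE` helper goes one step further than the table's rule: binding the parameter stops injection, but `%` and `_` are still wildcards and need escaping as well.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; stands in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE (kept to show the failure): the value is pasted into the SQL
    # text, so a quote in `username` ends the string and the rest is syntax.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # HARDENED: the driver sends the value separately from the statement; it
    # can only ever be compared as data, whatever characters it contains.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def search_users_safe(conn: sqlite3.Connection, fragment: str) -> list:
    # LIKE needs one more step: wildcards are data too, so escape % and _
    # (and the escape character itself) in addition to binding the parameter.
    escaped = fragment.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (f"%{escaped}%",),
    ).fetchall()
```

The two payloads in the test are the classic ones: `' OR '1'='1` turns a lookup into "return every row", and the `UNION` payload pulls the `password_hash` column into a result set that was only supposed to carry usernames. Both are inert once the value is bound.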
| Mistake | Fix |
|---|---|
| Rolling custom password hashing | Use bcrypt, scrypt, or argon2 from a trusted library |
| Storing JWTs in localStorage | Use `HttpOnly`, `Secure`, `SameSite` cookies so script running in the page (including injected script) cannot read the token |
| Checking permissions only in the UI | Enforce authorization server-side on every endpoint |
| Hardcoding secrets in source code | Use environment variables or a secrets manager |
| Missing rate limiting on auth endpoints | Rate-limit login, registration, and password reset |
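The "use a trusted library" fix for password hashing, shown with `hashlib.scrypt` (OpenSSL's implementation, reached through the standard library) as an added example that is not the skill's own code. Beyond calling the function, it shows the three things a storage format needs: a fresh random salt per password, the work-factor parameters recorded alongside the hash so they can be raised later without a forced reset, and a constant-time comparison on verify. The parameter values are an assumption for the example; size them to your own hardware.

```python
import base64
import hashlib
import hmac
import os

# Current work-factor policy (an assumption for the example; size it so one
# hash costs tens of milliseconds on your hardware). N=2**14, r=8 uses 16 MiB,
# which fits hashlib.scrypt's default 32 MiB maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$salt$hash.
    Storing the parameters lets the policy rise without invalidating users."""
    salt = os.urandom(SALT_BYTES)  # unique per password; defeats precomputation
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    return f"$scrypt$ln={n.bit_length() - 1},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    _, scheme, params, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme")
    kv = dict(item.split("=") for item in params.split(","))
    n, r, p = 2 ** int(kv["ln"]), int(kv["r"]), int(kv["p"])
    return n, r, p, base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    A malformed record verifies as False rather than raising, so a corrupt
    row cannot turn into an error-based bypass."""
    try:
        n, r, p, salt, digest = _parse(stored)
    except (ValueError, KeyError):
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when the record was made under a weaker policy. Call it after a
    successful login, while the plaintext is in hand, and re-store the hash."""
    n, r, p, _, _ = _parse(stored)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

The same record layout is what the `passlib`/`argon2-cffi` style libraries produce (the PHC string format), which is why swapping in argon2id later is a change to `hash_password` and `_parse`, not to the database.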
Original — Datatide, MIT licensed.
Install: `npx claudepluginhub ennio-datatide/ultrapowers-dev`