Security Auth Skill

Authentication and authorization patterns for secure applications.

Quick Reference

Authentication Methods

Method	Use Case	Security Level
JWT + Refresh	SPAs, Mobile apps	High
Session cookies	Traditional web apps	High
OAuth2/OIDC	Social login, SSO	High
API Keys	Service-to-service	Medium
MFA	High-security apps	Very High

Authorization Patterns

Pattern	Use Case	Complexity
RBAC	Most applications	Low-Medium
ABAC	Fine-grained control	High
ReBAC	Relationship-based	Medium
Permission Matrix	Admin panels	Low

JWT Token Service

export class TokenService {
  private readonly accessExpiry = '15m';   // Short-lived
  private readonly refreshExpiry = '7d';   // Rotate on use

  generateTokenPair(user: User): TokenPair {
    const accessToken = jwt.sign(
      { sub: user.id, type: 'access' },
      this.accessSecret,
      { expiresIn: this.accessExpiry }
    );

    const refreshToken = jwt.sign(
      { sub: user.id, type: 'refresh' },
      this.refreshSecret,
      { expiresIn: this.refreshExpiry }
    );

    return { accessToken, refreshToken };
  }
}

Password Hashing

import bcrypt from 'bcrypt';

// Hash password (cost factor 12)
const hash = await bcrypt.hash(password, 12);

// Verify password
const isValid = await bcrypt.verify(password, hash);

RBAC Guard (NestJS)

@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  canActivate(context: ExecutionContext): boolean {
    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(
      ROLES_KEY, [context.getHandler(), context.getClass()]
    );
    if (!requiredRoles) return true;
    const { user } = context.switchToHttp().getRequest();
    return requiredRoles.some(role => user.roles?.includes(role));
  }
}

OAuth2/OIDC Flow

// Passport OAuth2 Strategy
passport.use(new OAuth2Strategy({
  authorizationURL: 'https://provider.com/oauth2/authorize',
  tokenURL: 'https://provider.com/oauth2/token',
  clientID: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  callbackURL: '/auth/callback',
}, (accessToken, refreshToken, profile, done) => {
  return done(null, profile);
}));

Anti-Patterns

// Storing passwords in plain text
user.password = plainPassword; // NEVER DO THIS

// Missing rate limiting on auth
app.post('/login', loginHandler); // ADD RATE LIMITING

// Long-lived access tokens
{ expiresIn: '30d' } // TOO LONG - use 15m max

F5 Quality Gates

Gate	Requirement
G2	Auth requirements documented
G2.5	Auth controls implemented
G3	Auth tests passing (90%+ coverage)

security-auth

Security Auth Skill

Quick Reference

Authentication Methods

Authorization Patterns

JWT Token Service

Password Hashing

RBAC Guard (NestJS)

OAuth2/OIDC Flow

Anti-Patterns

F5 Quality Gates