Skill

auth-patterns

Authentication patterns — JWT, OAuth/OIDC, sessions, multi-tenant auth, RBAC/ABAC

Install

npx claudepluginhub rnavarych/alpha-engineer --plugin billy-milligan

Tool Access

This skill is limited to using the following tools:

ReadGrepGlobBash

Preview

- **Prevent user enumeration**: Login errors must be identical for "user not found" and "wrong password".

Supporting Assets

references/jwt-implementation.mdreferences/multi-tenant-auth.mdreferences/oauth-oidc.mdreferences/session-implementation.mdreferences/tenant-data-isolation.md

SKILL.md

Similar Skills

eval-harness

Implements eval-driven development (EDD) for Claude Code with capability/regression evals, pass@k metrics, and code/model/human graders for measuring agent reliability.

everything-claude-code

156.2k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

156.2k

accessibility

Designs, implements, and audits WCAG 2.2 AA accessible UIs for Web (ARIA/HTML5), iOS (SwiftUI traits), and Android (Compose semantics). Audits code for compliance gaps.

everything-claude-code

156.2k

Stats

Parent Repo Stars9

Parent Repo Forks0

Last CommitFeb 23, 2026

Actions

View Source View Plugin View on GitHub View README

Core Principles

Prevent user enumeration: Login errors must be identical for "user not found" and "wrong password".

Constant-time comparison: Always use crypto.timingSafeEqual for token comparison.

Short-lived access tokens: 15 minutes max; refresh tokens rotate on use.

RBAC at middleware level: Authorization check before business logic, not inside it.

Never trust the client: Re-verify permissions on every request, not just at login.

References

references/jwt-implementation.md — Access/refresh tokens, rotation, httpOnly cookies, revocation

references/oauth-oidc.md — Authorization code + PKCE, token exchange, provider integration

references/session-implementation.md — Redis sessions, session fixation, CSRF protection

references/multi-tenant-auth.md — Tenant context middleware, RLS, RBAC permission matrix

references/tenant-data-isolation.md — Schema-per-tenant, database-per-tenant, hybrid tier routing, ABAC, org-level permissions

Auth Patterns Skill

Core Principles

Prevent user enumeration: Login errors must be identical for "user not found" and "wrong password".
Constant-time comparison: Always use crypto.timingSafeEqual for token comparison.
Short-lived access tokens: 15 minutes max; refresh tokens rotate on use.
RBAC at middleware level: Authorization check before business logic, not inside it.
Never trust the client: Re-verify permissions on every request, not just at login.

References

references/jwt-implementation.md — Access/refresh tokens, rotation, httpOnly cookies, revocation
references/oauth-oidc.md — Authorization code + PKCE, token exchange, provider integration
references/session-implementation.md — Redis sessions, session fixation, CSRF protection
references/multi-tenant-auth.md — Tenant context middleware, RLS, RBAC permission matrix
references/tenant-data-isolation.md — Schema-per-tenant, database-per-tenant, hybrid tier routing, ABAC, org-level permissions