Name: Auth Implementation Patterns
Author: Wshobson
Install
Terminal · npx
$npx skills add https://github.com/wshobson/agents --skill auth-implementation-patterns
Works with Paperclip
How Auth Implementation Patterns fits into a Paperclip company.

Auth Implementation Patterns drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md638 linesmarkdown
Expand
1---2name: auth-implementation-patterns3description: Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.4---5 6# Authentication & Authorization Implementation Patterns7 8Build secure, scalable authentication and authorization systems using industry-standard patterns and modern best practices.9 10## When to Use This Skill11 12- Implementing user authentication systems13- Securing REST or GraphQL APIs14- Adding OAuth2/social login15- Implementing role-based access control (RBAC)16- Designing session management17- Migrating authentication systems18- Debugging auth issues19- Implementing SSO or multi-tenancy20 21## Core Concepts22 23### 1. Authentication vs Authorization24 25**Authentication (AuthN)**: Who are you?26 27- Verifying identity (username/password, OAuth, biometrics)28- Issuing credentials (sessions, tokens)29- Managing login/logout30 31**Authorization (AuthZ)**: What can you do?32 33- Permission checking34- Role-based access control (RBAC)35- Resource ownership validation36- Policy enforcement37 38### 2. Authentication Strategies39 40**Session-Based:**41 42- Server stores session state43- Session ID in cookie44- Traditional, simple, stateful45 46**Token-Based (JWT):**47 48- Stateless, self-contained49- Scales horizontally50- Can store claims51 52**OAuth2/OpenID Connect:**53 54- Delegate authentication55- Social login (Google, GitHub)56- Enterprise SSO57 58## JWT Authentication59 60### Pattern 1: JWT Implementation61 62```typescript63// JWT structure: header.payload.signature64import jwt from "jsonwebtoken";65import { Request, Response, NextFunction } from "express";66 67interface JWTPayload {68  userId: string;69  email: string;70  role: string;71  iat: number;72  exp: number;73}74 75// Generate JWT76function generateTokens(userId: string, email: string, role: string) {77  const accessToken = jwt.sign(78    { userId, email, role },79    process.env.JWT_SECRET!,80    { expiresIn: "15m" }, // Short-lived81  );82 83  const refreshToken = jwt.sign(84    { userId },85    process.env.JWT_REFRESH_SECRET!,86    { expiresIn: "7d" }, // Long-lived87  );88 89  return { accessToken, refreshToken };90}91 92// Verify JWT93function verifyToken(token: string): JWTPayload {94  try {95    return jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload;96  } catch (error) {97    if (error instanceof jwt.TokenExpiredError) {98      throw new Error("Token expired");99    }100    if (error instanceof jwt.JsonWebTokenError) {101      throw new Error("Invalid token");102    }103    throw error;104  }105}106 107// Middleware108function authenticate(req: Request, res: Response, next: NextFunction) {109  const authHeader = req.headers.authorization;110  if (!authHeader?.startsWith("Bearer ")) {111    return res.status(401).json({ error: "No token provided" });112  }113 114  const token = authHeader.substring(7);115  try {116    const payload = verifyToken(token);117    req.user = payload; // Attach user to request118    next();119  } catch (error) {120    return res.status(401).json({ error: "Invalid token" });121  }122}123 124// Usage125app.get("/api/profile", authenticate, (req, res) => {126  res.json({ user: req.user });127});128```129 130### Pattern 2: Refresh Token Flow131 132```typescript133interface StoredRefreshToken {134  token: string;135  userId: string;136  expiresAt: Date;137  createdAt: Date;138}139 140class RefreshTokenService {141  // Store refresh token in database142  async storeRefreshToken(userId: string, refreshToken: string) {143    const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000);144    await db.refreshTokens.create({145      token: await hash(refreshToken), // Hash before storing146      userId,147      expiresAt,148    });149  }150 151  // Refresh access token152  async refreshAccessToken(refreshToken: string) {153    // Verify refresh token154    let payload;155    try {156      payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET!) as {157        userId: string;158      };159    } catch {160      throw new Error("Invalid refresh token");161    }162 163    // Check if token exists in database164    const storedToken = await db.refreshTokens.findOne({165      where: {166        token: await hash(refreshToken),167        userId: payload.userId,168        expiresAt: { $gt: new Date() },169      },170    });171 172    if (!storedToken) {173      throw new Error("Refresh token not found or expired");174    }175 176    // Get user177    const user = await db.users.findById(payload.userId);178    if (!user) {179      throw new Error("User not found");180    }181 182    // Generate new access token183    const accessToken = jwt.sign(184      { userId: user.id, email: user.email, role: user.role },185      process.env.JWT_SECRET!,186      { expiresIn: "15m" },187    );188 189    return { accessToken };190  }191 192  // Revoke refresh token (logout)193  async revokeRefreshToken(refreshToken: string) {194    await db.refreshTokens.deleteOne({195      token: await hash(refreshToken),196    });197  }198 199  // Revoke all user tokens (logout all devices)200  async revokeAllUserTokens(userId: string) {201    await db.refreshTokens.deleteMany({ userId });202  }203}204 205// API endpoints206app.post("/api/auth/refresh", async (req, res) => {207  const { refreshToken } = req.body;208  try {209    const { accessToken } =210      await refreshTokenService.refreshAccessToken(refreshToken);211    res.json({ accessToken });212  } catch (error) {213    res.status(401).json({ error: "Invalid refresh token" });214  }215});216 217app.post("/api/auth/logout", authenticate, async (req, res) => {218  const { refreshToken } = req.body;219  await refreshTokenService.revokeRefreshToken(refreshToken);220  res.json({ message: "Logged out successfully" });221});222```223 224## Session-Based Authentication225 226### Pattern 1: Express Session227 228```typescript229import session from "express-session";230import RedisStore from "connect-redis";231import { createClient } from "redis";232 233// Setup Redis for session storage234const redisClient = createClient({235  url: process.env.REDIS_URL,236});237await redisClient.connect();238 239app.use(240  session({241    store: new RedisStore({ client: redisClient }),242    secret: process.env.SESSION_SECRET!,243    resave: false,244    saveUninitialized: false,245    cookie: {246      secure: process.env.NODE_ENV === "production", // HTTPS only247      httpOnly: true, // No JavaScript access248      maxAge: 24 * 60 * 60 * 1000, // 24 hours249      sameSite: "strict", // CSRF protection250    },251  }),252);253 254// Login255app.post("/api/auth/login", async (req, res) => {256  const { email, password } = req.body;257 258  const user = await db.users.findOne({ email });259  if (!user || !(await verifyPassword(password, user.passwordHash))) {260    return res.status(401).json({ error: "Invalid credentials" });261  }262 263  // Store user in session264  req.session.userId = user.id;265  req.session.role = user.role;266 267  res.json({ user: { id: user.id, email: user.email, role: user.role } });268});269 270// Session middleware271function requireAuth(req: Request, res: Response, next: NextFunction) {272  if (!req.session.userId) {273    return res.status(401).json({ error: "Not authenticated" });274  }275  next();276}277 278// Protected route279app.get("/api/profile", requireAuth, async (req, res) => {280  const user = await db.users.findById(req.session.userId);281  res.json({ user });282});283 284// Logout285app.post("/api/auth/logout", (req, res) => {286  req.session.destroy((err) => {287    if (err) {288      return res.status(500).json({ error: "Logout failed" });289    }290    res.clearCookie("connect.sid");291    res.json({ message: "Logged out successfully" });292  });293});294```295 296## OAuth2 / Social Login297 298### Pattern 1: OAuth2 with Passport.js299 300```typescript301import passport from "passport";302import { Strategy as GoogleStrategy } from "passport-google-oauth20";303import { Strategy as GitHubStrategy } from "passport-github2";304 305// Google OAuth306passport.use(307  new GoogleStrategy(308    {309      clientID: process.env.GOOGLE_CLIENT_ID!,310      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,311      callbackURL: "/api/auth/google/callback",312    },313    async (accessToken, refreshToken, profile, done) => {314      try {315        // Find or create user316        let user = await db.users.findOne({317          googleId: profile.id,318        });319 320        if (!user) {321          user = await db.users.create({322            googleId: profile.id,323            email: profile.emails?.[0]?.value,324            name: profile.displayName,325            avatar: profile.photos?.[0]?.value,326          });327        }328 329        return done(null, user);330      } catch (error) {331        return done(error, undefined);332      }333    },334  ),335);336 337// Routes338app.get(339  "/api/auth/google",340  passport.authenticate("google", {341    scope: ["profile", "email"],342  }),343);344 345app.get(346  "/api/auth/google/callback",347  passport.authenticate("google", { session: false }),348  (req, res) => {349    // Generate JWT350    const tokens = generateTokens(req.user.id, req.user.email, req.user.role);351    // Redirect to frontend with token352    res.redirect(353      `${process.env.FRONTEND_URL}/auth/callback?token=${tokens.accessToken}`,354    );355  },356);357```358 359## Authorization Patterns360 361### Pattern 1: Role-Based Access Control (RBAC)362 363```typescript364enum Role {365  USER = "user",366  MODERATOR = "moderator",367  ADMIN = "admin",368}369 370const roleHierarchy: Record<Role, Role[]> = {371  [Role.ADMIN]: [Role.ADMIN, Role.MODERATOR, Role.USER],372  [Role.MODERATOR]: [Role.MODERATOR, Role.USER],373  [Role.USER]: [Role.USER],374};375 376function hasRole(userRole: Role, requiredRole: Role): boolean {377  return roleHierarchy[userRole].includes(requiredRole);378}379 380// Middleware381function requireRole(...roles: Role[]) {382  return (req: Request, res: Response, next: NextFunction) => {383    if (!req.user) {384      return res.status(401).json({ error: "Not authenticated" });385    }386 387    if (!roles.some((role) => hasRole(req.user.role, role))) {388      return res.status(403).json({ error: "Insufficient permissions" });389    }390 391    next();392  };393}394 395// Usage396app.delete(397  "/api/users/:id",398  authenticate,399  requireRole(Role.ADMIN),400  async (req, res) => {401    // Only admins can delete users402    await db.users.delete(req.params.id);403    res.json({ message: "User deleted" });404  },405);406```407 408### Pattern 2: Permission-Based Access Control409 410```typescript411enum Permission {412  READ_USERS = "read:users",413  WRITE_USERS = "write:users",414  DELETE_USERS = "delete:users",415  READ_POSTS = "read:posts",416  WRITE_POSTS = "write:posts",417}418 419const rolePermissions: Record<Role, Permission[]> = {420  [Role.USER]: [Permission.READ_POSTS, Permission.WRITE_POSTS],421  [Role.MODERATOR]: [422    Permission.READ_POSTS,423    Permission.WRITE_POSTS,424    Permission.READ_USERS,425  ],426  [Role.ADMIN]: Object.values(Permission),427};428 429function hasPermission(userRole: Role, permission: Permission): boolean {430  return rolePermissions[userRole]?.includes(permission) ?? false;431}432 433function requirePermission(...permissions: Permission[]) {434  return (req: Request, res: Response, next: NextFunction) => {435    if (!req.user) {436      return res.status(401).json({ error: "Not authenticated" });437    }438 439    const hasAllPermissions = permissions.every((permission) =>440      hasPermission(req.user.role, permission),441    );442 443    if (!hasAllPermissions) {444      return res.status(403).json({ error: "Insufficient permissions" });445    }446 447    next();448  };449}450 451// Usage452app.get(453  "/api/users",454  authenticate,455  requirePermission(Permission.READ_USERS),456  async (req, res) => {457    const users = await db.users.findAll();458    res.json({ users });459  },460);461```462 463### Pattern 3: Resource Ownership464 465```typescript466// Check if user owns resource467async function requireOwnership(468  resourceType: "post" | "comment",469  resourceIdParam: string = "id",470) {471  return async (req: Request, res: Response, next: NextFunction) => {472    if (!req.user) {473      return res.status(401).json({ error: "Not authenticated" });474    }475 476    const resourceId = req.params[resourceIdParam];477 478    // Admins can access anything479    if (req.user.role === Role.ADMIN) {480      return next();481    }482 483    // Check ownership484    let resource;485    if (resourceType === "post") {486      resource = await db.posts.findById(resourceId);487    } else if (resourceType === "comment") {488      resource = await db.comments.findById(resourceId);489    }490 491    if (!resource) {492      return res.status(404).json({ error: "Resource not found" });493    }494 495    if (resource.userId !== req.user.userId) {496      return res.status(403).json({ error: "Not authorized" });497    }498 499    next();500  };501}502 503// Usage504app.put(505  "/api/posts/:id",506  authenticate,507  requireOwnership("post"),508  async (req, res) => {509    // User can only update their own posts510    const post = await db.posts.update(req.params.id, req.body);511    res.json({ post });512  },513);514```515 516## Security Best Practices517 518### Pattern 1: Password Security519 520```typescript521import bcrypt from "bcrypt";522import { z } from "zod";523 524// Password validation schema525const passwordSchema = z526  .string()527  .min(12, "Password must be at least 12 characters")528  .regex(/[A-Z]/, "Password must contain uppercase letter")529  .regex(/[a-z]/, "Password must contain lowercase letter")530  .regex(/[0-9]/, "Password must contain number")531  .regex(/[^A-Za-z0-9]/, "Password must contain special character");532 533// Hash password534async function hashPassword(password: string): Promise<string> {535  const saltRounds = 12; // 2^12 iterations536  return bcrypt.hash(password, saltRounds);537}538 539// Verify password540async function verifyPassword(541  password: string,542  hash: string,543): Promise<boolean> {544  return bcrypt.compare(password, hash);545}546 547// Registration with password validation548app.post("/api/auth/register", async (req, res) => {549  try {550    const { email, password } = req.body;551 552    // Validate password553    passwordSchema.parse(password);554 555    // Check if user exists556    const existingUser = await db.users.findOne({ email });557    if (existingUser) {558      return res.status(400).json({ error: "Email already registered" });559    }560 561    // Hash password562    const passwordHash = await hashPassword(password);563 564    // Create user565    const user = await db.users.create({566      email,567      passwordHash,568    });569 570    // Generate tokens571    const tokens = generateTokens(user.id, user.email, user.role);572 573    res.status(201).json({574      user: { id: user.id, email: user.email },575      ...tokens,576    });577  } catch (error) {578    if (error instanceof z.ZodError) {579      return res.status(400).json({ error: error.errors[0].message });580    }581    res.status(500).json({ error: "Registration failed" });582  }583});584```585 586### Pattern 2: Rate Limiting587 588```typescript589import rateLimit from "express-rate-limit";590import RedisStore from "rate-limit-redis";591 592// Login rate limiter593const loginLimiter = rateLimit({594  store: new RedisStore({ client: redisClient }),595  windowMs: 15 * 60 * 1000, // 15 minutes596  max: 5, // 5 attempts597  message: "Too many login attempts, please try again later",598  standardHeaders: true,599  legacyHeaders: false,600});601 602// API rate limiter603const apiLimiter = rateLimit({604  windowMs: 60 * 1000, // 1 minute605  max: 100, // 100 requests per minute606  standardHeaders: true,607});608 609// Apply to routes610app.post("/api/auth/login", loginLimiter, async (req, res) => {611  // Login logic612});613 614app.use("/api/", apiLimiter);615```616 617## Best Practices618 6191. **Never Store Plain Passwords**: Always hash with bcrypt/argon26202. **Use HTTPS**: Encrypt data in transit6213. **Short-Lived Access Tokens**: 15-30 minutes max6224. **Secure Cookies**: httpOnly, secure, sameSite flags6235. **Validate All Input**: Email format, password strength6246. **Rate Limit Auth Endpoints**: Prevent brute force attacks6257. **Implement CSRF Protection**: For session-based auth6268. **Rotate Secrets Regularly**: JWT secrets, session secrets6279. **Log Security Events**: Login attempts, failed auth62810. **Use MFA When Possible**: Extra security layer629 630## Common Pitfalls631 632- **Weak Passwords**: Enforce strong password policies633- **JWT in localStorage**: Vulnerable to XSS, use httpOnly cookies634- **No Token Expiration**: Tokens should expire635- **Client-Side Auth Checks Only**: Always validate server-side636- **Insecure Password Reset**: Use secure tokens with expiration637- **No Rate Limiting**: Vulnerable to brute force638- **Trusting Client Data**: Always validate on server
Related skills
Accessibility Compliance

This walks you through implementing proper WCAG 2.2 compliance with real code patterns for screen readers, keyboard navigation, and mobile accessibility. It cov
Airflow Dag Patterns

If you're building data pipelines with Airflow, this skill gives you production-ready DAG patterns that actually work in the real world. It covers TaskFlow API
Angular Migration

Migrating from AngularJS to Angular is notoriously painful, and this skill tackles the practical stuff that makes or breaks these projects. It covers hybrid app