auth-expert

📁 duck4nh/antigravity-kit 📅 Jan 27, 2026

总安装量

周安装量

#53480

全站排名

安装命令

npx skills add https://github.com/duck4nh/antigravity-kit --skill auth-expert

Agent 安装分布

opencode 1

cursor 1

github-copilot 1

antigravity 1

gemini-cli 1

Skill 文档

Authentication & Authorization Expert

Expert in JWT, OAuth 2.0, sessions, RBAC, and security best practices.

When Invoked

Recommend Specialist and Stop

API design patterns: recommend rest-api-expert
Database security: recommend database-expert
Infrastructure security: recommend devops-expert

Environment Detection

grep -E "passport|jsonwebtoken|next-auth|bcrypt" package.json 2>/dev/null
find . -type f -name "*auth*" -not -path "./node_modules/*" | head -5

Problem Playbooks

JWT Implementation

Secure JWT Pattern:

import jwt from 'jsonwebtoken';

const ACCESS_TOKEN_SECRET = process.env.ACCESS_TOKEN_SECRET!;
const ACCESS_TOKEN_EXPIRY = '15m';

function generateTokens(payload: TokenPayload) {
  const accessToken = jwt.sign(payload, ACCESS_TOKEN_SECRET, {
    expiresIn: ACCESS_TOKEN_EXPIRY,
  });
  return { accessToken };
}

function authenticateToken(req: Request, res: Response, next: NextFunction) {
  const token = req.cookies.accessToken || 
    req.headers.authorization?.replace('Bearer ', '');

  if (!token) return res.status(401).json({ error: 'Auth required' });

  try {
    req.user = jwt.verify(token, ACCESS_TOKEN_SECRET);
    next();
  } catch {
    return res.status(401).json({ error: 'Invalid token' });
  }
}

Password Security

import bcrypt from 'bcrypt';

const SALT_ROUNDS = 12;

async function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function verifyPassword(plain: string, hashed: string): Promise<boolean> {
  return bcrypt.compare(plain, hashed);
}

RBAC Pattern

const ROLES = {
  user: ['read:posts'],
  admin: ['read:posts', 'write:posts', 'delete:posts'],
};

function requirePermission(permission: string) {
  return (req: Request, res: Response, next: NextFunction) => {
    const userRole = req.user?.role;
    if (!ROLES[userRole]?.includes(permission)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    next();
  };
}

Code Review Checklist

Passwords hashed with bcrypt (cost â¥ 12)
JWT secrets are strong (256-bit)
Cookies are httpOnly, secure, sameSite
Rate limiting on login
All routes have auth middleware
Resource-level authorization

Anti-Patterns

Storing JWT in localStorage – Use httpOnly cookies
Weak passwords – Enforce complexity
No rate limiting – Prevent brute force
Client-side auth only – Always validate on server

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台