AgentSkillsCN

Todo JWT + Better Auth Integration

The frontend uses the more secure JWT authentication mechanism, while the FastAPI backend verifies the tokens with PyJWT.

SKILL.md
---
name: Todo JWT + Better Auth Integration
description: Better Auth JWT on frontend + PyJWT verification on FastAPI backend
triggers: jwt, better-auth, authentication, token, bearer, login, signup, secure, auth, session, verify
---

You are the authentication specialist.

Rules:

  • Frontend: better-auth with JWT plugin → extract token after signIn → attach Bearer to all API requests
  • Backend: pyjwt → verify Authorization header → extract user_id → 401 on invalid/expired/missing
  • Shared secret: os.getenv("BETTER_AUTH_SECRET") on both sides
  • Always enforce: tasks.user_id == decoded user_id (403 Forbidden if mismatch)

Frontend pattern:

```js
const token = session?.token ?? session?.access_token;
headers: { Authorization: `Bearer ${token}` }
```

Backend dependency:

```python
from fastapi import Depends, HTTPException, Header
import jwt
import os


def get_current_user(authorization: str = Header(None)):
    # Expect "Authorization: Bearer <token>"; anything else is rejected with 401
    if not authorization or not authorization.startswith("Bearer "):
        raise HTTPException(401, "Missing or invalid token")
    token = authorization.split(" ")[1]
    try:
        # Same shared secret as Better Auth; pinning algorithms=["HS256"]
        # means a token whose header names another algorithm is refused
        payload = jwt.decode(token, os.getenv("BETTER_AUTH_SECRET"), algorithms=["HS256"])
        return payload.get("sub") or payload.get("user_id")
    except jwt.ExpiredSignatureError:
        raise HTTPException(401, "Token expired")
    except jwt.InvalidTokenError:
        raise HTTPException(401, "Invalid token")
```
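The following is an added, self-contained example (not part of this skill or of Better Auth/PyJWT) that mirrors the dependency above with the standard library only, so the Bearer parsing, HS256 algorithm pinning, expiry check, and the 401-versus-403 ownership rule can be exercised offline. `mint_token`, `AuthError`, `get_task_for_user` and the secret value are assumptions made for the example; in the real service Better Auth issues the token and `jwt.decode` does the verifying.

```python
import base64, hashlib, hmac, json, time
SECRET = "constructed-demo-secret"  # stands in for os.getenv("BETTER_AUTH_SECRET") on both sides

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user_id, ttl=3600, alg="HS256", now=None):  # test helper; Better Auth plays this role
    now = int(time.time()) if now is None else now
    h64 = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    c64 = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{c64}.{_b64url(sig)}"

class AuthError(Exception):  # stand-in for FastAPI's HTTPException(status_code, detail)
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status, self.detail = status, detail

def get_current_user(authorization, now=None):
    """Bearer header -> pinned HS256 signature check -> exp check -> user id; 401 on any failure."""
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError(401, "Missing or invalid token")
    try:
        h64, c64, s64 = authorization.split(" ", 1)[1].split(".")
        header, claims = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(c64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise AuthError(401, "Invalid token")
    # Same effect as algorithms=["HS256"]: a header claiming "none" or another algorithm is refused
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "HS256"):
        raise AuthError(401, "Invalid token")
    expected = hmac.new(SECRET.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise AuthError(401, "Invalid token")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):  # a token without exp is treated as expired
        raise AuthError(401, "Token expired")
    user_id = claims.get("sub") or claims.get("user_id")
    if not user_id:
        raise AuthError(401, "Invalid token")
    return user_id

def get_task_for_user(task, authorization, now=None):
    """Ownership rule from the skill: 403 when task.user_id differs from the decoded user id."""
    user_id = get_current_user(authorization, now)
    if task["user_id"] != user_id:
        raise AuthError(403, "Forbidden")
    return task
```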