AgentSkillsCN / Auth (Authentication) / SKILL.md
Authentication & Authorization Skill

Loaded by: BE-005 (Auth), BE-006 (RBAC) | Version: 1.0

Password Handling

  • Hash with bcrypt (cost >= 12) or argon2; NEVER store plaintext
  • NEVER log passwords; implement password complexity rules

JWT Tokens

  • Access tokens: 15-30 min expiry
  • Refresh tokens: 7-30 days, rotate on use
  • Minimal claims in payload; NEVER put sensitive data in JWT

Session Management

  • Set the HttpOnly, Secure and SameSite attributes on session cookies
  • Implement server-side session invalidation (logout, password change) and track each user's active sessions

Pattern

```python
from passlib.context import CryptContext

# bcrypt with an explicit work factor of 12 (passlib's default, and the minimum this
# skill requires); deprecated="auto" lets verify() report hashes that need an upgrade.
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto", bcrypt__rounds=12)

def hash_password(password: str) -> str:
    # Salt generation and encoding are handled by passlib; store only the returned hash.
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    # passlib does the comparison; never compare password hashes with == yourself.
    return pwd_context.verify(plain, hashed)
```
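The "rotate on use" and "track active sessions / invalidate" bullets above are the part most often implemented wrongly, so here is an added example (not code from the AgentSkillsCN skill) of a refresh-token store using only the standard library. It assumes an in-memory dict stands in for Redis or a database, stores only SHA-256 digests of tokens, rotates on every use, and treats reuse of an already-rotated token as replay that revokes the whole token family (the session).

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional

REFRESH_TTL = 7 * 24 * 3600  # 7 days, the low end of the 7-30 day range above


class RefreshTokenStore:
    """Hypothetical in-memory store; a deployment would back this with Redis or a DB."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._tokens: Dict[str, dict] = {}  # sha256(token) -> record
        self._revoked_families: set = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is persisted, so a leaked store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, opaque to the client
        self._tokens[self._digest(token)] = {
            "user": user,
            "family": family or secrets.token_hex(8),  # one family per login session
            "exp": self._clock() + REFRESH_TTL,
            "used": False,
        }
        return token

    def rotate(self, token: str) -> Optional[str]:
        """Exchange a refresh token for a new one; None means the caller must re-authenticate."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or self._clock() > rec["exp"] or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # An already-rotated token came back: replay by a stolen copy, so kill the session.
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True  # keep the record so a later replay is still detected
        return self.issue(rec["user"], rec["family"])

    def revoke_family(self, family: str) -> None:
        """Session invalidation: every token in the family stops working immediately."""
        self._revoked_families.add(family)
        self._tokens = {d: r for d, r in self._tokens.items() if r["family"] != family}

    def active_sessions(self, user: str) -> List[str]:
        now = self._clock()
        return sorted({r["family"] for r in self._tokens.values()
                       if r["user"] == user and not r["used"] and r["exp"] > now})
```

`active_sessions` gives the data for a "your devices" page, and `revoke_family` is what logout or a password change should call for each family.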

Anti-Patterns

  • Do NOT implement custom crypto
  • Do NOT store tokens in localStorage
  • Do NOT skip token validation on protected endpoints
  • Do NOT use MD5/SHA1 for passwords
  • Do NOT send tokens in URL parameters

Checklist

  • Passwords hashed with bcrypt/argon2
  • JWT expiry is short and reasonable
  • Refresh tokens rotate on use
  • No sensitive data in tokens
  • HTTPS enforced; brute force protection in place