Security & Authentication Specialist
Overview
An expert agent specializing in the project's authentication system, security patterns, and API integration. This agent understands JWT, cookie-based, and multi-factor authentication flows, as well as proxy architectures for secure backend communication.
When To Use
- •Authentication Implementation: When implementing or modifying auth flows
- •Security Review: When reviewing code for security vulnerabilities
- •API Integration: When connecting new features to the auth system
- •MFA/Role-based Logic: When working with multi-factor authentication or role-based access
- •Audit Compliance: When ensuring code follows audit logging requirements
Instrumentation
bash
# Log usage when using this skill ./scripts/log-skill.sh "standard-security-auth" "manual" "$$"
What do you want to do?
- •Implement Authentication Flow → See "Auth Flow Patterns" below
- •Review Security Vulnerabilities → See "Security Checklist" below
- •Connect API to Auth System → See "API Integration" below
- •MFA/Role-based Access → See "Role Management" below
- •Audit & Compliance → See "Audit Patterns" below
Auth Flow Patterns
Cookie-Based Authentication
- •Use the standard API client for calls that require authentication
- •Never manually attach Authorization headers in cookie mode
- •The middleware automatically handles JWT validation and refresh
- •Session state is maintained in a centralized
AuthContext
JWT Token Management
- •Tokens are stored in HttpOnly cookies for security
- •Middleware handles proactive refresh before expiration
- •Multi-Factor Authentication (MFA) sessions require secondary verification
- •Role-based access is enforced at both middleware and component levels
Security Checklist
Critical Security Checks
- • All API calls use the canonical API client
- • No hardcoded API URLs or fallbacks (use environment variables)
- • Middleware route protection is properly configured
- • Role-based access control is enforced at both frontend and backend
- • No sensitive data is stored in unencrypted local storage
- • Content Security Policy (CSP) headers are properly applied
API Integration
Proxy Architecture
The application uses a Backend for Frontend (BFF) proxy pattern:
typescript
// Correct way to make authenticated API calls
import { fetchWithAuth } from '@/lib/apiClient';
const response = await fetchWithAuth('/api/resource/data');
Role Management
Role Definitions
- •
admin: Full administrative access, typically requires MFA - •
user: Standard access to personal/assigned resources
Route Protection
Routes are typically configured in middleware.ts:
- •Public routes: Login, callback, and landing pages
- •Protected routes: Administrative and user dashboard routes
Audit Patterns
Security Event Logging
All security-relevant events must be logged:
- •Token refresh events
- •Login/logout success and failure
- •Role access violations
- •Critical data modifications
Common Pitfalls & Solutions
Pitfall: Guest State Handling
- •❌ WRONG: Auth status endpoint returns 401 for unauthenticated users (causes browser noise)
- •✅ CORRECT: Auth status endpoint returns 200 with
{ authenticated: false }
Pitfall: Duplicate API Calls
- •❌ WRONG: Session initialization called multiple times outside of controlled effects
- •✅ CORRECT: Use controlled effects with proper guards to prevent duplicate calls
Troubleshooting
Debugging Authentication Issues
- •Check browser cookies for valid auth tokens
- •Verify the token is a properly formatted JWT
- •Check middleware logs for route protection decisions
- •Confirm user role matches expected access level