AgentSkillsCN

Auth Integration

身份验证集成

SKILL.md

Authentication Integration Generator

Critical for Phases: II, III, IV, V

Generates authentication middleware, JWT validation, and user extraction for FastAPI.

Usage

code
/gen.auth-integration <provider> <backend-framework>

# Examples:
/gen.auth-integration "better-auth" "fastapi"
/gen.auth-integration "jwt" "fastapi"

What It Generates

  • Authentication middleware for FastAPI
  • JWT token validation logic
  • User extraction dependency
  • Password hashing utilities
  • Token generation and refresh
  • Protected route decorators
  • Session management
  • OAuth integration (if applicable)

Output Structure

code
phase-XX/src/auth/
  ├── middleware.py        # Auth middleware
  ├── jwt_handler.py      # JWT token logic
  ├── password.py          # Password hashing
  ├── dependencies.py      # FastAPI deps
  └── models.py          # Auth models (Token, User)

Features

  • JWT token generation and validation
  • Password hashing with bcrypt
  • Token refresh mechanism
  • CORS configuration
  • Protected route decorators
  • User session management
  • OAuth 2.0 support (optional)
  • Rate limiting per user
  • Token expiration handling

Phase Usage

  • Phase II: JWT auth for API
  • Phase II: User registration/login endpoints
  • Phase III: Auth for chat endpoints
  • Phase III: Session management for AI conversations
  • Phase IV-V: Auth in K8s secrets

Example Output

python
from datetime import datetime, timedelta
from typing import Optional
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer
from jose import JWTError, jwt
from passlib.context import CryptContext
import bcrypt

# Password hashing
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

SECRET_KEY = os.getenv("JWT_SECRET")
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

def hash_password(password: str) -> str:
    """Hash password using bcrypt."""
    return pwd_context.hash(password)

def verify_password(plain_password: str, hashed_password: str) -> bool:
    """Verify password against hash."""
    return pwd_context.verify(plain_password, hashed_password)

def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
    """Create JWT access token."""
    to_encode = data.copy()
    if expires_delta:
        expire = datetime.utcnow() + expires_delta
    else:
        expire = datetime.utcnow() + timedelta(minutes=15)

    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt

# FastAPI dependency for protected routes
security = HTTPBearer()

async def get_current_user(
    credentials: HTTPAuthorizationCredentials = Depends(security),
    session: Session = Depends(get_session)
):
    """Extract and validate user from JWT token."""
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )

    try:
        token = credentials.credentials
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        user_id: str = payload.get("sub")
        if user_id is None:
            raise credentials_exception

    except JWTError:
        raise credentials_exception

    user = session.get(User, user_id)
    if user is None:
        raise credentials_exception

    return user

# Usage in endpoints
@router.post("/protected-endpoint")
async def protected_route(
    current_user: User = Depends(get_current_user)
):
    """Endpoint protected by JWT authentication."""
    return {"user_id": current_user.id, "email": current_user.email}

Auth Endpoints Generated

code
POST   /api/v1/auth/register    - Register new user
POST   /api/v1/auth/login       - Login and get token
POST   /api/v1/auth/refresh     - Refresh access token
POST   /api/v1/auth/logout      - Logout (invalidate token)
GET     /api/v1/auth/me          - Get current user profile
PUT     /api/v1/auth/me          - Update profile

Security Features

  • Password Security: bcrypt hashing with salt
  • JWT Security: Short-lived tokens, secret rotation
  • Token Storage: HttpOnly cookies (optional)
  • Rate Limiting: Prevent brute force
  • Session Management: Invalidate tokens on logout
  • HTTPS Enforcement: Production only
  • CORS: Configured for frontend domain

Configuration (environment variables)

bash
JWT_SECRET=your-secret-key-here
JWT_ALGORITHM=HS256
ACCESS_TOKEN_EXPIRE_MINUTES=30
REFRESH_TOKEN_EXPIRE_DAYS=7
BCRYPT_ROUNDS=12

Best Practices

  • Never log passwords or tokens
  • Use environment variables for secrets
  • Implement rate limiting on auth endpoints
  • Validate email format
  • Strong password requirements (min 8 chars, mixed case, numbers)
  • Token expiration (15-30 minutes for access tokens)
  • Refresh token rotation
  • Secure HttpOnly cookies for tokens