AgentSkillsCN

security-auth

安全访问控制的认证与授权模式。 适用场景:(1) 实现JWT认证;(2) 集成OAuth2/OIDC;(3) 构建RBAC/ABAC系统;(4) 进行会话管理;(5) 实施多因素认证(MFA)。 自动识别:auth、jwt、oauth、oidc、rbac、abac、permission、session、token、refresh、login、password、mfa、2fa。

SKILL.md
--- frontmatter
name: security-auth
version: "1.0.0"
description: |
  Authentication and authorization patterns for secure access control.

  Use when: (1) Implementing JWT authentication, (2) OAuth2/OIDC integration,
  (3) Building RBAC/ABAC systems, (4) Session management, (5) MFA implementation.

  Auto-detects: auth, jwt, oauth, oidc, rbac, abac, permission, session,
  token, refresh, login, password, mfa, 2fa
related:
  - security
  - security-infra
  - api-design

Security Auth Skill

Authentication and authorization patterns for secure applications.

Quick Reference

Authentication Methods

MethodUse CaseSecurity Level
JWT + RefreshSPAs, Mobile appsHigh
Session cookiesTraditional web appsHigh
OAuth2/OIDCSocial login, SSOHigh
API KeysService-to-serviceMedium
MFAHigh-security appsVery High

Authorization Patterns

PatternUse CaseComplexity
RBACMost applicationsLow-Medium
ABACFine-grained controlHigh
ReBACRelationship-basedMedium
Permission MatrixAdmin panelsLow

JWT Token Service

typescript
export class TokenService {
  private readonly accessExpiry = '15m';   // Short-lived
  private readonly refreshExpiry = '7d';   // Rotate on use

  generateTokenPair(user: User): TokenPair {
    const accessToken = jwt.sign(
      { sub: user.id, type: 'access' },
      this.accessSecret,
      { expiresIn: this.accessExpiry }
    );

    const refreshToken = jwt.sign(
      { sub: user.id, type: 'refresh' },
      this.refreshSecret,
      { expiresIn: this.refreshExpiry }
    );

    return { accessToken, refreshToken };
  }
}

Password Hashing

typescript
import bcrypt from 'bcrypt';

// Hash password (cost factor 12)
const hash = await bcrypt.hash(password, 12);

// Verify password
const isValid = await bcrypt.verify(password, hash);

RBAC Guard (NestJS)

typescript
@Injectable()
export class RolesGuard implements CanActivate {
  constructor(private reflector: Reflector) {}

  canActivate(context: ExecutionContext): boolean {
    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(
      ROLES_KEY, [context.getHandler(), context.getClass()]
    );
    if (!requiredRoles) return true;
    const { user } = context.switchToHttp().getRequest();
    return requiredRoles.some(role => user.roles?.includes(role));
  }
}

OAuth2/OIDC Flow

typescript
// Passport OAuth2 Strategy
passport.use(new OAuth2Strategy({
  authorizationURL: 'https://provider.com/oauth2/authorize',
  tokenURL: 'https://provider.com/oauth2/token',
  clientID: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  callbackURL: '/auth/callback',
}, (accessToken, refreshToken, profile, done) => {
  return done(null, profile);
}));

Anti-Patterns

typescript
// Storing passwords in plain text
user.password = plainPassword; // NEVER DO THIS

// Missing rate limiting on auth
app.post('/login', loginHandler); // ADD RATE LIMITING

// Long-lived access tokens
{ expiresIn: '30d' } // TOO LONG - use 15m max

F5 Quality Gates

GateRequirement
G2Auth requirements documented
G2.5Auth controls implemented
G3Auth tests passing (90%+ coverage)