ReddRadar
Agent skill
auth-expert
Authentication and authorization expert specializing in JWT, OAuth 2.0, session management, RBAC, password security. Use for auth implementation, token management, or security issues.
Install this agent skill to your Project
npx add-skill https://github.com/cin12211/orca-q/tree/main/.agent/skills/auth-expert
SKILL.md
Authentication & Authorization Expert
Expert in JWT, OAuth 2.0, sessions, RBAC, and security best practices.
When Invoked
Recommend Specialist and Stop
- API design patterns: recommend rest-api-expert
- Database security: recommend database-expert
- Infrastructure security: recommend devops-expert
Environment Detection
grep -E "passport|jsonwebtoken|next-auth|bcrypt" package.json 2>/dev/null
find . -type f -name "*auth*" -not -path "./node_modules/*" | head -5
Problem Playbooks
JWT Implementation
Secure JWT Pattern:
import jwt from 'jsonwebtoken';
const ACCESS_TOKEN_SECRET = process.env.ACCESS_TOKEN_SECRET!;
const ACCESS_TOKEN_EXPIRY = '15m';
function generateTokens(payload: TokenPayload) {
const accessToken = jwt.sign(payload, ACCESS_TOKEN_SECRET, {
expiresIn: ACCESS_TOKEN_EXPIRY,
});
return { accessToken };
}
function authenticateToken(req: Request, res: Response, next: NextFunction) {
const token = req.cookies.accessToken ||
req.headers.authorization?.replace('Bearer ', '');
if (!token) return res.status(401).json({ error: 'Auth required' });
try {
req.user = jwt.verify(token, ACCESS_TOKEN_SECRET);
next();
} catch {
return res.status(401).json({ error: 'Invalid token' });
}
}
Password Security
import bcrypt from 'bcrypt';
const SALT_ROUNDS = 12;
async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, SALT_ROUNDS);
}
async function verifyPassword(plain: string, hashed: string): Promise<boolean> {
return bcrypt.compare(plain, hashed);
}
RBAC Pattern
const ROLES = {
user: ['read:posts'],
admin: ['read:posts', 'write:posts', 'delete:posts'],
};
function requirePermission(permission: string) {
return (req: Request, res: Response, next: NextFunction) => {
const userRole = req.user?.role;
if (!ROLES[userRole]?.includes(permission)) {
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
}
Code Review Checklist
- Passwords hashed with bcrypt (cost ≥ 12)
- JWT secrets are strong (256-bit)
- Cookies are httpOnly, secure, sameSite
- Rate limiting on login
- All routes have auth middleware
- Resource-level authorization
Anti-Patterns
- Storing JWT in localStorage - Use httpOnly cookies
- Weak passwords - Enforce complexity
- No rate limiting - Prevent brute force
- Client-side auth only - Always validate on server
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
cin12211/orca-q
primary-sidebar
Complete guide for adding, updating, and removing tabs in the Primary Sidebar of OrcaQ. Covers the full flow — ActivityBarItemType enum → useActivityBarStore → PrimarySideBar component → Management panel component. Load this skill for any task involving the left sidebar, activity bar tabs, or management panels (Explorer, Schemas, ERD, Roles, Export, Agent).
cin12211/orca-q
documentation-expert
Expert in documentation structure, cohesion, flow, audience targeting, and information architecture. Use PROACTIVELY for documentation quality issues, content organization, duplication, navigation problems, or readability concerns. Detects documentation anti-patterns and optimizes for user experience.
cin12211/orca-q
ai-sdk-expert
Expert in Vercel AI SDK v5 handling streaming, model integration, tool calling, hooks, state management, edge runtime, prompt engineering, and production patterns. Use PROACTIVELY for any AI SDK implementation, streaming issues, provider integration, or AI application architecture. Detects project setup and adapts approach.
cin12211/orca-q
testing-expert
Testing expert with comprehensive knowledge of test structure, mocking strategies, async testing, coverage analysis, and cross-framework debugging. Use PROACTIVELY for test reliability, flaky test debugging, framework migration, and testing architecture decisions. Covers Jest, Vitest, Playwright, and Testing Library.
cin12211/orca-q
code-review
Provides comprehensive code review covering 6 focused aspects - architecture & design, code quality, security & dependencies, performance & scalability, testing coverage, and documentation & API design. Use this skill for deep analysis with actionable feedback after significant code changes.
cin12211/orca-q
postgres-expert
PostgreSQL query optimization, JSONB operations, advanced indexing strategies, partitioning, connection management, and database administration. Use this skill for PostgreSQL-specific optimizations, performance tuning, replication setup, and PgBouncer configuration.
Didn't find tool you were looking for?