ReddRadar
Agent skill
auth-module-builder
Implements secure authentication patterns including login/registration, session management, JWT tokens, password hashing, cookie settings, and CSRF protection. Provides auth routes, middleware, security configurations, and threat model documentation. Use when building "authentication", "login system", "JWT auth", or "session management".
Install this agent skill to your Project
npx add-skill https://github.com/patricio0312rev/skills/tree/main/backend/auth-module-builder
SKILL.md
Auth Module Builder
Implement secure, production-ready authentication systems.
Core Components
Routes: POST /login, /register, /logout, /refresh, /forgot-password Middleware: authenticate, requireAuth, optionalAuth Security: bcrypt hashing, JWT signing, secure cookies, CSRF tokens Session: Redis/DB storage, expiration, refresh tokens Threats: Document common attacks and mitigations
JWT Pattern
// Generate tokens
const accessToken = jwt.sign(
{ userId: user.id, email: user.email },
process.env.JWT_SECRET,
{ expiresIn: "15m" }
);
const refreshToken = jwt.sign(
{ userId: user.id, type: "refresh" },
process.env.JWT_REFRESH_SECRET,
{ expiresIn: "7d" }
);
// Verify middleware
export const authenticate = async (req, res, next) => {
const token = req.headers.authorization?.split(" ")[1];
if (!token) return res.status(401).json({ error: "No token" });
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.user = await User.findById(decoded.userId);
next();
} catch (err) {
res.status(401).json({ error: "Invalid token" });
}
};
Session Pattern
// Express session with Redis
app.use(
session({
store: new RedisStore({ client: redisClient }),
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: {
secure: process.env.NODE_ENV === "production",
httpOnly: true,
maxAge: 1000 * 60 * 60 * 24 * 7, // 7 days
sameSite: "lax",
},
})
);
Password Security
import bcrypt from "bcrypt";
// Hash password
const hashedPassword = await bcrypt.hash(password, 10);
// Verify password
const isValid = await bcrypt.compare(password, user.hashedPassword);
Security Checklist
- Passwords hashed with bcrypt (cost ≥10)
- JWT secrets from environment, rotated regularly
- HTTPS only in production
- httpOnly, secure cookies
- CSRF protection enabled
- Rate limiting on auth routes
- Account lockout after failed attempts
- Password reset tokens expire
- Email verification for new accounts
Threat Model
Brute Force: Rate limit + account lockout Token Theft: Short expiry, httpOnly cookies, HTTPS only CSRF: SameSite cookies + CSRF tokens Session Fixation: Regenerate session ID on login XSS: Sanitize inputs, CSP headers
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
patricio0312rev/skills
rate-limiting-abuse-protection
Implements rate limiting and abuse prevention with per-route policies, IP/user-based limits, sliding windows, safe error responses, and observability. Use when adding "rate limiting", "API protection", "abuse prevention", or "DDoS protection".
patricio0312rev/skills
rbac-permissions-builder
Implements role-based access control with permission matrix, route guards, policy functions, and UI permission hints. Provides middleware/guards, helper utilities, test suggestions, and permission checking patterns. Use when building "RBAC", "permissions", "access control", or "authorization".
patricio0312rev/skills
websocket-realtime-builder
Implements real-time features using WebSockets with Socket.io, rooms, authentication, and reconnection handling. Use when users request "real-time updates", "WebSocket", "Socket.io", "live chat", or "push notifications".
patricio0312rev/skills
webhook-receiver-hardener
Secures webhook receivers with signature verification, retry handling, deduplication, idempotency keys, and error responses. Provides verification code, dedupe storage strategy, runbook for incidents. Use when implementing "webhooks", "webhook security", "event receivers", or "third-party integrations".
patricio0312rev/skills
rest-to-graphql-migrator
Migrates REST APIs to GraphQL incrementally with schema stitching, REST datasources, and gradual endpoint migration. Use when users request "migrate to GraphQL", "REST to GraphQL", "GraphQL wrapper", or "API modernization".
patricio0312rev/skills
queue-job-processor
Implements background job processing with BullMQ/Redis including job queues, workers, scheduling, retries, and monitoring. Use when users request "background jobs", "queue processing", "async tasks", "BullMQ", or "job scheduler".
Didn't find tool you were looking for?