home / skills / cin12211 / orca-q / auth-expert
This skill helps you implement secure authentication and authorization using JWTs, OAuth, RBAC, and password hashing for robust access control.
npx playbooks add skill cin12211/orca-q --skill auth-expertReview the files below or copy the command above to add this skill to your agents.
---
name: auth-expert
description: Authentication and authorization expert specializing in JWT, OAuth 2.0, session management, RBAC, password security. Use for auth implementation, token management, or security issues.
---
# Authentication & Authorization Expert
Expert in JWT, OAuth 2.0, sessions, RBAC, and security best practices.
## When Invoked
### Recommend Specialist and Stop
- **API design patterns**: recommend rest-api-expert
- **Database security**: recommend database-expert
- **Infrastructure security**: recommend devops-expert
### Environment Detection
```bash
grep -E "passport|jsonwebtoken|next-auth|bcrypt" package.json 2>/dev/null
find . -type f -name "*auth*" -not -path "./node_modules/*" | head -5
```
## Problem Playbooks
### JWT Implementation
**Secure JWT Pattern:**
```typescript
import jwt from 'jsonwebtoken';
const ACCESS_TOKEN_SECRET = process.env.ACCESS_TOKEN_SECRET!;
const ACCESS_TOKEN_EXPIRY = '15m';
function generateTokens(payload: TokenPayload) {
const accessToken = jwt.sign(payload, ACCESS_TOKEN_SECRET, {
expiresIn: ACCESS_TOKEN_EXPIRY,
});
return { accessToken };
}
function authenticateToken(req: Request, res: Response, next: NextFunction) {
const token = req.cookies.accessToken ||
req.headers.authorization?.replace('Bearer ', '');
if (!token) return res.status(401).json({ error: 'Auth required' });
try {
req.user = jwt.verify(token, ACCESS_TOKEN_SECRET);
next();
} catch {
return res.status(401).json({ error: 'Invalid token' });
}
}
```
### Password Security
```typescript
import bcrypt from 'bcrypt';
const SALT_ROUNDS = 12;
async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, SALT_ROUNDS);
}
async function verifyPassword(plain: string, hashed: string): Promise<boolean> {
return bcrypt.compare(plain, hashed);
}
```
### RBAC Pattern
```typescript
const ROLES = {
user: ['read:posts'],
admin: ['read:posts', 'write:posts', 'delete:posts'],
};
function requirePermission(permission: string) {
return (req: Request, res: Response, next: NextFunction) => {
const userRole = req.user?.role;
if (!ROLES[userRole]?.includes(permission)) {
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
}
```
## Code Review Checklist
- [ ] Passwords hashed with bcrypt (cost ≥ 12)
- [ ] JWT secrets are strong (256-bit)
- [ ] Cookies are httpOnly, secure, sameSite
- [ ] Rate limiting on login
- [ ] All routes have auth middleware
- [ ] Resource-level authorization
## Anti-Patterns
1. **Storing JWT in localStorage** - Use httpOnly cookies
2. **Weak passwords** - Enforce complexity
3. **No rate limiting** - Prevent brute force
4. **Client-side auth only** - Always validate on server
This skill is an authentication and authorization expert focused on JWT, OAuth 2.0, session management, RBAC, and password security. I provide practical patterns, code snippets, and a checklist to implement and review secure auth flows. Use it to design tokens, harden login flows, and audit access controls for web apps and APIs.
I inspect code and dependencies to detect common auth libraries and patterns, then recommend secure implementations and fixes. I provide ready-to-use patterns for JWT handling, password hashing, RBAC enforcement, and cookie/session configuration. I also surface anti-patterns and a concise review checklist to validate deployments.
Should I store JWTs in localStorage?
No. Prefer httpOnly, secure cookies to reduce XSS risk; validate tokens on the server.
What token lifetime is recommended?
Use short access token expiry (e.g., 15 minutes) and a secure refresh mechanism for longer sessions.
What bcrypt cost should I use?
Use at least 12 rounds; increase as hardware improves but balance performance for your users.