Security skill

Secure auth

Production-ready authentication patterns aligned with NIST SP 800-63B-4, OWASP 2026 cheat sheets, OAuth 2.1, and WebAuthn L3 — with breach-driven lessons.

When to use

What's included

Session-based auth

Complete Express.js implementation with Redis storage, session ID regeneration on login, and hardened cookie settings (HttpOnly, Secure, SameSite).

JWT with refresh tokens

Short-lived access tokens, httpOnly refresh cookies, token revocation, and frontend handling patterns.

Password reset flow

Secure token generation, hashed storage, expiration, and email enumeration prevention.

OAuth integration

Server-side Google OAuth with CSRF state parameter, token exchange, and user creation.

Multi-factor auth (TOTP)

QR code generation, secret storage, verification with time window tolerance.

Rate limiting

Per-IP login attempt tracking with cooldown windows and timing attack prevention (pair the IP limit with a per-account limit, since credential stuffing arrives from many addresses).
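The cooldown-window logic as an added example (not the skill's code). The policy values, the choice to key on both client IP and target account, and the injectable clock are this example's assumptions; the clock makes the window and cooldown behaviour testable without sleeping.

```javascript
// Assumed policy: 5 failures inside a 15-minute window locks the key for 15
// minutes. Two keys per attempt: the IP (stops one address hammering many
// accounts) and the account (stops many addresses hammering one account).
const MAX_FAILURES = 5;
const WINDOW_MS = 15 * 60 * 1000;
const COOLDOWN_MS = 15 * 60 * 1000;

class LoginLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.buckets = new Map(); // key -> { failures: [timestamps], lockedUntil }
  }

  keysFor(ip, account) {
    return [`ip:${ip}`, `acct:${account.trim().toLowerCase()}`];
  }

  bucket(key) {
    let b = this.buckets.get(key);
    if (!b) { b = { failures: [], lockedUntil: 0 }; this.buckets.set(key, b); }
    return b;
  }

  // Call before the password check. Returns { allowed, retryAfterMs }; the
  // latter feeds a Retry-After header on a 429 response.
  check(ip, account) {
    const t = this.now();
    let retryAfterMs = 0;
    for (const key of this.keysFor(ip, account)) {
      const b = this.bucket(key);
      if (b.lockedUntil > t) retryAfterMs = Math.max(retryAfterMs, b.lockedUntil - t);
    }
    return { allowed: retryAfterMs === 0, retryAfterMs };
  }

  // Call after a failed password check. Failures older than the window age out.
  recordFailure(ip, account) {
    const t = this.now();
    for (const key of this.keysFor(ip, account)) {
      const b = this.bucket(key);
      b.failures = b.failures.filter((ts) => t - ts < WINDOW_MS);
      b.failures.push(t);
      if (b.failures.length >= MAX_FAILURES) {
        b.lockedUntil = t + COOLDOWN_MS;
        b.failures = [];
      }
    }
  }

  // A successful login clears accumulated failures but never shortens an
  // active lock, otherwise an attacker who guesses right mid-lock gets through.
  recordSuccess(ip, account) {
    for (const key of this.keysFor(ip, account)) this.bucket(key).failures = [];
  }
}
```

In a multi-instance deployment the buckets belong in Redis (an INCR with EXPIRE per key does the counting); the decision logic above is unchanged.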

Sessions vs JWTs

Use sessions when:
  • The application is server-rendered
  • You need immediate logout/revocation
  • Everything lives on a single domain
  • You want the option that is simpler to implement correctly

Use JWTs when:
  • Multiple services need to verify auth without a shared session store
  • A stateless architecture is required
  • A mobile app talks to an API
  • Third parties need to integrate

Common mistake: Using JWTs because a tutorial did, then storing them in localStorage (XSS vulnerable) and having no revocation strategy.

Security checklist

Password storage

  • Using bcrypt with work factor 12+, or Argon2id/scrypt with the memory and iteration parameters OWASP recommends (the "cost factor" knob is bcrypt's; Argon2 and scrypt are tuned by memory and iterations)
  • Never storing plain text passwords
  • Never logging passwords

Session management

  • Sessions stored server-side; the cookie carries only an opaque ID
  • Session IDs generated by a CSPRNG with at least 64 bits of entropy
  • Session ID regenerated on login and on any privilege change (prevents fixation)
  • Sessions destroyed server-side on logout, not merely by clearing the cookie

JWT security

  • Short access token lifetime (15 min or less)
  • Refresh tokens stored in HttpOnly, Secure, SameSite cookies and rotated on every use
  • Token revocation mechanism exists (server-side refresh token state, reuse detection)
  • HMAC signing secrets are at least 256 bits, and the verifier pins the algorithm rather than trusting the token header

Information disclosure

  • Same error message and status code whether the username is unknown or the password is wrong
  • Timing attacks mitigated: the unknown-user path does the same password-hashing work as the real one
  • No user enumeration via registration or password reset (uniform responses)

Installation

# Recommended: install the security-toolkit plugin

/plugin marketplace add jamditis/claude-skills-journalism

/plugin install security-toolkit@claude-skills-journalism

# Or copy just this skill from the plugin tree

git clone https://github.com/jamditis/claude-skills-journalism.git

cp -r claude-skills-journalism/security-toolkit/skills/secure-auth ~/.claude/skills/

Or browse this skill in the GitHub repository.

Related skills

Authentication that doesn't embarrass you

Sessions, JWTs, password reset, OAuth, and MFA - all production-ready.
