
# auth-patterns · listed

Design authentication and authorization systems — JWT lifecycle, OAuth 2.0 / OIDC flows, token storage, refresh strategy, RBAC and ABAC permission models. Use when asked about "login flow", "JWT", "OAuth", "refresh token", "access control", "permissions", "RBAC", "who can see what", or "auth is broken". Do NOT use for: session-based auth vs token trade-off analysis (that's an architecture decision) or security penetration testing (use `red-team-check`).
phamlongh230-lgtm/yamtam-engine · ★ 3 · AI & Automation · score 65
Install: claude install-skill phamlongh230-lgtm/yamtam-engine
## When to Use

- Use when: designing login / registration flow for a new service
- Use when: JWT tokens are leaking, expiring unexpectedly, or over-broad
- Use when: designing a permissions model (who can do what)
- Use when: adding OAuth / "Login with Google/GitHub" to an app
- Do NOT use for: cryptographic implementation details — use a library

---

## JWT Lifecycle

### Structure

```
header.payload.signature
```

Payload contains claims — never put sensitive data (passwords, PII) in the JWT payload. It is base64-encoded, not encrypted — anyone can decode it.

### Access token + refresh token pattern

```
Access token:
  short-lived (15 min – 1 hour)
  stored in memory (JS variable) — NOT localStorage
  sent as: Authorization: Bearer <token>

Refresh token:
  long-lived (7–30 days)
  stored in httpOnly, Secure, SameSite=Strict cookie
  used only to get a new access token
  rotated on every use (rotation invalidates the old token)
```

### Token storage rules

| Storage | XSS risk | CSRF risk | Use for |
|---|---|---|---|
| Memory (JS var) | Low | None | Access token (lost on refresh) |
| httpOnly cookie | None (JS can't read) | Yes (mitigate with SameSite) | Refresh token |
| localStorage | High (XSS steals it) | None | **Never for tokens** |
| sessionStorage | High | None | **Never for tokens** |

### Revocation

JWTs are stateless — they can't be revoked before expiry without a denylist. For immediate revocation (logout, compro
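The lifecycle above (signed `header.payload.signature`, a short-lived access token, a refresh token that is rotated and consumed on every use, and a denylist for immediate revocation) in one runnable sketch. This is an added example, not code from the `auth-patterns` skill or the yamtam-engine project: it assumes HS256 signing built from the Python standard library (a real service would use a maintained JWT library, as the skill itself advises), an in-memory refresh-token store and denylist (stand-ins for a database or cache), and a constructed demo key. The `AuthServer` class and its method names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real service loads this from a secrets manager.
SECRET = b"demo-hs256-key-not-for-production"
ACCESS_TTL = 15 * 60           # 15 minutes: the short end of the page's range
REFRESH_TTL = 7 * 24 * 3600    # 7 days: the short end of the page's range


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Build header.payload.signature with HS256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_payload_unverified(token: str) -> dict:
    """Anyone holding the token can do this: the payload is base64, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes = SECRET, now=None) -> dict:
    """Check signature and expiry; raise ValueError on any failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # pin the algorithm server-side
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class AuthServer:
    """Issues short-lived access JWTs plus opaque, rotating refresh tokens.

    Refresh tokens are random strings tracked server-side so each one can be
    consumed on use; the denylist holds revoked JWT ids until they expire."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.refresh_store = {}   # refresh token -> {"sub": ..., "exp": ...}
        self.denylist = {}        # jti -> exp (drop entries once exp passes)

    def _issue_access(self, sub: str, now: float) -> str:
        claims = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL,
                  "jti": secrets.token_hex(8)}
        return encode_jwt(claims, self.key)

    def login(self, sub: str, now=None):
        """Return (access_token, refresh_token). The refresh token is what the
        server would set in an httpOnly, Secure, SameSite=Strict cookie."""
        now = time.time() if now is None else now
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = {"sub": sub, "exp": now + REFRESH_TTL}
        return self._issue_access(sub, now), refresh

    def refresh(self, refresh_token: str, now=None):
        """Rotate: the presented refresh token is consumed, a new pair is issued."""
        now = time.time() if now is None else now
        record = self.refresh_store.pop(refresh_token, None)   # single use
        if record is None or record["exp"] <= now:
            raise ValueError("refresh token invalid, expired, or already used")
        return self.login(record["sub"], now)

    def logout(self, access_token: str, refresh_token: str, now=None):
        """Immediate revocation: drop the refresh token, denylist the JWT's jti."""
        self.refresh_store.pop(refresh_token, None)
        try:
            claims = verify_jwt(access_token, self.key, now)
        except ValueError:
            return                       # already expired or invalid: nothing to revoke
        self.denylist[claims["jti"]] = claims["exp"]

    def authorize(self, access_token: str, now=None) -> dict:
        """Per-request check on the resource side: verify, then consult the denylist."""
        claims = verify_jwt(access_token, self.key, now)
        if claims["jti"] in self.denylist:
            raise ValueError("revoked")
        return claims
```

The `now` parameters exist so the expiry and rotation behaviour can be exercised deterministically; in production they default to the wall clock. Note that `decode_payload_unverified` succeeds on any token, which is exactly why the payload must carry no secrets, while `verify_jwt` is the only path a resource server should trust.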