When to use
- Implementing user login and registration
- Building password reset flows
- Setting up session management or JWT authentication
- Integrating OAuth providers (Google, etc.)
What's included
- Session-based auth: complete Express.js implementation with Redis storage, session regeneration on login, and proper cookie settings.
- JWT with refresh tokens: short-lived access tokens, httpOnly refresh cookies, token revocation, and frontend handling patterns.
- Password reset flow: secure token generation, hashed storage, expiration, and email enumeration prevention.
- OAuth integration: server-side Google OAuth with CSRF state parameter, token exchange, and user creation.
- Multi-factor auth (TOTP): QR code generation, secret storage, and verification with time window tolerance.
- Rate limiting: per-IP login attempt tracking with cooldown windows and timing attack prevention.
Sessions vs JWTs
| Use sessions when | Use JWTs when |
|---|---|
| Server-rendered application | Multiple services need to verify auth |
| Need immediate logout/revocation | Stateless architecture required |
| Single domain | Mobile app + API |
| Simpler to implement correctly | Third-party integrations |
Common mistake: adopting JWTs because a tutorial did, then storing them in localStorage (readable by any XSS payload) and having no revocation strategy.
Security checklist
Password storage
- Using bcrypt/scrypt/Argon2 with cost factor 12+
- Never storing plain text passwords
- Never logging passwords
Session management
- Sessions stored server-side (not just in cookies)
- Session IDs are cryptographically random
- Sessions regenerated on login (prevent fixation)
- Sessions invalidated on logout
JWT security
- Short access token lifetime (15 min or less)
- Refresh tokens stored as httpOnly cookies
- Token revocation mechanism exists
- Secrets are at least 256 bits
Information disclosure
- Same error messages for valid/invalid users
- Timing attacks mitigated
- No user enumeration via registration/reset
Installation
```bash
# Clone the repository
git clone https://github.com/jamditis/claude-skills-journalism.git
# Copy the skill to your Claude config
cp -r claude-skills-journalism/secure-auth ~/.claude/skills/
```
Or download just this skill from the GitHub repository.