Tencent SkillHub · AI

auth-patterns

Authentication and authorization patterns — JWT, OAuth 2.0, sessions, RBAC/ABAC, password security, MFA, and vulnerability prevention. Use when implementing login flows, protecting routes, managing tokens, or auditing auth security.

skill openclawclawhub Free

0 Downloads

0 Stars

0 Installs

0 Score

High Signal

⬇ 0 downloads ★ 0 stars Unverified but indexed

Install for OpenClaw

Quick setup

Download the package from Yavira.
Extract the archive and review SKILL.md first.
Import or place the package into your OpenClaw setup.

Requirements

Target platform: OpenClaw
Install method: Manual import
Extraction: Extract archive
Prerequisites: OpenClaw
Primary doc: SKILL.md

Package facts

Download mode: Yavira redirect
Package format: ZIP package
Source platform: Tencent SkillHub
What's included: README.md, SKILL.md

Validation

Use the Yavira download entry.
Review SKILL.md after the package is downloaded.
Confirm the extracted package contains the expected setup assets.

Install with your agent

Agent handoff

Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.

Download the package from Yavira.
Extract it into a folder your agent can access.
Paste one of the prompts below and point your agent at the extracted folder.

New install

I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete.

Upgrade existing

I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run.

Open Send to Agent page Open JSON manifest Open Markdown brief

Trust & source

Release facts

Source: Tencent SkillHub
Verification: Indexed source record
Version: 1.0.0

Provenance

Publisher: wpank
Source page: View original listing
Canonical URL: Open canonical page

Documentation

ClawHub primary doc Primary doc: SKILL.md 18 sections Open source page

Auth Patterns — Authentication & Authorization

SECURITY-CRITICAL SKILL — Auth is the front door. Get it wrong and nothing else matters.

Authentication Methods

MethodHow It WorksBest ForJWTSigned token sent with each requestSPAs, microservices, mobile APIsSession-basedServer stores session, client holds cookieTraditional web apps, SSROAuth 2.0Delegated auth via authorization server"Login with Google/GitHub", API accessAPI KeysStatic key sent in headerInternal services, public APIsMagic LinksOne-time login link via emailLow-friction onboarding, B2CPasskeys/WebAuthnHardware/biometric challenge-responseHigh-security apps, passwordless

Dual-Token Strategy

Short-lived access token + long-lived refresh token: Client → POST /auth/login → Server Client ← { access_token, refresh_token } Client → GET /api/data (Authorization: Bearer <access>) → Server Client ← 401 Expired Client → POST /auth/refresh { refresh_token } → Server Client ← { new_access_token, rotated_refresh_token }

Token Structure

{ "header": { "alg": "RS256", "typ": "JWT", "kid": "key-2024-01" }, "payload": { "sub": "user_abc123", "iss": "https://auth.example.com", "aud": "https://api.example.com", "exp": 1700000900, "iat": 1700000000, "jti": "unique-token-id", "roles": ["user"], "scope": "read:profile write:profile" } }

Signing Algorithms

AlgorithmTypeWhen to UseRS256Asymmetric (RSA)Microservices — only auth server holds private keyES256Asymmetric (ECDSA)Same as RS256, smaller keys and signaturesHS256SymmetricSingle-server apps — all verifiers share secret Prefer RS256/ES256 in distributed systems.

Token Storage

StorageXSS SafeCSRF SafeRecommendationhttpOnly cookieYesNo (add CSRF token)Best for web appslocalStorageNoYesAvoid — XSS exposes tokensIn-memoryYesYesGood for SPAs, lost on refresh Set-Cookie: access_token=eyJ...; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=900

Expiration Strategy

TokenLifetimeRotationAccess token5–15 minutesIssued on refreshRefresh token7–30 daysRotate on every useID tokenMatch access tokenNot refreshed

OAuth 2.0 Flows

FlowClient TypeWhen to UseAuthorization Code + PKCEPublic (SPA, mobile)Default for all public clientsAuthorization CodeConfidential (server)Server-rendered web apps with backendClient CredentialsMachine-to-machineService-to-service, cron jobsDevice CodeInput-constrainedSmart TVs, IoT, CLI on headless servers Implicit flow is deprecated. Always use Authorization Code + PKCE for public clients.

PKCE Flow

1. Client generates code_verifier (random 43-128 chars) 2. Client computes code_challenge = BASE64URL(SHA256(code_verifier)) 3. Redirect to /authorize?code_challenge=...&code_challenge_method=S256 4. User authenticates, server redirects back with authorization code 5. Client exchanges code + code_verifier for tokens at /token 6. Server verifies SHA256(code_verifier) == code_challenge

Server-Side Sessions

Client Cookie: session_id=a1b2c3d4 (opaque, random, no user data) Server Store: { "a1b2c3d4": { userId: 123, roles: ["admin"], expiresAt: ... } } StoreSpeedWhen to UseRedisFastProduction default — TTL support, horizontal scalingPostgreSQLModerateWhen Redis is overkill, need audit trailIn-memoryFastestDevelopment only

Session Security

ThreatPreventionSession fixationRegenerate session ID after loginSession hijackinghttpOnly + Secure cookies, bind to IP/user-agentCSRFSameSite cookies + CSRF tokensIdle timeoutExpire after 15–30 min inactivityAbsolute timeoutForce re-auth after 8–24 hours

Authorization Patterns

PatternGranularityWhen to UseRBACCoarse (admin, editor, viewer)Most apps — simple role hierarchyABACFine (attributes: dept, time, location)Enterprise — context-dependent accessPermission-basedMedium (post:create, user:delete)APIs — decouple permissions from rolesPolicy-based (OPA/Cedar)FineMicroservices — externalized, auditable rulesReBACFine (owner, member, shared-with)Social apps, Google Drive-style sharing

RBAC Implementation

const ROLE_PERMISSIONS: Record<string, string[]> = { admin: ["user:read", "user:write", "user:delete", "post:read", "post:write", "post:delete"], editor: ["user:read", "post:read", "post:write"], viewer: ["user:read", "post:read"], }; function requirePermission(permission: string) { return (req: Request, res: Response, next: NextFunction) => { const permissions = ROLE_PERMISSIONS[req.user.role] ?? []; if (!permissions.includes(permission)) { return res.status(403).json({ error: "Forbidden" }); } next(); }; } app.delete("/api/users/:id", requirePermission("user:delete"), deleteUser);

Password Security

AlgorithmRecommendedMemory-HardNotesArgon2idFirst choiceYesResists GPU/ASIC attacksbcryptYesNoBattle-tested, 72-byte limitscryptYesYesGood alternativePBKDF2AcceptableNoNIST approved, weaker vs GPUSHA-256/MD5NeverNoNot password hashing NIST 800-63B: Favor length (12+ chars) over complexity rules. Check against breached password lists. Don't force periodic rotation unless breach suspected.

Multi-Factor Authentication

FactorSecurityNotesTOTP (Authenticator app)HighOffline-capable, Google Authenticator / AuthyWebAuthn/PasskeysHighestPhishing-resistant, hardware-backedSMS OTPMediumVulnerable to SIM swap — avoid for high-securityHardware keys (FIDO2)HighestYubiKey — best for admin accountsBackup codesLow (fallback)One-time use, generate 10, store hashed

Security Headers

HeaderValueStrict-Transport-Securitymax-age=63072000; includeSubDomains; preloadContent-Security-PolicyRestrict script sources, no inline scriptsX-Content-Type-OptionsnosniffX-Frame-OptionsDENYReferrer-Policystrict-origin-when-cross-originCORSWhitelist specific origins, never * with credentials

Common Vulnerabilities

#VulnerabilityPrevention1Broken authenticationMFA, strong password policy, breach detection2Session fixationRegenerate session ID on login3JWT alg:none attackReject none, validate alg against allowlist4JWT secret brute forceUse RS256/ES256, strong secrets (256+ bits)5CSRFSameSite cookies, CSRF tokens6Credential stuffingRate limiting, breached password check, MFA7Insecure password storageArgon2id/bcrypt, never encrypt (hash instead)8Insecure password resetSigned time-limited tokens, invalidate after use9Open redirectValidate redirect URIs against allowlist10Token leakage in URLSend tokens in headers or httpOnly cookies only11Privilege escalationServer-side role checks on every request12OAuth redirect_uri mismatchExact match redirect URI validation, no wildcards13Timing attacksConstant-time comparison for secrets

NEVER Do

#RuleWhy1NEVER store passwords in plaintext or reversible encryptionOne breach exposes every user2NEVER put tokens in URLs or query parametersLogged by servers, proxies, referrer headers3NEVER use alg: none or allow algorithm switching in JWTsAttacker forges tokens4NEVER trust client-side role/permission claimsUsers can modify any client-side value5NEVER use MD5, SHA-1, or plain SHA-256 for password hashingNo salt, no work factor — cracked in seconds6NEVER skip HTTPS in productionTokens and credentials sent in cleartext7NEVER log tokens, passwords, or secretsLogs are broadly accessible and retained8NEVER use long-lived tokens without rotationA single leak grants indefinite access9NEVER implement your own cryptoUse established libraries — jose, bcrypt, passport10NEVER return different errors for "user not found" vs "wrong password"Enables user enumeration

Category context

Agent frameworks, memory systems, reasoning layers, and model-native orchestration.

Source: Tencent SkillHub

Largest current source with strong distribution and engagement signals.

Package contents

Included in package

2 Docs

SKILL.md Primary doc
README.md Docs