Agent-skills-standard nextjs-authentication

Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js. (triggers: middleware.ts, **/auth.ts, **/login/page.tsx, cookie, jwt, session, localstorage, auth)

install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/nextjs/nextjs-authentication" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-nextjs-authentication && rm -rf "$T"
manifest: skills/nextjs/nextjs-authentication/SKILL.md
source content

Authentication & Token Management

Priority: P0 (CRITICAL)

Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.

Implementation Guidelines

  • Token Storage: Strictly use HttpOnly, Secure cookies with SameSite: 'Lax' or 'Strict'. Set a reasonable maxAge (e.g., 86400). Never store access tokens in localStorage or sessionStorage (XSS-vulnerable). LocalStorage causes hydration issues in Server Components.
  • Access Management: Read and verify tokens in Next.js Middleware (middleware.ts) for edge-side redirection and route protection.
  • Next.js 15+ Async: cookies() from next/headers returns a Promise and must be awaited.
  • Library Selection: Prefer next-auth (Auth.js) or Clerk for social logins and session management.
  • Data Access: Always use a DAL (Data Access Layer) to validate credentials and verify cookie presence before rendering.
  • CSRF Protection: Guard all Server Actions and Route Handlers by verifying Origin/Referer headers.
  • User Verification: Use await auth() (Auth.js) or a custom getSession() helper in Server Components.

Example: Auth Middleware

See implementation examples

Example: HttpOnly Cookie Setup

See implementation examples
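The cookie attributes, the middleware-side cookie read and the Origin/Referer CSRF check from the guidelines above, as an added TypeScript example that is not the skill's own implementation examples. It uses only the standard Headers and URL globals (Node 18+) so it runs outside Next.js; passing request.headers from middleware.ts or a Route Handler is an assumed wiring, not shown here.

```typescript
// Added example (not the skill's own code): framework-free helpers for the
// cookie and CSRF rules above. Uses the WHATWG Headers/URL globals (Node 18+),
// so it runs outside Next.js; in middleware or a Route Handler you would pass
// request.headers (assumption: the request exposes standard Headers).

interface SessionCookieOptions {
  name: string;
  value: string;
  maxAge: number; // seconds, e.g. 86400 (one day) as in the guideline
  sameSite?: "Lax" | "Strict";
}

// Build a Set-Cookie value that is HttpOnly (not readable from JS, so an XSS
// cannot exfiltrate it), Secure (HTTPS only) and SameSite (Lax by default).
function buildSessionCookie(opts: SessionCookieOptions): string {
  if (!Number.isInteger(opts.maxAge) || opts.maxAge <= 0) {
    throw new Error("maxAge must be a positive number of seconds");
  }
  return [
    `${opts.name}=${encodeURIComponent(opts.value)}`,
    "Path=/",
    `Max-Age=${opts.maxAge}`,
    "HttpOnly",
    "Secure",
    `SameSite=${opts.sameSite ?? "Lax"}`,
  ].join("; ");
}

// Read the session cookie from an incoming Cookie header, which is what
// middleware.ts inspects before deciding whether to redirect to /login.
function readSessionCookie(headers: Headers, name: string): string | null {
  for (const part of (headers.get("cookie") ?? "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key !== name) continue;
    try { return decodeURIComponent(rest.join("=")); } catch { return null; }
  }
  return null;
}

// CSRF guard for Server Actions and Route Handlers: the Origin header (or, when
// absent, the Referer's origin) must equal the site origin exactly; a request
// carrying neither header is rejected rather than trusted.
function isSameOriginRequest(headers: Headers, siteOrigin: string): boolean {
  const origin = headers.get("origin");
  if (origin !== null) return origin === siteOrigin;
  const referer = headers.get("referer");
  if (referer === null) return false;
  try { return new URL(referer).origin === siteOrigin; } catch { return false; }
}
```

The session value itself is whatever your session library issues (an opaque id or a signed token); these helpers only enforce the transport rules, not token verification.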

Anti-Patterns

  • No localStorage for tokens: XSS-vulnerable and causes hydration issues.
  • No raw tokens in Client Components: Pass session state, not tokens.
  • No unprotected Server Actions: Always verify Origin/Referer headers.

References