Auth Patterns — Authentication & Authorization
SECURITY-CRITICAL SKILL — Auth is the front door. Get it wrong and nothing else matters.
Authentication Methods
| Method | How It Works | Best For |
|---|
| JWT | Signed token sent with each request | SPAs, microservices, mobile APIs |
| Session-based | Server stores session, client holds cookie | Traditional web apps, SSR |
| OAuth 2.0 | Delegated auth via authorization server | "Login with Google/GitHub", API access |
| API Keys | Static key sent in header | Internal services, public APIs |
| Magic Links | One-time login link via email | Low-friction onboarding, B2C |
| Passkeys/WebAuthn | Hardware/biometric challenge-response | High-security apps, passwordless |
Installation
OpenClaw / Moltbot / Clawbot
npx clawhub@latest install auth-patterns
JWT Patterns
Dual-Token Strategy
Short-lived access token + long-lived refresh token:
Client → POST /auth/login → Server
Client ← { access_token, refresh_token }
Client → GET /api/data (Authorization: Bearer <access>) → Server
Client ← 401 Expired
Client → POST /auth/refresh { refresh_token } → Server
Client ← { new_access_token, rotated_refresh_token }
Token Structure
{
"header": { "alg": "RS256", "typ": "JWT", "kid": "key-2024-01" },
"payload": {
"sub": "user_abc123",
"iss": "https://auth.example.com",
"aud": "https://api.example.com",
"exp": 1700000900,
"iat": 1700000000,
"jti": "unique-token-id",
"roles": ["user"],
"scope": "read:profile write:profile"
}
}
Signing Algorithms
| Algorithm | Type | When to Use |
|---|
| RS256 | Asymmetric (RSA) | Microservices — only auth server holds private key |
| ES256 | Asymmetric (ECDSA) | Same as RS256, smaller keys and signatures |
| HS256 | Symmetric | Single-server apps — all verifiers share secret |
Prefer RS256/ES256 in distributed systems.
Token Storage
| Storage | XSS Safe | CSRF Safe | Recommendation |
|---|
| httpOnly cookie | Yes | No (add CSRF token) | Best for web apps |
| localStorage | No | Yes | Avoid — XSS exposes tokens |
| In-memory | Yes | Yes | Good for SPAs, lost on refresh |
Set-Cookie: access_token=eyJ...; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=900
Expiration Strategy
| Token | Lifetime | Rotation |
|---|
| Access token | 5–15 minutes | Issued on refresh |
| Refresh token | 7–30 days | Rotate on every use |
| ID token | Match access token | Not refreshed |
OAuth 2.0 Flows
| Flow | Client Type | When to Use |
|---|
| Authorization Code + PKCE | Public (SPA, mobile) | Default for all public clients |
| Authorization Code | Confidential (server) | Server-rendered web apps with backend |
| Client Credentials | Machine-to-machine | Service-to-service, cron jobs |
| Device Code | Input-constrained | Smart TVs, IoT, CLI on headless servers |
Implicit flow is deprecated. Always use Authorization Code + PKCE for public clients.
PKCE Flow
1. Client generates code_verifier (random 43-128 chars)
2. Client computes code_challenge = BASE64URL(SHA256(code_verifier))
3. Redirect to /authorize?code_challenge=...&code_challenge_method=S256
4. User authenticates, server redirects back with authorization code
5. Client exchanges code + code_verifier for tokens at /token
6. Server verifies SHA256(code_verifier) == code_challenge
Session Management
Server-Side Sessions
Client Cookie: session_id=a1b2c3d4 (opaque, random, no user data)
Server Store: { "a1b2c3d4": { userId: 123, roles: ["admin"], expiresAt: ... } }
| Store | Speed | When to Use |
|---|
| Redis | Fast | Production default — TTL support, horizontal scaling |
| PostgreSQL | Moderate | When Redis is overkill, need audit trail |
| In-memory | Fastest | Development only |
Session Security
| Threat | Prevention |
|---|
| Session fixation | Regenerate session ID after login |
| Session hijacking | httpOnly + Secure cookies, bind to IP/user-agent |
| CSRF | SameSite cookies + CSRF tokens |
| Idle timeout | Expire after 15–30 min inactivity |
| Absolute timeout | Force re-auth after 8–24 hours |
Authorization Patterns
| Pattern | Granularity | When to Use |
|---|
| RBAC | Coarse (admin, editor, viewer) | Most apps — simple role hierarchy |
| ABAC | Fine (attributes: dept, time, location) | Enterprise — context-dependent access |
| Permission-based | Medium (post:create, user:delete) | APIs — decouple permissions from roles |
| Policy-based (OPA/Cedar) | Fine | Microservices — externalized, auditable rules |
| ReBAC | Fine (owner, member, shared-with) | Social apps, Google Drive-style sharing |
RBAC Implementation
const ROLE_PERMISSIONS: Record<string, string[]> = {
admin: ["user:read", "user:write", "user:delete", "post:read", "post:write", "post:delete"],
editor: ["user:read", "post:read", "post:write"],
viewer: ["user:read", "post:read"],
};
function requirePermission(permission: string) {
return (req: Request, res: Response, next: NextFunction) => {
const permissions = ROLE_PERMISSIONS[req.user.role] ?? [];
if (!permissions.includes(permission)) {
return res.status(403).json({ error: "Forbidden" });
}
next();
};
}
app.delete("/api/users/:id", requirePermission("user:delete"), deleteUser);
Password Security
| Algorithm | Recommended | Memory-Hard | Notes |
|---|
| Argon2id | First choice | Yes | Resists GPU/ASIC attacks |
| bcrypt | Yes | No | Battle-tested, 72-byte limit |
| scrypt | Yes | Yes | Good alternative |
| PBKDF2 | Acceptable | No | NIST approved, weaker vs GPU |
| SHA-256/MD5 | Never | No | Not password hashing |
NIST 800-63B: Favor length (12+ chars) over complexity rules. Check against breached password lists. Don't force periodic rotation unless breach suspected.
Multi-Factor Authentication
| Factor | Security | Notes |
|---|
| TOTP (Authenticator app) | High | Offline-capable, Google Authenticator / Authy |
| WebAuthn/Passkeys | Highest | Phishing-resistant, hardware-backed |
| SMS OTP | Medium | Vulnerable to SIM swap — avoid for high-security |
| Hardware keys (FIDO2) | Highest | YubiKey — best for admin accounts |
| Backup codes | Low (fallback) | One-time use, generate 10, store hashed |
Security Headers
| Header | Value |
|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload
|
| Content-Security-Policy | Restrict script sources, no inline scripts |
| X-Content-Type-Options | nosniff
|
| X-Frame-Options | DENY
|
| Referrer-Policy | strict-origin-when-cross-origin
|
| CORS | Whitelist specific origins, never *
with credentials |
Common Vulnerabilities
| # | Vulnerability | Prevention |
|---|
| 1 | Broken authentication | MFA, strong password policy, breach detection |
| 2 | Session fixation | Regenerate session ID on login |
| 3 | JWT alg:none
attack | Reject none
, validate alg
against allowlist |
| 4 | JWT secret brute force | Use RS256/ES256, strong secrets (256+ bits) |
| 5 | CSRF | SameSite cookies, CSRF tokens |
| 6 | Credential stuffing | Rate limiting, breached password check, MFA |
| 7 | Insecure password storage | Argon2id/bcrypt, never encrypt (hash instead) |
| 8 | Insecure password reset | Signed time-limited tokens, invalidate after use |
| 9 | Open redirect | Validate redirect URIs against allowlist |
| 10 | Token leakage in URL | Send tokens in headers or httpOnly cookies only |
| 11 | Privilege escalation | Server-side role checks on every request |
| 12 | OAuth redirect_uri mismatch | Exact match redirect URI validation, no wildcards |
| 13 | Timing attacks | Constant-time comparison for secrets |
NEVER Do
| # | Rule | Why |
|---|
| 1 | NEVER store passwords in plaintext or reversible encryption | One breach exposes every user |
| 2 | NEVER put tokens in URLs or query parameters | Logged by servers, proxies, referrer headers |
| 3 | NEVER use alg: none
or allow algorithm switching in JWTs | Attacker forges tokens |
| 4 | NEVER trust client-side role/permission claims | Users can modify any client-side value |
| 5 | NEVER use MD5, SHA-1, or plain SHA-256 for password hashing | No salt, no work factor — cracked in seconds |
| 6 | NEVER skip HTTPS in production | Tokens and credentials sent in cleartext |
| 7 | NEVER log tokens, passwords, or secrets | Logs are broadly accessible and retained |
| 8 | NEVER use long-lived tokens without rotation | A single leak grants indefinite access |
| 9 | NEVER implement your own crypto | Use established libraries — jose, bcrypt, passport |
| 10 | NEVER return different errors for "user not found" vs "wrong password" | Enables user enumeration |
