返回 Skill 列表
extension
分类: 开发与工程无需 API Key

auth-system-design

使用严格类型化的Python示例进行身份验证系统设计与实现指导。使用场景:(1) 设计身份验证流程(注册、登录、登出、刷新),(2) 在基于会话的身份验证和基于令牌的身份验证之间选择,(3) 设计JWT结构和声明,(4) 实现OAuth 2.0流程,(5) 设置多服务认证模式,(6) 创建密码重置和电子邮件验证流程,(7) 实现基于角色的访问控制(RBAC),(8) 为认证系统创建安全检查表,(9) 规划前端/后端认证集成。所有示例均遵循Python类型标注标准及安全最佳实践。

person作者: jakexiaohubgithub

Authentication System Design

Design secure and scalable authentication systems following industry best practices and security standards.

Quick Reference

Authentication Method Selection

  • Session-based: Traditional web apps, server-side control
  • JWT Token: SPA/mobile/microservices, stateless
  • OAuth 2.0: Third-party integration, standard protocols
  • OpenID Connect: Identity + authentication

JWT Claims Structure

  • Standard: iss, sub, aud, exp, nbf, iat, jti
  • Custom: userId, roles, permissions

Decision Workflow

1. Choose Authentication Method

| Method | Best For | Key Considerations | |--------|----------|-------------------| | Session-based | Traditional web apps | Server state required | | JWT Token | SPA, mobile, microservices | Token revocation challenges | | OAuth 2.0 | Third-party integration | Complex setup | | OpenID Connect | Identity verification | More complex than OAuth |

2. Design Authentication Flows

  • Sign Up: Validate → Create → Verify → Login
  • Login: Validate → Generate tokens → Redirect
  • Logout: Invalidate → Clear → Redirect
  • Refresh: Check expiry → Use refresh token → Retry

3. JWT Structure & OAuth Selection

  • Use RS256 algorithm, short expiry (15-60 min)
  • Authorization Code flow for web apps, PKCE for public clients

4. Security Validation

  • Password hashing (bcrypt/Argon2)
  • Rate limiting, HTTPS, token expiration
  • Input validation, secure headers

Essential Patterns

Secure Password Handling

import bcrypt
def hash_password(password: str) -> str:
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(password.encode(), salt).decode()

def verify_password(plain: str, hashed: str) -> bool:
    return bcrypt.checkpw(plain.encode(), hashed.encode())

JWT Token Operations

import jwt
from datetime import datetime, timedelta

def create_token(user_id: str, roles: list) -> str:
    payload = {
        "user_id": user_id,
        "roles": roles,
        "exp": (datetime.utcnow() + timedelta(minutes=15)).timestamp(),
        "iss": "https://your-app.com"
    }
    return jwt.encode(payload, key="secret", algorithm="RS256")

Resources

| File | Purpose | |------|---------| | auth-methods.md | Authentication method comparison | | auth-flows.md | Flow diagrams and implementation | | jwt-structure.md | JWT guidelines and examples | | oauth-flows.md | OAuth 2.0 patterns | | multi-service-auth.md | Multi-service strategies | | password-reset.md | Secure reset implementation | | rbac-system.md | Role-based access control | | security-checklist.md | Security validation | | integration-guide.md | Frontend/backend integration | | jwt-template.yaml | JWT schema template |