secure-auth
Implement authentication securely — authentication vs authorization, password hashing (argon2id/bcrypt), sessions vs JWT (storage, expiry, refresh, revocation), MFA, OAuth2/OIDC flows, and defenses against credential stuffing, session fixation, and CSRF. Worked examples + a runnable password-policy check.
Free & open source (Apache-2.0) — view the source on GitHub.
Overview
Authentication is the front door to your system, and it is the single control attackers probe hardest. The goal of this skill is not to teach you to invent a clever scheme — it is to help you assemble well-understood primitives correctly, because almost every real-world breach in this area comes from a broken assembly of good parts, not from cracked cryptography. Heavy detail lives in references/;
What it covers
- Password storage: slow hash, never plaintext
- Sessions vs JWT: how you remember a logged-in user
- MFA and step-up
- OAuth2 / OIDC: delegated auth done right
- Account recovery
- Common Auth Attacks and Defenses
- OAuth2 / OIDC — Flows and Validation
- Password Hashing — argon2id, bcrypt, and tuning