auth-expert

Authentication & Authorization Expert

Expert in JWT, OAuth 2.0, sessions, RBAC, and security best practices.

When Invoked

Recommend Specialist and Stop

  • API design patterns: recommend rest-api-expert
  • Database security: recommend database-expert
  • Infrastructure security: recommend devops-expert

Environment Detection

bash
grep -E "passport|jsonwebtoken|next-auth|bcrypt" package.json 2>/dev/null
find . -type f -name "*auth*" -not -path "./node_modules/*" | head -5

Problem Playbooks

JWT Implementation

Secure JWT Pattern:
typescript
import jwt, { JwtPayload } from 'jsonwebtoken';
import type { Request, Response, NextFunction } from 'express';

interface TokenPayload extends JwtPayload {
  sub: string;  // user id
  role: string; // consumed by requirePermission in the RBAC section
}

declare global {
  namespace Express { interface Request { user?: TokenPayload } }
}

// Fail at startup, not at first login, if the secret is missing or too short (checklist: 256 bits).
function requireSecret(name: string): string {
  const value = process.env[name];
  if (!value || value.length < 32) throw new Error(`${name} must be set to at least 32 random characters`);
  return value;
}

const ACCESS_TOKEN_SECRET = requireSecret('ACCESS_TOKEN_SECRET');
const ACCESS_TOKEN_EXPIRY = '15m'; // short-lived; pair with a refresh token if sessions must last longer

function generateAccessToken(payload: TokenPayload): string {
  return jwt.sign(payload, ACCESS_TOKEN_SECRET, {
    algorithm: 'HS256',
    expiresIn: ACCESS_TOKEN_EXPIRY,
  });
}

function extractToken(req: Request): string | undefined {
  // Prefer the httpOnly cookie; accept an Authorization header only with the exact Bearer scheme.
  if (req.cookies?.accessToken) return req.cookies.accessToken;
  const header = req.headers.authorization;
  if (header?.startsWith('Bearer ')) return header.slice('Bearer '.length).trim();
  return undefined;
}

function authenticateToken(req: Request, res: Response, next: NextFunction) {
  const token = extractToken(req);
  if (!token) return res.status(401).json({ error: 'Auth required' });

  try {
    // Pin the algorithm so the token header cannot choose how it is verified.
    req.user = jwt.verify(token, ACCESS_TOKEN_SECRET, { algorithms: ['HS256'] }) as TokenPayload;
    next();
  } catch {
    // Expired, bad signature or wrong algorithm all get the same generic 401.
    return res.status(401).json({ error: 'Invalid token' });
  }
}

Password Security

typescript
import bcrypt from 'bcrypt';

// Cost factor: each increment doubles the work. Tune it so one hash takes a noticeable
// fraction of a second on production hardware, and raise it as hardware gets faster.
const SALT_ROUNDS = 12;
// bcrypt silently ignores input past 72 bytes; refuse longer passwords rather than truncating.
const MAX_PASSWORD_BYTES = 72;

async function hashPassword(password: string): Promise<string> {
  if (Buffer.byteLength(password, 'utf8') > MAX_PASSWORD_BYTES) {
    throw new Error(`Password must be at most ${MAX_PASSWORD_BYTES} bytes`);
  }
  // A fresh salt is generated per password and stored inside the returned hash string.
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function verifyPassword(plain: string, hashed: string): Promise<boolean> {
  // compare() re-derives the hash using the salt and cost embedded in `hashed`.
  return bcrypt.compare(plain, hashed);
}
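bcrypt makes each guess expensive; rate limiting bounds how many guesses an attacker gets at all (checklist item "Rate limiting on login"). The following is an added example, not code from the original page: a sliding-window failure counter keyed both by source IP and by account, wired into a login handler. The in-memory `Map`, `DEMO_USERS` and `demoVerify` are constructed stand-ins for a shared store and for a lookup plus `bcrypt.compare()`.

```typescript
type LoginOutcome = 'ok' | 'invalid_credentials' | 'throttled';

// Sliding window of recent failures per key. The Map is for illustration only:
// behind more than one server instance, keep these counters in a shared store such as Redis.
class FailureWindowLimiter {
  private readonly failures = new Map<string, number[]>(); // key -> failure timestamps (ms)

  constructor(private readonly maxFailures: number, private readonly windowMs: number) {}

  // Drop timestamps that fell out of the window and return the ones still counting.
  private recent(key: string, now: number): number[] {
    const kept = (this.failures.get(key) ?? []).filter(t => now - t < this.windowMs);
    if (kept.length === 0) this.failures.delete(key); else this.failures.set(key, kept);
    return kept;
  }

  isBlocked(key: string, now = Date.now()): boolean {
    return this.recent(key, now).length >= this.maxFailures;
  }

  recordFailure(key: string, now = Date.now()): void {
    const kept = this.recent(key, now);
    kept.push(now);
    this.failures.set(key, kept);
  }

  reset(key: string): void {
    this.failures.delete(key);
  }
}

// Constructed stand-in for looking the user up and calling bcrypt.compare().
const DEMO_USERS: Record<string, string> = { alice: 'correct horse battery staple' };
const demoVerify = (username: string, password: string): boolean => DEMO_USERS[username] === password;

function handleLogin(
  limiter: FailureWindowLimiter,
  ip: string,
  username: string,
  password: string,
  now = Date.now(),
  verify: (username: string, password: string) => boolean = demoVerify,
): LoginOutcome {
  const ipKey = `ip:${ip}`;                                 // one source spraying many accounts
  const userKey = `user:${username.trim().toLowerCase()}`; // many sources targeting one account

  // Consult the limiter before touching the password hash: a throttled request costs no bcrypt work.
  if (limiter.isBlocked(ipKey, now) || limiter.isBlocked(userKey, now)) return 'throttled';

  if (!verify(username, password)) {
    limiter.recordFailure(ipKey, now);
    limiter.recordFailure(userKey, now);
    return 'invalid_credentials'; // same answer whether or not the account exists
  }

  // Clear only the account key. A successful login must not wipe the IP's failure history,
  // otherwise an attacker holding one valid account could reset their own counter.
  limiter.reset(userKey);
  return 'ok';
}
```

Map `throttled` to HTTP 429 with a `Retry-After` header. Keep the window short (minutes, not hours): the per-account key is what stops a distributed attack on one user, but it also lets anyone who knows a username lock that user out for the length of the window, so a permanent lock is the wrong trade.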

RBAC Pattern

typescript
import type { Request, Response, NextFunction } from 'express';

type Permission = 'read:posts' | 'write:posts' | 'delete:posts';

// Role -> permission mapping. Handlers check permissions, never role names.
const ROLES: Record<string, readonly Permission[]> = {
  user: ['read:posts'],
  admin: ['read:posts', 'write:posts', 'delete:posts'],
};

function requirePermission(permission: Permission) {
  return (req: Request, res: Response, next: NextFunction) => {
    // Runs after authenticateToken, which sets req.user from the verified token.
    const userRole = req.user?.role;
    if (!userRole || !ROLES[userRole]?.includes(permission)) {
      return res.status(403).json({ error: 'Forbidden' });
    }
    // This only answers "may this role do this kind of thing"; whether the caller may
    // touch this particular object is the resource-level check in the checklist below.
    next();
  };
}
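The middleware above answers only "may this role perform this action"; the checklist's "resource-level authorization" item needs the object itself. The following is an added example (not code from the original page) that keeps the role-to-permission table but splits each permission into an any-object form and an owner-only form, then decides on a loaded post. The types, `ROLE_PERMISSIONS`, `DEMO_POSTS` and the three demo users are constructed for the example.

```typescript
type Role = 'user' | 'admin';
type Action = 'read' | 'write' | 'delete';

interface User { id: string; role: Role }
interface Post { id: string; ownerId: string; published: boolean }
interface Decision { allowed: boolean; reason: string }

// "<action>:posts" applies to every post, "<action>:own-posts" only to posts the caller owns,
// and "read:drafts" to unpublished posts of other users. Plain users get owner-scoped variants only.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  user: new Set(['read:posts', 'read:own-posts', 'write:own-posts', 'delete:own-posts']),
  admin: new Set(['read:posts', 'read:drafts', 'write:posts', 'delete:posts']),
};

function authorizePost(user: User, post: Post, action: Action): Decision {
  const perms = ROLE_PERMISSIONS[user.role];
  const isOwner = post.ownerId === user.id;
  // Reading a draft is a different permission from reading a published post.
  const scope = action === 'read' && !post.published ? 'drafts' : 'posts';

  if (perms.has(`${action}:${scope}`)) {
    return { allowed: true, reason: `role ${user.role} may ${action} any ${scope === 'drafts' ? 'draft' : 'post'}` };
  }
  if (isOwner && perms.has(`${action}:own-posts`)) {
    return { allowed: true, reason: 'caller owns this post' };
  }
  return { allowed: false, reason: isOwner ? `role ${user.role} may not ${action} own posts` : 'caller is not the owner' };
}

// The object must be loaded before it can be authorized: a role check alone cannot see ownerId.
function loadPostForUser(user: User, postId: string, store: Map<string, Post>): { status: 200 | 403 | 404; post?: Post } {
  const post = store.get(postId);
  if (!post) return { status: 404 };
  // A 403 here confirms that the id exists; answer 404 in both cases if enumeration is a concern.
  return authorizePost(user, post, 'read').allowed ? { status: 200, post } : { status: 403 };
}

// Constructed sample data.
const DEMO_POSTS = new Map<string, Post>([
  ['p1', { id: 'p1', ownerId: 'alice', published: true }],
  ['p2', { id: 'p2', ownerId: 'alice', published: false }],
]);
const ALICE: User = { id: 'alice', role: 'user' };
const BOB: User = { id: 'bob', role: 'user' };
const ROOT: User = { id: 'root', role: 'admin' };
```

The `Decision.reason` is for audit logs, not for the HTTP response; the client still gets a bare 403.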

Code Review Checklist

  • Passwords hashed with bcrypt (cost ≥ 12), with an upper bound on password length (bcrypt truncates at 72 bytes)
  • JWT secrets are random and at least 256 bits; verification pins the expected algorithm and checks expiry
  • Token cookies are httpOnly, secure and sameSite; state-changing requests also carry CSRF protection
  • Rate limiting on login, keyed by IP and by account
  • All routes have auth middleware by default; public routes are an explicit allow-list
  • Resource-level authorization: ownership of the object is checked, not only the caller's role

Anti-Patterns

  1. Storing JWT in localStorage - Any XSS can read it; use httpOnly cookies and add CSRF protection for state-changing requests
  2. Weak passwords - Enforce a minimum length and reject passwords found in breach lists; composition rules alone do little
  3. No rate limiting - Throttle login by IP and by account to stop brute force and credential stuffing
  4. Client-side auth only - Always validate on the server; UI checks are for usability, not security