---
title: Auth Implementation Patterns
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/auth-implementation-patterns/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/auth-implementation-patterns/
last_updated: 2026-06-20
---

# Auth Implementation Patterns

> Master authentication and authorization patterns including JWT, OAuth2, session management…

A complete reference of battle-tested authentication and authorization patterns: JWT with refresh tokens, Redis-backed sessions, OAuth2 social login and layered RBAC. It applies least-privilege, defense-in-depth and zero-trust thinking so you ship secure, scalable access control instead of homegrown auth with hidden holes.

## Use cases
- Implementing a new user authentication system from scratch
- Securing REST or GraphQL APIs with token verification
- Adding Google or GitHub social login via OAuth2
- Building role-based and permission-based access control
- Designing session management with secure cookies
- Debugging or hardening an existing auth flow

## Benefits
- Ship access control that holds up because every layer verifies independently
- Stop brute-force and credential-stuffing attacks with rate limiting and MFA-ready flows
- Avoid the classic mistakes: JWT in localStorage, no expiry, client-side-only checks
- Keep tokens and secrets protected so one leak doesn't collapse your whole auth stack

## What’s included
- JWT generation, verification and a full refresh-token rotation service
- Redis-backed Express sessions with httpOnly, secure, sameSite cookies
- OAuth2 social login via Passport with find-or-create user logic
- RBAC role hierarchy, permission-based control and resource-ownership middleware
- bcrypt password hashing with strong validation and Redis-backed rate limiting
- A best-practices and common-pitfalls checklist grounded in real security models

## Who it’s for
Backend engineers building or hardening authentication who want secure, scalable patterns instead of risky DIY auth.

## How it runs
Auth systems fail at the edges: stale claims, weak lockouts, tokens that never die. The skill builds edge-first, from strategy choice through to revocation:
1. Picks the authentication strategy first against the actual trade-offs: server-side sessions (Redis store, httpOnly cookie), stateless JWT, or OAuth2/social login, instead of defaulting to whatever library is nearby.
2. Implements the token layer with split lifetimes and split secrets: a 15-minute access token and a 7-day refresh token signed with separate secrets, with refresh tokens hashed before they ever touch the database.
3. Chains the middleware in order on every protected endpoint: authenticate (verify token, attach user), then requireRole or requirePermission (RBAC with role hierarchy), then requireOwnership where the resource has an owner; failures always fall to 401/403, never to partial access.
4. Hardens the password path: bcrypt with 12 salt rounds, a Zod policy enforcing 12+ characters with mixed classes, and generic error messages so login responses never reveal whether the email or the password was wrong.
5. Adds brute-force protection where it matters: a Redis-backed rate limiter capping login at 5 attempts per 15 minutes, plus a general API limiter, both running before the auth logic.
6. Wires the revocation lifecycle: refresh rotation on use, single token revoke on logout, revoke-all for logging out every device, and a fresh DB user fetch for critical operations instead of trusting stale JWT claims.

## FAQ
### Do I need Redis to use these patterns?
Only if you choose the server-side session pattern, since Redis backs that one for fast lookups and revocation. The JWT-with-refresh path doesn't require it, and the reference helps you pick between them based on your revocation needs.

### Why implement auth myself instead of using a hosted provider?
If a managed provider fits, use it; these patterns are for when you're building or hardening auth yourself and want it done with least privilege and defense in depth rather than improvised. The point is to avoid risky DIY, not to talk you out of buying.

### Is this a library I install?
No, it's a reference of proven patterns you implement: JWT refresh flows, session handling, OAuth2 login, layered RBAC. It shows you the secure shape; wiring it into your codebase is yours.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
