> nextjs-authentication
Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js. (triggers: middleware.ts, **/auth.ts, **/login/page.tsx, cookie, jwt, session, localstorage, auth)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/nextjs-authentication?format=md"
Authentication & Token Management
Priority: P0 (CRITICAL)
Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.
Implementation Guidelines
- Token Storage: Strictly use `HttpOnly`, `Secure` cookies with `SameSite: 'Lax'` or `'Strict'`. Set a reasonable `maxAge` (e.g., 86400 seconds). Never store access tokens in `localStorage` or `sessionStorage`: any script injected via XSS can read them, and `localStorage` does not exist on the server, so reading it during render produces hydration mismatches in Server Components.
- Access Management: Read and verify tokens in Next.js Middleware (`middleware.ts`) for edge-side redirection and route protection. Treat this as an optimistic first check, not the authorization boundary: the Data Access Layer must re-verify the session on every request that touches protected data.
- Next.js 15+ Async: `cookies()` from `next/headers` returns a Promise and must be awaited.
- Library Selection: Prefer `next-auth` (Auth.js) or `Clerk` for social logins and session management.
- Data Access: Always use a DAL (Data Access Layer) to validate credentials and verify the session cookie (signature and expiry, not merely its presence) before rendering or returning data.
- CSRF Protection: Guard all Server Actions and Route Handlers by verifying the Origin/Referer headers. Next.js compares `Origin` with `Host` for Server Actions by default; Route Handlers must perform this check explicitly. `SameSite` cookies reduce, but do not replace, this check.
- User Verification: Use `await auth()` (Auth.js) or a custom `getSession()` helper in Server Components.
Example: Auth Middleware
Example: HttpOnly Cookie Setup
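The following is an added example, not the skill's own code and not Auth.js or Clerk. It shows the mechanics the two example headings above and the CSRF guideline describe: issuing an HMAC-signed session value, rendering the cookie with `HttpOnly`, `Secure`, `SameSite` and `Max-Age`, the redirect decision a `middleware.ts` would make after verifying (not just detecting) the cookie, and the `Origin` check a Route Handler needs. The token format, the names `SESSION_COOKIE`, `SESSION_SECRET` and `PROTECTED_PREFIXES`, and the hard-coded secret are assumptions for this example; in a real app the secret comes from the environment and the result of `sessionCookieOptions()` is what you pass to `(await cookies()).set(...)`.

```typescript
// Added example (not the skill's or Next.js's own code). Framework calls are kept
// out so it runs stand-alone; the comments say where each piece plugs into Next.js.
import { createHmac, timingSafeEqual } from "node:crypto";

export const SESSION_COOKIE = "session";
// Assumption: a real deployment reads this from process.env, never from source.
const SESSION_SECRET = "replace-with-32-random-bytes-from-env";
export const PROTECTED_PREFIXES = ["/dashboard", "/settings"]; // assumed route list

// --- 1. Signed, expiring session value (no secrets inside it) ---------------
function sign(payload: string): string {
  return createHmac("sha256", SESSION_SECRET).update(payload).digest("base64url");
}

// Token = base64url("<userId>.<expiresAtSeconds>") + "." + HMAC signature.
export function issueSessionToken(userId: string, ttlSeconds: number, nowMs = Date.now()): string {
  const expiresAt = Math.floor(nowMs / 1000) + ttlSeconds;
  const payload = Buffer.from(`${userId}.${expiresAt}`).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the userId for a valid, unexpired token, otherwise null.
// Constant-time comparison so a forged signature cannot be guessed byte by byte.
export function verifySessionToken(token: string | undefined, nowMs = Date.now()): string | null {
  if (!token) return null;
  const [payload, sig] = token.split(".");
  if (!payload || !sig) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(sig);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  const decoded = Buffer.from(payload, "base64url").toString();
  const dot = decoded.lastIndexOf(".");
  const userId = decoded.slice(0, dot);
  const expiresAt = Number(decoded.slice(dot + 1));
  if (!userId || !Number.isFinite(expiresAt) || expiresAt <= Math.floor(nowMs / 1000)) return null;
  return userId;
}

// --- 2. HttpOnly cookie attributes -------------------------------------------
// In a Server Action / Route Handler: (await cookies()).set(SESSION_COOKIE, token, sessionCookieOptions(86400))
export interface CookieOptions {
  httpOnly: true;            // not visible to document.cookie, so XSS cannot read it
  secure: true;              // only sent over HTTPS
  sameSite: "lax" | "strict";
  path: string;
  maxAge: number;            // seconds
}

export function sessionCookieOptions(maxAge: number, sameSite: "lax" | "strict" = "lax"): CookieOptions {
  return { httpOnly: true, secure: true, sameSite, path: "/", maxAge };
}

// The equivalent Set-Cookie header, for inspection or for a non-Next.js response.
export function serializeSetCookie(name: string, value: string, o: CookieOptions): string {
  const sameSite = o.sameSite[0].toUpperCase() + o.sameSite.slice(1);
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${o.path}`, `Max-Age=${o.maxAge}`, `SameSite=${sameSite}`];
  if (o.httpOnly) parts.push("HttpOnly");
  if (o.secure) parts.push("Secure");
  return parts.join("; ");
}

// --- 3. Middleware decision (optimistic check; the DAL re-verifies) ----------
// In middleware.ts: pathname = request.nextUrl.pathname, token = request.cookies.get(SESSION_COOKIE)?.value,
// then NextResponse.redirect(new URL(decision.to, request.url)) or NextResponse.next().
export type RouteDecision = { action: "next" } | { action: "redirect"; to: string };

export function decideRoute(pathname: string, sessionToken: string | undefined, nowMs = Date.now()): RouteDecision {
  const isProtected = PROTECTED_PREFIXES.some((p) => pathname === p || pathname.startsWith(p + "/"));
  const userId = verifySessionToken(sessionToken, nowMs);
  if (isProtected && !userId) return { action: "redirect", to: "/login" };
  if (pathname === "/login" && userId) return { action: "redirect", to: "/dashboard" };
  return { action: "next" };
}

// --- 4. CSRF: Origin check for Route Handlers ---------------------------------
// Server Actions get this comparison from Next.js; Route Handlers must do it themselves.
// Browsers send Origin on cross-site and same-site POSTs, so a missing header is rejected.
export function isTrustedOrigin(originHeader: string | null, hostHeader: string | null): boolean {
  if (!originHeader || !hostHeader) return false;
  try {
    return new URL(originHeader).host === hostHeader;
  } catch {
    return false;
  }
}
```

Note that `decideRoute` verifies the signature and expiry rather than only checking that the cookie exists: a middleware that redirects on cookie presence alone is bypassed by setting any value for `session`. Also note that the token carries only a user id and expiry; session data lives server-side, so nothing in the cookie is worth stealing beyond its lifetime.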
Anti-Patterns
- No `localStorage` for tokens: readable by any injected script, and absent on the server, so it also causes hydration mismatches.
- No raw tokens in Client Components: pass session state (user id, roles), not the token itself.
- No unprotected Server Actions or Route Handlers: always verify the Origin/Referer headers.
References