Agent-Skills.md

Agent Skills: Authentication & Token Management

Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js. (triggers: middleware.ts, **/auth.ts, **/login/page.tsx, cookie, jwt, session, localstorage, auth)

UncategorizedID: hoangnguyen0403/agent-skills-standard/nextjs-authentication

Repository

hoangnguyen0403/agent-skills-standard
HoangNguyen0403License: Apache-2.0
362103

Install this agent skill to your local

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/nextjs/nextjs-authentication

Skill Files

Browse the full folder contents for nextjs-authentication.

Download Skill

Loading file tree…

skills/nextjs/nextjs-authentication/SKILL.md

Skill Metadata

Name
nextjs-authentication
Description
"Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js. (triggers: middleware.ts, **/auth.ts, **/login/page.tsx, cookie, jwt, session, localstorage, auth)"

Authentication & Token Management

Priority: P0 (CRITICAL)

Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.

Implementation Guidelines

  • Token Storage: Strictly use HttpOnly, Secure cookies with SameSite: 'Lax' or 'Strict'. Set reasonable maxAge (e.g., 86400). Never store access tokens in localStorage or sessionStorage (XSS-vulnerable). LocalStorage causes hydration issues in Server Components.
  • Access Management: Read and verify tokens in Next.js Middleware (middleware.ts) for edge-side redirection and route protection.
  • Next.js 15+ Async: cookies() is a Promise from next/headers and must be awaited.
  • Library Selection: Prefer next-auth (Auth.js) or Clerk for social logins and session management.
  • Data Access: Always use a DAL (Data Access Layer) to validate credentials and verify cookie presence before rendering.
  • CSRF Protection: Guard all Server Actions and Route Handlers by verifying the Origin/Referer headers.
  • User Verification: Use await auth() (Auth.js) or a custom getSession() helper in Server Components.

Example: Auth Middleware

See implementation examples

Example: HttpOnly Cookie Setup

See implementation examples

Anti-Patterns

  • No localStorage for tokens: XSS-vulnerable and causes hydration issues.
  • No raw tokens in Client Components: Pass session state, not tokens.
  • No unprotected Server Actions: Always verify Origin/Referer headers.

References