Security Patterns Skill
Purpose
Implement comprehensive security for APIs following OWASP guidelines.
Authentication Patterns
JWT Implementation
import jwt from 'jsonwebtoken';
interface TokenPayload {
sub: string; // User ID
roles: string[];
iat: number;
exp: number;
jti: string; // Token ID for revocation
}
class JWTService {
private readonly secret = process.env.JWT_SECRET!;
private readonly accessTTL = '15m';
private readonly refreshTTL = '7d';
generateTokenPair(user: User) {
const jti = crypto.randomUUID();
const accessToken = jwt.sign(
{ sub: user.id, roles: user.roles, jti },
this.secret,
{ expiresIn: this.accessTTL, issuer: 'api.example.com' }
);
const refreshToken = jwt.sign(
{ sub: user.id, jti, type: 'refresh' },
this.secret,
{ expiresIn: this.refreshTTL }
);
return { accessToken, refreshToken, jti };
}
verify(token: string): TokenPayload {
return jwt.verify(token, this.secret, {
issuer: 'api.example.com',
}) as TokenPayload;
}
async isRevoked(jti: string): Promise<boolean> {
return await redis.exists(`revoked:${jti}`);
}
}
OAuth 2.0 + PKCE Flow
// 1. Generate PKCE challenge
function generatePKCE() {
const verifier = crypto.randomBytes(32).toString('base64url');
const challenge = crypto
.createHash('sha256')
.update(verifier)
.digest('base64url');
return { verifier, challenge };
}
// 2. Authorization request
const authUrl = new URL('https://auth.example.com/authorize');
authUrl.searchParams.set('client_id', CLIENT_ID);
authUrl.searchParams.set('redirect_uri', REDIRECT_URI);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile email');
authUrl.searchParams.set('code_challenge', challenge);
authUrl.searchParams.set('code_challenge_method', 'S256');
authUrl.searchParams.set('state', state);
// 3. Token exchange
async function exchangeCode(code: string, verifier: string) {
const response = await fetch('https://auth.example.com/token', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
grant_type: 'authorization_code',
client_id: CLIENT_ID,
code,
redirect_uri: REDIRECT_URI,
code_verifier: verifier,
}),
});
return response.json();
}
Authorization Patterns
RBAC Middleware
type Permission = 'read' | 'write' | 'delete' | 'admin';
type Resource = 'users' | 'orders' | 'products';
const rolePermissions: Record<string, Record<Resource, Permission[]>> = {
admin: {
users: ['read', 'write', 'delete', 'admin'],
orders: ['read', 'write', 'delete', 'admin'],
products: ['read', 'write', 'delete', 'admin'],
},
manager: {
users: ['read'],
orders: ['read', 'write'],
products: ['read', 'write'],
},
user: {
users: ['read'],
orders: ['read'],
products: ['read'],
},
};
function requirePermission(resource: Resource, permission: Permission) {
return (req: Request, res: Response, next: NextFunction) => {
const userRoles = req.user?.roles || [];
const hasPermission = userRoles.some(role => {
const perms = rolePermissions[role]?.[resource] || [];
return perms.includes(permission);
});
if (!hasPermission) {
return res.status(403).json({
type: 'https://api.example.com/errors/forbidden',
title: 'Forbidden',
status: 403,
detail: `Missing permission: ${permission} on ${resource}`,
});
}
next();
};
}
// Usage
app.delete('/users/:id',
authenticate,
requirePermission('users', 'delete'),
deleteUser
);
ABAC Policy Engine
interface Policy {
effect: 'allow' | 'deny';
actions: string[];
resources: string[];
conditions?: Condition[];
}
interface Condition {
field: string;
operator: 'eq' | 'neq' | 'in' | 'contains';
value: any;
}
class PolicyEngine {
private policies: Policy[] = [];
evaluate(context: {
user: User;
action: string;
resource: string;
environment: Record<string, any>;
}): boolean {
for (const policy of this.policies) {
if (!policy.actions.includes(context.action)) continue;
if (!this.matchResource(policy.resources, context.resource)) continue;
if (!this.evaluateConditions(policy.conditions, context)) continue;
return policy.effect === 'allow';
}
return false; // Default deny
}
private evaluateConditions(conditions: Condition[] | undefined, context: any): boolean {
if (!conditions) return true;
return conditions.every(cond => {
const value = this.getNestedValue(context, cond.field);
switch (cond.operator) {
case 'eq': return value === cond.value;
case 'neq': return value !== cond.value;
case 'in': return cond.value.includes(value);
case 'contains': return value?.includes(cond.value);
default: return false;
}
});
}
}
Input Validation & Sanitization
import { z } from 'zod';
import xss from 'xss';
import SqlString from 'sqlstring';
// Schema validation
const CreateUserSchema = z.object({
email: z.string().email().max(255),
name: z.string().min(1).max(100).transform(val => xss(val)),
password: z.string()
.min(12)
.regex(/[A-Z]/, 'Must contain uppercase')
.regex(/[a-z]/, 'Must contain lowercase')
.regex(/[0-9]/, 'Must contain number')
.regex(/[^A-Za-z0-9]/, 'Must contain special character'),
});
// SQL Injection prevention
function safeQuery(template: TemplateStringsArray, ...values: any[]) {
return template.reduce((acc, str, i) => {
return acc + str + (values[i] !== undefined ? SqlString.escape(values[i]) : '');
}, '');
}
// Usage
const sql = safeQuery`SELECT * FROM users WHERE id = ${userId}`;
Rate Limiting
import rateLimit from 'express-rate-limit';
import RedisStore from 'rate-limit-redis';
// Tiered rate limiting
const rateLimits = {
anonymous: rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
standardHeaders: true,
legacyHeaders: false,
store: new RedisStore({ prefix: 'rl:anon:' }),
}),
authenticated: rateLimit({
windowMs: 15 * 60 * 1000,
max: 1000,
keyGenerator: (req) => req.user?.id || req.ip,
store: new RedisStore({ prefix: 'rl:auth:' }),
}),
sensitive: rateLimit({
windowMs: 60 * 60 * 1000, // 1 hour
max: 10, // 10 attempts
keyGenerator: (req) => req.ip,
store: new RedisStore({ prefix: 'rl:sens:' }),
}),
};
// Apply to routes
app.post('/login', rateLimits.sensitive, loginHandler);
app.use('/api', authenticate, rateLimits.authenticated);
Security Headers
import helmet from 'helmet';
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.example.com"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true,
},
referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
}));
// Additional headers
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('Permissions-Policy', 'geolocation=(), microphone=()');
next();
});
Unit Test Template
import { describe, it, expect } from 'vitest';
import request from 'supertest';
import app from './app';
describe('Security Patterns', () => {
describe('Authentication', () => {
it('should reject invalid JWT', async () => {
await request(app)
.get('/api/users')
.set('Authorization', 'Bearer invalid-token')
.expect(401);
});
it('should accept valid JWT', async () => {
const token = generateTestToken({ sub: '123', roles: ['user'] });
await request(app)
.get('/api/users')
.set('Authorization', `Bearer ${token}`)
.expect(200);
});
});
describe('Authorization', () => {
it('should enforce RBAC permissions', async () => {
const userToken = generateTestToken({ sub: '123', roles: ['user'] });
await request(app)
.delete('/api/users/456')
.set('Authorization', `Bearer ${userToken}`)
.expect(403);
});
});
describe('Input Validation', () => {
it('should reject XSS attempts', async () => {
const res = await request(app)
.post('/api/users')
.send({ name: '<script>alert("xss")</script>', email: 'test@test.com' });
expect(res.body.data?.name).not.toContain('<script>');
});
it('should reject SQL injection', async () => {
await request(app)
.get('/api/users?id=1; DROP TABLE users;--')
.expect(400);
});
});
describe('Rate Limiting', () => {
it('should block after threshold', async () => {
for (let i = 0; i < 10; i++) {
await request(app).post('/login').send({ email: 'test@test.com', password: 'wrong' });
}
const res = await request(app)
.post('/login')
.send({ email: 'test@test.com', password: 'wrong' });
expect(res.status).toBe(429);
});
});
});
Troubleshooting
| Issue | Cause | Solution | |-------|-------|----------| | JWT expired prematurely | Clock skew | Add leeway (30s) to verification | | CORS blocked | Missing headers | Configure allowed origins properly | | Rate limit too aggressive | Shared IP (NAT) | Use user ID for authenticated requests | | Token leaked | Stored insecurely | Use httpOnly cookies, short TTL | | XSS vulnerability | Unsanitized output | Always escape user content |
OWASP Top 10 Checklist
- [ ] A01: Broken Access Control → RBAC/ABAC implemented
- [ ] A02: Cryptographic Failures → TLS, secure secrets
- [ ] A03: Injection → Input validation, parameterized queries
- [ ] A04: Insecure Design → Threat modeling done
- [ ] A05: Security Misconfiguration → Headers, defaults
- [ ] A06: Vulnerable Components → Dependencies updated
- [ ] A07: Auth Failures → Strong password, MFA
- [ ] A08: Data Integrity → Signed tokens, CSRF protection
- [ ] A09: Logging Failures → Audit logging enabled
- [ ] A10: SSRF → URL validation, allowlists
Quality Checklist
- [ ] Authentication implemented (JWT/OAuth2)
- [ ] Authorization enforced (RBAC/ABAC)
- [ ] Input validation on all endpoints
- [ ] Rate limiting configured
- [ ] Security headers set
- [ ] Secrets management secure
- [ ] Audit logging enabled
- [ ] Compliance requirements met