sk-security

Official

Harden auth, RBAC, and security headers

Author: TimeKast
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Centralizes secure authentication and authorization for the TimeKast Starter Kit, preventing role/route mistakes and closing common security gaps around NextAuth, RBAC checks, rate limiting, audit logging, and password reset flows.

Core Features & Use Cases

  • NextAuth v5 split-config pattern: keeps Edge-safe callbacks in auth.config.ts while Node-only logic (adapter, providers, DB sync) lives in auth.ts.
  • Single, correct Route ACL location: enforces Route ACL via authorized() (so auth.user.role is populated) instead of scattering checks across middleware and components.
  • SSOT RBAC model: uses ROLE_CONFIG and helpers to define hierarchy, display metadata, invitation rules, and role validation in one place.
  • Two-layer authorization model: separates Route ACL (ROUTE_ACL/isRouteAllowed) from resource permissions (PERMISSIONS/hasPermission) to avoid mixing responsibilities.
  • Password reset with anti-enumeration guarantees: hashes reset tokens, enforces expiration and one-time use, and ensures requestPasswordReset returns success regardless of user existence.
  • Auth hardening infrastructure: ships rate-limit buckets, audit logging helpers, and project-level security headers configuration guidance.
  • Practical integration guidance: explains what to wire to kit auth, RBAC guards, and shipped headers to avoid silent auth/ACL failures.
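
The password reset guarantees listed above (hashed tokens, expiration, one-time use, identical response for unknown accounts), sketched as an added example that is not the kit's own code. Only the name requestPasswordReset comes from this page; resetPassword, the in-memory stores, the outbox, and the one-hour lifetime are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory stores standing in for the kit's database tables (constructed data).
type ResetRecord = { email: string; expiresAt: number; usedAt: number | null };
const users = new Map<string, { passwordHash: string }>([
  ["alice@example.test", { passwordHash: "constructed-old-hash" }],
]);
const resetTokens = new Map<string, ResetRecord>(); // keyed by SHA-256 of the token
const outbox: { email: string; token: string }[] = []; // stands in for the mailer

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed lifetime: 1 hour
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// Returns the same value whether or not the account exists (anti-enumeration).
function requestPasswordReset(email: string, now: number = Date.now()): { success: true } {
  const key = email.trim().toLowerCase();
  if (users.has(key)) {
    const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
    // Only the hash is stored; the raw token exists only in the outgoing email.
    resetTokens.set(sha256(token), { email: key, expiresAt: now + TOKEN_TTL_MS, usedAt: null });
    outbox.push({ email: key, token });
  }
  return { success: true };
}

// Hypothetical counterpart: accepts a token once, and only before it expires.
function resetPassword(token: string, newPasswordHash: string, now: number = Date.now()): boolean {
  const record = resetTokens.get(sha256(token));
  if (!record || record.usedAt !== null || now >= record.expiresAt) return false;
  record.usedAt = now; // burn the token before changing the credential
  users.set(record.email, { passwordHash: newPasswordHash });
  return true;
}
```

In a deployment the email send should be queued rather than awaited in the request path, so that response time does not reveal whether the account exists.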

Quick Start

Plug this skill into your kit’s NextAuth integration by wiring the Edge-safe callbacks in src/lib/auth/auth.config.ts and placing route authorization only in authorized() so role-aware ACL works end-to-end.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: sk-security
Download link: https://github.com/TimeKast/AgendaInteligente/archive/main.zip#sk-security

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.