nextjs-authentication

$ npx mdskill add HoangNguyen0403/agent-skills-standard/nextjs-authentication

Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.

SKILL.md

.github/skills/nextjs-authentication
---
name: nextjs-authentication
description: Secure token storage (HttpOnly Cookies) and Middleware patterns. Use when implementing authentication, secure session storage, or auth middleware in Next.js.
metadata:
  triggers:
    files:
    - 'middleware.ts'
    - '**/auth.ts'
    - '**/login/page.tsx'
    keywords:
    - cookie
    - jwt
    - session
    - localstorage
    - auth
---
# Authentication & Token Management

## **Priority: P0 (CRITICAL)**

Use HttpOnly Cookies for token storage. Never use LocalStorage or sessionStorage.

## Implementation Guidelines

- **Token Storage**: Strictly use `HttpOnly`, `Secure` cookies with `SameSite: 'Lax'` or `'Strict'`. Set a reasonable `maxAge` (e.g., 86400 seconds). Never store access tokens in `localStorage` or `sessionStorage`: any XSS can read them. Because `localStorage` does not exist during server rendering, reading it also causes hydration issues in Server Components.
- **Access Management**: Read and verify tokens in Next.js Middleware (`middleware.ts`) for edge-side redirection and route protection.
- **Next.js 15+ Async**: In Next.js 15+, `cookies()` from `next/headers` returns a Promise and must be awaited.
- **Library Selection**: Prefer `next-auth` (Auth.js) or `Clerk` for social logins and session management.
- **Data Access**: Always use a Data Access Layer (DAL) to validate credentials and verify cookie presence before rendering.
- **CSRF Protection**: Guard all Server Actions and Route Handlers by verifying the Origin/Referer headers.
- **User Verification**: Use `await auth()` (Auth.js) or a custom `getSession()` helper in Server Components.
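The cookie attributes, the middleware-side cookie read and the Origin/Referer check from the guidelines above, as an added framework-independent example (not code from the agent-skills-standard repository or its `references/implementation.md`). It assumes a `HeaderSource` with the `.get()` shape of the Web `Headers` object; `headersFrom` only builds constructed sample headers so it runs offline.

```typescript
// Added example, not from the agent-skills-standard repository: plain TypeScript with no
// Next.js imports. In an app the Set-Cookie string feeds the response / `cookies().set`,
// `readCookie` runs in middleware.ts, and `isTrustedOrigin` guards a Server Action.

// Matches the `.get()` shape of the Web `Headers` object and Next's `headers()` (assumption).
interface HeaderSource { get(name: string): string | null }

// Constructed sample headers so the example runs offline.
function headersFrom(map: Record<string, string>): HeaderSource {
  const lower: Record<string, string> = {};
  for (const k of Object.keys(map)) lower[k.toLowerCase()] = map[k];
  return { get: (name) => lower[name.toLowerCase()] ?? null };
}

// Set-Cookie value for the session token: HttpOnly keeps it out of document.cookie (XSS),
// Secure limits it to HTTPS, SameSite Lax/Strict limits cross-site sends, Path=/ covers the app.
function buildSessionCookie(
  name: string, value: string, maxAge = 86400, sameSite: "Lax" | "Strict" = "Lax",
): string {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[\s;,"\\]/.test(value)) throw new Error("cookie value contains forbidden characters");
  if (!Number.isInteger(maxAge) || maxAge <= 0) throw new Error("maxAge must be a positive integer");
  return `${name}=${value}; Max-Age=${maxAge}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Middleware side: pull one cookie out of the Cookie header; the value still has to be
// verified (signature / session lookup) before it grants access.
function readCookie(cookieHeader: string | null, name: string): string | null {
  for (const part of (cookieHeader ?? "").split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return null;
}

// CSRF guard for Server Actions / Route Handlers: the Origin (or, failing that, Referer)
// host must be one we serve. Missing, "null" or unparsable headers are rejected, not
// assumed same-site.
function isTrustedOrigin(headers: HeaderSource, allowedHosts: string[]): boolean {
  const source = headers.get("origin") ?? headers.get("referer");
  if (!source) return false;
  try {
    return allowedHosts.includes(new URL(source).host);
  } catch {
    return false;
  }
}
```

The Referer fallback exists because browsers omit Origin on some same-origin requests, while Referrer-Policy can strip Referer; rejecting when both are absent is the safe default for state-changing requests.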

### Example: Auth Middleware

See [implementation examples](references/implementation.md)

### Example: HttpOnly Cookie Setup

See [implementation examples](references/implementation.md)

## Anti-Patterns

- **No localStorage for tokens**: XSS-vulnerable and causes hydration issues.
- **No raw tokens in Client Components**: Pass session state, not tokens.
- **No unprotected Server Actions**: Always verify Origin/Referer headers.

## References

- [Auth Implementation Examples](references/auth-implementation.md)
