start-core/auth-server-primitives
Auth Server Primitives
This skill covers the server half of authentication: session storage, cookie issuance, OAuth flow, password-reset hardening, CSRF, rate limiting. For the routing half (_authenticated layout, beforeLoad redirects, RBAC checks), see router-core/auth-and-guards.
CRITICAL: A route guard does NOT protect a createServerFn on that route. Server functions are RPC endpoints reachable by direct POST regardless of which route renders them. Auth must be enforced inside the handler (or via middleware), not on the calling route.
CRITICAL: Validating the shape of a client-supplied identifier (z.string().uuid().parse(...)) is not authorization. A parsed UUID is still just some tenant's ID; re-check membership against the session principal before using it.
CRITICAL: Read session/cookies inside .handler() or middleware.server(), not at module scope. Module-level reads run before requests exist (and are also undefined on Cloudflare Workers).
Session Cookies
The recommended session storage is an HTTP-only cookie holding either an opaque session ID (with server-side lookup) or a signed/encrypted token. The cookie flags matter — set them all.
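As an added example (not code from this page or from TanStack Start), here is the opaque-session-ID variant described above, written framework-free so it runs on its own: in a Start handler the Set-Cookie string would be passed to setResponseHeader and the Cookie header read with getRequestHeader. The cookie name, the TTL and the in-memory store are assumptions.

```typescript
// Added example: opaque session ID in an HTTP-only cookie, server-side lookup.
// Cookie name, TTL and the Map store are assumptions, not the page's choices.
import { randomBytes } from 'node:crypto'

// __Host- prefix: the browser rejects the cookie unless Secure, Path=/ and no Domain.
const COOKIE_NAME = '__Host-session'
const SESSION_TTL_SECONDS = 60 * 60 * 8 // 8 hours; an assumed policy

interface Session { userId: string; tenantId: string; expiresAt: number }

// Server-side store (in-memory here; a DB or KV store in production).
const sessions = new Map<string, Session>()

// Create a session and build the Set-Cookie value with every flag set.
export function createSession(userId: string, tenantId: string, now = Date.now()) {
  const id = randomBytes(32).toString('base64url') // 256 bits; cookie-safe alphabet
  sessions.set(id, { userId, tenantId, expiresAt: now + SESSION_TTL_SECONDS * 1000 })
  const setCookie = [
    `${COOKIE_NAME}=${id}`,
    'HttpOnly',      // invisible to document.cookie, so script injection cannot read it
    'Secure',        // sent over HTTPS only
    'SameSite=Lax',  // withheld on cross-site POSTs: the CSRF baseline
    'Path=/',
    `Max-Age=${SESSION_TTL_SECONDS}`,
  ].join('; ')
  return { id, setCookie }
}

// Parse the Cookie request header and resolve the ID server-side.
// Returns null for a missing, unknown or expired session (expired ones are purged).
export function readSession(cookieHeader: string | undefined, now = Date.now()): Session | null {
  if (!cookieHeader) return null
  const id = cookieHeader.split(';').map((p) => p.trim())
    .find((p) => p.startsWith(`${COOKIE_NAME}=`))?.slice(COOKIE_NAME.length + 1)
  if (!id) return null
  const session = sessions.get(id)
  if (!session) return null
  if (session.expiresAt <= now) { sessions.delete(id); return null }
  return session
}

// Logout: drop the server record and expire the cookie with the same attributes.
export function destroySession(id: string): string {
  sessions.delete(id)
  return `${COOKIE_NAME}=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0`
}
```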
// src/server/session.ts
import {
getRequestHeader,
setResponseHeader,
} from '@tanstack/react-start/server'