start-core/auth-server-primitives


Auth Server Primitives

This skill covers the server half of authentication: session storage, cookie issuance, OAuth flow, password-reset hardening, CSRF, rate limiting. For the routing half (_authenticated layout, beforeLoad redirects, RBAC checks), see router-core/auth-and-guards.

CRITICAL: Protect the data/API boundary first. Server functions, server routes, and other API endpoints that touch private data must enforce auth inside the handler or middleware. Route guards are route UX, not the data security boundary.

CRITICAL: Validating the shape of a client-supplied identifier (z.string().uuid().parse(...)) is not authorization. A parsed UUID is still some tenant — re-check membership against the session principal before using it.

CRITICAL: Read session/cookies inside .handler() or middleware .server(), not at module scope. Module-level reads run before requests exist (and are also undefined on Cloudflare Workers).
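The following is an added example, not code from the skill or from the tanstack/router project, showing the three points above in one handler: the session cookie is read per request inside the handler, the identifier is validated for shape, and then membership is checked against the session principal before any tenant data is returned. The session store, membership table, and the getTenantHandler function standing in for a server function's .handler() are all constructed here for illustration and are not TanStack APIs.

```typescript
// Added example (not TanStack's code): validation of the identifier's shape,
// then authorization against the session principal, all inside the handler.

type Principal = { userId: string };

// Constructed session store: opaque cookie value -> principal.
const SESSIONS = new Map<string, Principal>([
  ["sess_alice", { userId: "u_alice" }],
  ["sess_bob", { userId: "u_bob" }],
]);

// Constructed tenant membership table: tenantId -> member userIds.
const MEMBERSHIPS = new Map<string, Set<string>>([
  ["11111111-1111-4111-8111-111111111111", new Set(["u_alice"])],
  ["22222222-2222-4222-8222-222222222222", new Set(["u_bob"])],
]);

// Same shape check as z.string().uuid(): proves the input is *a* UUID,
// nothing more.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function validateTenantId(input: unknown): string {
  if (typeof input !== "string" || !UUID_RE.test(input)) {
    throw new Error("invalid_input");
  }
  return input;
}

// Minimal Cookie header parser: returns the value of `name` or null.
function readCookie(cookieHeader: string | null, name: string): string | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) return rest.join("=");
  }
  return null;
}

type Result =
  | { status: 200; tenantId: string; viewer: string }
  | { status: 400 | 401 | 403 };

// Stand-in for a server function's .handler(): every request-scoped read
// (the cookie, the principal) happens here, per request, not at module load.
function getTenantHandler(cookieHeader: string | null, rawTenantId: unknown): Result {
  // 1. Authentication: who is calling? Read from the request, inside the handler.
  const token = readCookie(cookieHeader, "session");
  const principal = token ? SESSIONS.get(token) : undefined;
  if (!principal) return { status: 401 };

  // 2. Input validation: is the identifier well-formed?
  let tenantId: string;
  try {
    tenantId = validateTenantId(rawTenantId);
  } catch {
    return { status: 400 };
  }

  // 3. Authorization: is this principal a member of that tenant?
  // A missing tenant and a tenant the caller does not belong to get the same
  // response, so the endpoint does not reveal which tenant ids exist.
  const members = MEMBERSHIPS.get(tenantId);
  if (!members || !members.has(principal.userId)) return { status: 403 };

  return { status: 200, tenantId, viewer: principal.userId };
}
```

The interesting case is the second assertion in the test: a syntactically perfect UUID for a tenant that exists, sent by an authenticated user who is not a member, passes validation and is still rejected at step 3. A route-level beforeLoad guard would never see this call if it arrived as a direct request to the server function, which is why the check lives in the handler.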

Production Checklist

  • Enforce auth in every server function, server route, or API endpoint that reads or writes private user, tenant, or account data. Use route beforeLoad for page UX, not as the data boundary.
  • Use .validator() on every server function that accepts input.
  • Store sessions in HttpOnly, Secure, SameSite cookies. Do not store session tokens in localStorage or sessionStorage.
  • Hash passwords with bcrypt, scrypt, or Argon2. For missing users, verify against a dummy hash and return the same login/reset message.
  • Rate limit login, registration, and password-reset endpoints.
  • Use CSRF or same-origin protections for non-GET server functions and server routes.
  • Log authentication events and monitor failures.
  • Test direct unauthenticated calls to protected server functions; they should reject before returning data.
Repository: tanstack/router (GitHub stars: 14.7K)