🛡️ 测试与安全

net-jwt-auth

为 ASP.NET Core 应用提供完整的 JWT 身份验证与权限控制能力,涵盖令牌签发与校验、密码安全哈希、用户角色与自定义声明管理、刷新令牌机制及细粒度授权策略配置,适用于构建高安全性 Web API。

快捷安装

在终端运行此命令,即可一键安装该 Skill 到您的 Claude 中

npx skills add mitkox/ai-coding-factory --skill "net-jwt-auth"

What I Do

I implement complete JWT authentication:

  • JWT token generation
  • Token validation
  • Refresh token support
  • Role-based authorization
  • Password hashing
  • User claims

When to Use Me

Use this skill when:

  • Adding authentication to API
  • Implementing JWT tokens
  • Setting up authorization
  • Securing API endpoints

Authentication Structure

src/{ProjectName}.Infrastructure/Security/
├── Jwt/
│   ├── IJwtTokenGenerator.cs
│   ├── JwtTokenGenerator.cs
│   ├── IJwtTokenValidator.cs
│   └── JwtTokenValidator.cs
├── Password/
│   ├── IPasswordHasher.cs
│   └── PasswordHasher.cs
├── Claims/
│   └── ClaimConstants.cs
└── Extensions/
    └── AuthenticationExtensions.cs

src/{ProjectName}.Application/Authentication/
├── Commands/
│   ├── RegisterCommand.cs
│   ├── RegisterCommandHandler.cs
│   ├── LoginCommand.cs
│   └── LoginCommandHandler.cs
├── DTOs/
│   ├── RegisterRequest.cs
│   ├── LoginRequest.cs
│   └── AuthResponse.cs
└── Services/
    └── IAuthService.cs

JWT Implementation

Token Generation

public class JwtTokenGenerator : IJwtTokenGenerator
{
    private readonly IOptions<JwtSettings> _jwtSettings;

    public JwtTokenGenerator(IOptions<JwtSettings> jwtSettings)
    {
        _jwtSettings = jwtSettings;
    }

    public string GenerateToken(User user, IList<string> roles)
    {
        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_jwtSettings.Value.Secret));

        var credentials = new SigningCredentials(
            key, SecurityAlgorithms.HmacSha256);

        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
            new Claim(JwtRegisteredClaimNames.Email, user.Email),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.NameIdentifier, user.Id.ToString())
        };

        claims.AddRange(roles.Select(role => 
            new Claim(ClaimTypes.Role, role)));

        var token = new JwtSecurityToken(
            issuer: _jwtSettings.Value.Issuer,
            audience: _jwtSettings.Value.Audience,
            claims: claims,
            expires: DateTime.UtcNow.Add(_jwtSettings.Value.Expiry),
            signingCredentials: credentials
        );

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

JWT Configuration

{
  "JwtSettings": {
    "Secret": "your-256-bit-secret-key-here",
    "Issuer": "https://yourdomain.com",
    "Audience": "https://yourdomain.com",
    "Expiry": "01:00:00",
    "RefreshTokenExpiry": "07:00:00:00"
  }
}

Authorization Policy

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy =>
        policy.RequireRole("Admin"));

    options.AddPolicy("CanManageProducts", policy =>
        policy.RequireClaim("Permission", "ManageProducts"));
});

Security Best Practices

  1. Use strong secret key (256+ bits)
  2. Set appropriate token expiration
  3. Implement refresh token rotation
  4. Store refresh tokens securely (hashed)
  5. Use HTTPS in production
  6. Validate all claims
  7. Implement rate limiting
  8. Log authentication events

Example Usage

Implement JWT authentication with:
- User registration
- User login
- Token generation
- Refresh token support
- Role-based authorization
- Password hashing (BCrypt)

I will generate complete JWT authentication implementation.

🔗 相关技巧

superpowers-workflow

遵循结构化流程处理开发任务,涵盖需求澄清、分步规划、测试优先的实现、代码审查与验证总结,适用于功能开发、调试、重构及自动化设计等场景,根据变更风险动态调整流程严格度。

webapp-testing

提供对本地 Web 应用的端到端测试能力,支持启动服务、自动化交互、截图诊断、控制台日志捕获及动态 DOM 分析,适用于验证前端功能与调试 UI 行为。

pr-creator

自动化创建符合规范的拉取请求,涵盖分支切换、模板识别与填充、预检验证及标准化提交,确保代码审查流程的合规性与完整性。

java-python-code-reviewer

提供针对 Java与 Python 代码的深度评审,聚焦正确性、复杂度分析与实现质量。支持算法题解审查,识别边界条件遗漏与性能瓶颈,推荐数据结构优化策略,并对比双语言实现差异,在保证逻辑严谨的同时提升代码可读性与执行效率。