feat: auth skills

Author: Areo-Joe

config/skills/auth-skill/SKILL.md

@@ -0,0 +1,92 @@
+---
+name: CloudBase Auth
+description: A single skill that helps design and implement CloudBase Auth v2 using Web SDK, Node SDK, and HTTP APIs, including login methods, tokens, and best practices.
+---
+
+## When to use this skill
+
+Use this skill whenever the task involves **authentication or user identity** in a CloudBase project, for example:
+
+- Designing which login methods to support (anonymous, username/password, SMS, email, WeChat, custom login)
+- Implementing auth with **Web SDK** (`@cloudbase/js-sdk@2.x`) on the frontend
+- Working with **Node SDK** for user info, admin operations, or issuing **custom login tickets**
+- Calling **HTTP auth APIs** directly from any backend or script
+- Understanding tokens, login state, and auth-related best practices
+
+If the task is not about authentication (e.g. only about database or storage), this skill is probably not needed.
+
+## Quick orientation
+
+CloudBase Auth v2 provides:
+
+- Multiple **login methods** with a unified user identity system
+- Clear **user types** (internal, external, anonymous) and account linking
+- A token-based **session model** with JWT access tokens and refresh tokens
+- SDKs (Web, Node) and **HTTP APIs** that expose the same core flows
+
+This `SKILL.md` acts as a **launcher**. For deeper details, read the linked files only as needed.
+
+## Table of contents (progressive disclosure)
+
+### 1. Concepts & design
+
+- `concepts/overview.md` – what CloudBase Auth v2 is, high-level architecture, and where to configure it.
+- `concepts/login_methods.md` – supported login methods, when to use each, and tradeoffs.
+- `concepts/user_accounts_and_roles.md` – internal vs external vs anonymous users, UIDs, and multi-account linking.
+- `concepts/tokens_and_sessions.md` – access_token vs refresh_token, v1 vs v2, and validation.
+
+### 2. Web SDK (`@cloudbase/js-sdk@2.x`)
+
+- `web-sdk/web_quickstart.md` – install/init SDK, get `auth` instance, basic sign-up/sign-in flow.
+- `web-sdk/web_login_flows.md` – concrete flows for:
+  - Username/password
+  - SMS verification code login
+  - Email verification code login
+  - Anonymous login and upgrade
+  - WeChat OAuth login
+- `web-sdk/captcha_and_rate_limits.md` – when captchas are triggered, how to integrate the captcha adapter + UI, and how to handle errors.
+- `web-sdk/web_best_practices.md` – avoiding redundant logins, login-state persistence, and common UX patterns.
+
+### 3. Node SDK & custom login
+
+- `node-sdk/node_overview_and_user_info.md` – using the Node SDK to get user info, end-user info, query users, and read client IP.
+- `node-sdk/node_custom_login_ticket.md` – issuing custom login tickets on the server and integrating with your own user system.
+
+### 4. HTTP APIs
+
+- `http-api/http_overview.md` – the HTTP API surface for auth and how to discover endpoints.
+- `http-api/http_login_and_token_flows.md` – high-level flows for sign-in, sign-up, anonymous login, token grant/refresh/revoke, and user operations over HTTP.
+
+### 5. Troubleshooting & FAQ
+
+- `troubleshooting/faq.md` – common questions and pitfalls: anonymous vs unauthenticated, token expiry, verification limits, etc.
+
+## How to use this skill
+
+When working on a CloudBase auth task, follow this sequence:
+
+1. **Clarify the scenario**
+   - Is this **frontend Web**, **Node backend/cloud function**, or a generic backend calling **HTTP APIs**?
+   - What login methods are required (e.g. phone, email, WeChat, custom SSO, anonymous trial)?
+   - Are there existing users/identity systems that must be integrated?
+
+2. **Load only the relevant conceptual context**
+   - For high-level decisions, read:
+     - `concepts/overview.md`
+     - `concepts/login_methods.md`
+     - `concepts/user_accounts_and_roles.md`
+   - Read `concepts/tokens_and_sessions.md` only if token behavior or migration is important to the task.
+
+3. **Jump to the relevant implementation section**
+   - For **Web** implementation details, read `web-sdk/web_quickstart.md` and then the specific flow file (e.g. `web-sdk/web_login_flows.md`, `web-sdk/captcha_and_rate_limits.md`).
+   - For **Node/server** logic or custom login ticket issuance, use the `node-sdk/` files.
+   - For **language-agnostic HTTP integration**, use the `http-api/` files.
+
+4. **Design first, then code**
+   - Use the conceptual files to pick login methods, user types, and token strategy.
+   - Then use Web/Node/HTTP sections to implement and verify the flow end-to-end.
+
+5. **Use troubleshooting only when needed**
+   - Only read `troubleshooting/faq.md` when the user has issues like “anonymous vs not logged in”, unexpected expiration, or captcha errors.
+
+Keep this file short in context. Load deeper files selectively based on the user’s question to keep the context window efficient.

config/skills/auth-skill/concepts/login_methods.md

@@ -0,0 +1,108 @@
+## Login methods in CloudBase Auth v2
+
+This file summarizes the login methods and when to use them.
+
+### Anonymous login
+
+**What it is**
+
+- The SDK creates an **anonymous user** with a stable `uid` on the device.
+- The user can access CloudBase resources according to your security rules.
+
+**Typical use cases**
+
+- Guest users trying a product without registration.
+- Games or apps where you want to store personal progress before sign-up.
+
+**Key points**
+
+- One anonymous user per device; it **never expires** logically, but clearing local data may drop it.
+- You can later **upgrade** an anonymous user to a formal user (see below).
+
+### Username/password login
+
+**What it is**
+
+- User logs in with a **username** and **password**.
+- `username` can be:
+  - Phone number
+  - Email
+  - Custom username
+
+**Key points**
+
+- Direct sign-up via “username + password” alone is **not allowed**.
+- Users are usually registered via SMS/email verification, then a username is bound.
+- This reduces spam/abuse from arbitrary username registrations.
+
+### SMS verification code login
+
+**What it is**
+
+- User logs in with **phone number + SMS code**.
+
+**Key points**
+
+- Requires enabling SMS login and configuring SMS sending.
+- Flow typically:
+  1. Send verification code to phone.
+  2. Verify code.
+  3. Login or sign-up depending on whether the user exists.
+- Subject to per-number **frequency limits** (e.g. 30 seconds between sends, daily quotas).
+
+### Email verification code login
+
+**What it is**
+
+- User logs in with **email + one-time email code**.
+
+**Key points**
+
+- Requires enabling email login and setting up SMTP (sender, host, port, security mode).
+- Similar flow to SMS:
+  1. Send verification to email.
+  2. Verify code.
+  3. Login or sign-up.
+
+### WeChat login
+
+**What it is**
+
+- Login via **WeChat Open Platform**.
+- Users authorize via WeChat; CloudBase creates or reuses a corresponding user.
+
+**Key points**
+
+- You must configure WeChat app ID/secret in the CloudBase console.
+- The Web SDK helps generate the WeChat OAuth URL and exchange authorization `code` for a provider token.
+- Subsequent calls use a CloudBase token, not the raw WeChat token.
+
+### Custom login
+
+**What it is**
+
+- You already have your own identity system and want to map your user IDs to CloudBase users.
+- Your backend/Cloud Function issues **custom login tickets** signed with a private key.
+
+**Key points**
+
+- Steps:
+  1. Download CloudBase custom login private key from the console.
+  2. Use Node SDK (or HTTP API) to issue tickets for your users.
+  3. The client uses the ticket to log into CloudBase.
+- CloudBase creates a CloudBase user on first login and keeps the mapping to your `customUserId`.
+
+### Anonymous → formal user upgrade
+
+Regardless of the initial login method, you can:
+
+- Let users start anonymously.
+- Later, when they provide phone/email/username, upgrade that anonymous account:
+  - Data created while anonymous is preserved and associated with the new formal identity.
+
+This pattern is critical for:
+
+- Reducing friction at first use.
+- Avoiding data loss when users decide to register.
+
+

config/skills/auth-skill/concepts/overview.md

@@ -0,0 +1,40 @@
+## CloudBase Auth v2 overview
+
+CloudBase Auth v2 is the identity layer for CloudBase. It provides:
+
+- A unified **user account system** with a stable `uid` per user
+- Multiple **login methods** (anonymous, username/password, SMS, email, WeChat, custom login)
+- **Token-based** authentication using JWT `access_token` and long-lived `refresh_token`
+- Tight integration with **database**, **storage**, and **security rules**
+
+From the console perspective, you configure auth in **云开发控制台 → 身份认证** where you can:
+
+- Open or close login methods
+- View and manage users
+- Inspect login records and basic behavior
+
+From the app perspective:
+
+- Every request from a logged-in user carries an auth token.
+- CloudBase validates the token and enforces **permissions** before executing operations.
+
+## Supported login methods
+
+Auth v2 supports:
+
+- **Anonymous login** – frictionless trial, no registration; the user still has a stable `uid` on one device.
+- **Username/password login** – traditional credentials; username can be phone, email, or a custom username.
+- **SMS code login** – phone number + verification code.
+- **Email code login** – email + verification code.
+- **WeChat login** – via WeChat Open Platform for web/mobile apps.
+- **Custom login** – you issue a ticket from your own identity system; CloudBase trusts and maps it to a CloudBase user.
+
+Each method ultimately produces the same kind of CloudBase user and token set. The main differences are in:
+
+- UX and friction
+- Regulation/verification requirements (e.g. phone or email ownership)
+- How you bootstrap the user into your product
+
+Details per login method are summarized in `concepts/login_methods.md`.
+
+

config/skills/auth-skill/concepts/tokens_and_sessions.md

@@ -0,0 +1,89 @@
+## Tokens, sessions, and v1 vs v2 differences
+
+CloudBase Auth v2 uses a **dual token** model:
+
+- Short-lived **access token** (`access_token`)
+- Long-lived **refresh token** (`refresh_token`)
+
+The Web/Node SDKs automatically manage these tokens for you; HTTP integrations need to manage them explicitly.
+
+### Access token (v2)
+
+- Format: **standard JWT**.
+- Encryption/signature: asymmetric (e.g. `ES256` / `RS256` style).
+- Public keys:
+  - Exposed via `https://{{EnvID}}.ap-shanghai.tcb-api.tencentcloudapi.com/auth/v1/certs`
+  - Replace `{{EnvID}}` with your actual environment ID.
+- Supports **distributed verification**:
+  - Any service with the public key can verify tokens without talking back to CloudBase.
+
+Typical properties:
+
+- Short lifetime (e.g. ~2 hours).
+- Used as the bearer token to call CloudBase services.
+
+### Refresh token
+
+Refresh tokens:
+
+- Are long-lived (e.g. ~30 days).
+- Are used to get new access tokens.
+- Are usually stored and rotated by the SDK.
+
+Important behaviors:
+
+- As long as the refresh token is valid, the SDK can silently refresh the access token.
+- For anonymous users, refresh tokens can auto-renew to preserve long-term anonymous sessions.
+
+### v1 vs v2 access tokens (for migration)
+
+Key differences:
+
+- **Format**
+  - v2: standard JWT
+  - v1: non-standard JWT string (often with environment-specific suffixes)
+- **Signing**
+  - v2: asymmetric; public keys rotate regularly
+  - v1: symmetric per-environment key
+- **Verification**
+  - v2: supports distributed verification through public keys
+  - v1: typically verified only by CloudBase itself
+
+When building new systems, prefer **v2**. For migration:
+
+- Be aware that token parsing and validation code must be updated.
+- If you previously depended on v1’s specific string format, refactor to treat v2 as a standard JWT.
+
+### Validating v2 access tokens in your backend
+
+For backends that need to trust CloudBase tokens directly:
+
+1. Choose a JWT library for your language (see `jwt.io`).
+2. Fetch CloudBase public keys:
+   - `https://{{EnvID}}.ap-shanghai.tcb-api.tencentcloudapi.com/auth/v1/certs`
+3. Configure your verifier with:
+   - The key set
+   - Expected issuer (`iss`)
+   - Expected audience (`aud`)
+4. Verify:
+   - Signature is valid
+   - Token is not expired
+   - Claims such as `user_id`, `user_type`, `project_id` meet your expectations
+
+If signature and validity checks pass, you can trust the token as representing a CloudBase user.
+
+### Login state persistence (Web SDK)
+
+In the Web SDK v2:
+
+- Only `local` storage mode is supported for login state.
+- This means:
+  - Login state persists across browser reloads.
+  - It persists until the user explicitly signs out or you clear local data.
+
+Implications:
+
+- UX is smoother (fewer forced re-logins).
+- You should **check for existing login state** on app startup to avoid redundant sign-in flows.
+
+