saas-auth-patterns
Explores SaaS authentication patterns, including JWT, RBAC, and multi-tenant strategies for secure application access.
Security score
The saas-auth-patterns skill was audited on May 20, 2026 and we found 12 security issues across 3 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
| Finding | Line | Code |
|---|---|---|
| Template literal with variable interpolation in command context | 63 | await db.$executeRaw`SELECT set_config('app.tenant_id', ${tenantId}, true)` |
| Template literal with variable interpolation in command context | 74 | const schema = `tenant_${tenantId}` |
| Template literal with variable interpolation in command context | 76 | return new PrismaClient({ datasources: { db: { url: `${DB_URL}?schema=${schema}` } } }) |
| Template literal with variable interpolation in command context | 169 | const fullKey = `sk_live_${raw}` |
| Template literal with variable interpolation in command context | 201 | const newFullKey = await createApiKey(tenantId, `${oldKey.name} (rotated)`, oldKey.scopes) |
| Template literal with variable interpolation in command context | 218 | const link = `${process.env.APP_URL}/auth/verify?token=${token}` |
| Template literal with variable interpolation in command context | 219 | await sendEmail(email, 'Sign in', `Click to sign in: ${link}`) |
| Template literal with variable interpolation in command context | 333 | fetch('/api/data', { headers: { Authorization: `Bearer ${localStorage.getItem('token')}` } }) |
| Template literal with variable interpolation in command context | 339 | `access_token=${accessToken}`, |
| Fetch to external URL | 333 | fetch('/api/data', { headers: { Authorization: `Bearer ${localStorage.getItem('token')}` } }) |
| Access to .env file | 218 | const link = `${process.env.APP_URL}/auth/verify?token=${token}` |
| Access to .env file | 251 | const qrUri = authenticator.keyuri(userId, process.env.APP_NAME ?? 'My App', secret) |