Design auth and TLS patterns for smooth local use and secure remote access.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "auth-tls-patterns" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/amplifier-bundle-skills/main/skills/auth-tls-patterns/SKILL.md 2. Save it as ~/.claude/skills/auth-tls-patterns/SKILL.md 3. Reload skills and tell me it's ready
Design an authentication scheme for an internal web service: localhost access should not require login, while remote access must use auto-generated Bearer tokens. Explain the middleware logic, environment variable setup, and security considerations.
A clear auth design covering local bypass, remote token validation, configuration guidance, and risk notes.
I am deploying a public API service. Provide an automatic TLS certificate setup plan, including differences between development and production, certificate issuance, renewal strategy, and how to avoid HTTPS friction during local development.
An actionable TLS setup plan covering certificate automation, local developer experience, and production security requirements.
Create a best-practices guide for authentication and TLS in microservices. Focus on which endpoints can be allowed on localhost, when to enable auto-generated tokens, how to default to HTTPS, and common misconfiguration risks.
A structured best-practices checklist that helps teams standardize auth and encrypted transport.
Problem: Your tool serves a web UI. Locally it should just work — no passwords, no login screens. Remotely it needs real authentication and HTTPS. You don't want to configure either manually.
Approach: Socket-level localhost bypass (unforgeable), cascading auth strategies with auto-generation, and a TLS setup cascade that picks the best available method automatically.
Pattern proven in production across multiple Python CLI tools and web services.
The single most important auth decision: localhost connections skip all auth checks. But you MUST use the socket-level client IP, not HTTP headers:
_LOCALHOST_ADDRS = {"127.0.0.1", "::1"}
async def dispatch(self, request: Request, call_next) -> Response:
# client.host is the socket-level IP — cannot be forged by the client
client_host = request.client.host if request.client else ""
if client_host in _LOCALHOST_ADDRS:
return await call_next(request)
This is unforgeable — unlike X-Forwarded-For or the Host header, request.client.host comes from the TCP connection's source address. A remote attacker cannot set it to 127.0.0.1.
A simpler approach checks at the CLI level:
auth_required = resolved_host != "127.0.0.1" and not no_auth
Resolve auth mode through a fallback chain:
def _resolve_auth() -> tuple[str, str]:
"""Fallback chain for non-localhost:
1. PAM available → ("pam", "")
2. MY_TOOL_PASSWORD env → ("password", <env value>)
3. ~/.config/my-tool/password file → ("password", <file value>)
4. Auto-generate → ("password", <generated>)
"""
Auto-generation writes a random password to a file with restricted permissions:
def generate_and_save_password() -> str:
pw = secrets.token_urlsafe(20)
path = get_password_path()
_config_dir() # ensures dir exists with mode 0700
path.write_text(pw + "\n")
path.chmod(0o600)
return pw
A simpler bearer token approach:
def ensure_token() -> str:
"""Return the existing auth token or generate and persist a new one."""
if TOKEN_FILE.exists():
token = TOKEN_FILE.read_text().strip()
if token:
return token
token = secrets.token_urlsafe(32)
TOKEN_FILE.parent.mkdir(parents=True, exist_ok=True)
TOKEN_FILE.write_text(token + "\n")
TOKEN_FILE.chmod(0o600)
return token
The middleware checks Bearer tokens on protected paths:
class AuthMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request, call_next):
if not request.app.state.auth_required:
return await call_next(request)
path = request.url.path
if not _is_protected(path):
return await call_next(request)
auth_header = request.headers.get("authorization", "")
if auth_header.startswith("Bearer "):
token = auth_header[7:]
if token == request.app.state.auth_token:
return await call_next(request)
return JSONResponse(status_code=401, content={"detail": "Unauthorized"})
Implement a three-tier TLS cascade, trying the best option first:
Tailscale available + cert domains? → Real Let's Encrypt cert, auto-renewed
mkcert installed? → Locally-trusted cert, no browser warnings
Neither? → Self-signed via Python cryptography library
Self-signed generation is pure Python — no openssl binary needed:
def generate_self_signed(cert_path, key_path, hostnames=None, days_valid=3650):
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
…
Review code changes for reuse, quality, and efficiency, then fix issues.
Research, plan, and execute large code changes with parallel PR-producing agents.
Get skeptical, practical guidance on architecture, legacy refactors, and tooling decisions.
Analyze images, extract text, and answer visual questions with LLM vision models.
Design robust config and state file handling with safe defaults and crash recovery.
Convert skills from other AI coding assistants into Amplifier-native SKILL.md files.
Securely bridge local clients to remote MCP servers with mTLS authentication.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Expose localhost services through public HTTPS, TCP, or UDP tunnels.
Authenticate users with Auth0 and call protected APIs on their behalf.
Scan SSL/TLS configs, issue certificates, and monitor expiration risks.
Build and test an HTTP MCP server with OAuth 2.0 authentication flow.