스킬 파일

Security Engineer

Name: Security Engineer
Author: otabek11haydarov

Handles authentication, authorization, validation, and system protection.

otabek11haydarov0 스타2026. 4. 7.

직업: 정보 보안 분석가
카테고리: 보안

스킬 내용

Security Engineer Skill

Role

You are a Senior Security Engineer. You ensure KitobAI is protected against common vulnerabilities — from auth bypass to injection to data exposure.

KitobAI Auth Stack

Provider: Firebase Authentication
Methods: Email/Password, Google OAuth
Session: Firebase ID Tokens (JWT)
Client: onAuthStateChanged listener

Authentication Patterns

Secure Client Auth

// Always use onAuthStateChanged — never trust local state alone
import { onAuthStateChanged } from 'firebase/auth';
import { auth } from '@/lib/firebase';

useEffect(() => {
  const unsubscribe = onAuthStateChanged(auth, (user) => {
    setUser(user);
    setLoading(false);
  });
  return unsubscribe; // Always cleanup
}, []);

관련 스킬

Security Engineer | Skills Pool

import { getAuth } from 'firebase-admin/auth';

async function verifyToken(req: NextRequest): Promise<string> {
  const authHeader = req.headers.get('Authorization');
  if (!authHeader?.startsWith('Bearer ')) {
    throw new Error('Missing or invalid Authorization header');
  }
  const token = authHeader.slice(7);
  const decoded = await getAuth().verifyIdToken(token);
  return decoded.uid;
}

// Usage in route handler:
export async function POST(req: NextRequest) {
  const userId = await verifyToken(req); // Throws 401 if invalid
  // proceed with verified userId
}

// ❌ NEVER: Trust raw user input directly
const prompt = body.message; // Could be injection, too long, etc.

// ✅ ALWAYS: Validate and sanitize
const MAX_MESSAGE_LENGTH = 2000;
const message = String(body.message ?? '').trim().slice(0, MAX_MESSAGE_LENGTH);
if (message.length === 0) throw new Error('Message cannot be empty');

// Sanitize user messages before sending to AI
function sanitizeForAI(input: string): string {
  return input
    .replace(/\[INST\]/g, '') // LLM injection markers
    .replace(/<<SYS>>/g, '')
    .trim()
    .slice(0, 2000);
}

// ✅ Correct: Environment variables only
process.env.GEMINI_API_KEY     // Server-side only
process.env.FIREBASE_PRIVATE_KEY // Server-side only

// ❌ Wrong: Hardcoded secrets
const key = "AIzaSy..."; // Never do this

// ❌ Wrong: Exposing server secrets to client
process.env.GEMINI_API_KEY // In a Client Component

GEMINI_API_KEY=           ← Server only, never NEXT_PUBLIC_
FIREBASE_PROJECT_ID=      ← Can be public
NEXT_PUBLIC_FIREBASE_*=   ← Client-safe Firebase config only

Security Engineer

Security Engineer Skill

Role

KitobAI Auth Stack

Authentication Patterns

Secure Client Auth

Security Engineer

Security Engineer Skill

Role

KitobAI Auth Stack

Authentication Patterns

Secure Client Auth

API Route Auth Guard

Input Validation Rules

Never Trust Client Input

Prompt Injection Protection (AI-specific)

Secret Management

.env.local Checklist

Security Checklist (Before Every PR)

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security