Add authentication rule for Fastify with @fastify/jwt and @fastify/auth

[Copilot]

New authentication.md rule added to the fastify-best-practise skill covering JWT-based auth and multi-strategy composition.

New rule: rules/authentication.md (HIGH impact)

• @fastify/jwt plugin setup — shared plugin with authenticate decorator vs. inline token parsing
• Route protection — preHandler hook pattern, scoped auth via _hooks.ts with autoload
• Token lifecycle — login/refresh endpoints with Zod schema validation for request bodies and responses using FastifyPluginAsyncZod
• Multi-strategy auth — @fastify/auth composing JWT + API key strategies
• TypeScript — module augmentation for decorators and FastifyJWT payload types
• Testing — authenticated route testing with server.jwt.sign() + inject()

Documentation updates

• Added Authentication to the rules table in SKILL.md, README.md, and AGENTS.md
• Updated "Auth/middleware" usage entry in SKILL.md to reference authentication.md
• Added missing Logging row to README.md and AGENTS.md rules tables

Core pattern

// src/routes/auth/schema.ts
import { z } from "zod";

export const loginBodySchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
});

export const tokenResponseSchema = z.object({
  token: z.string(),
});

// src/routes/auth/index.ts
import { FastifyPluginAsyncZod } from "fastify-type-provider-zod";
import { loginBodySchema, tokenResponseSchema, errorResponseSchema } from "./schema.js";

const authRoutes: FastifyPluginAsyncZod = async function (fastify) {
  fastify.post("/login", {
    schema: {
      body: loginBodySchema,
      response: { 200: tokenResponseSchema, 401: errorResponseSchema },
    },
  }, async (request, reply) => {
    const { email, password } = request.body;
    const user = await verifyCredentials(email, password);
    if (!user) { reply.status(401); return { error: "Invalid credentials" }; }
    const token = fastify.jwt.sign({ id: user.id, role: user.role }, { expiresIn: "1h" });
    return { token };
  });
};

// src/plugins/jwt.ts
import fp from "fastify-plugin";
import fjwt from "@fastify/jwt";

async function jwtPlugin(fastify) {
  await fastify.register(fjwt, { secret: fastify.config.JWT_SECRET });
  fastify.decorate("authenticate", async (request, reply) => {
    try { await request.jwtVerify(); }
    catch { reply.status(401); return reply.send({ error: "Unauthorized" }); }
  });
}

export default fp(jwtPlugin, { name: "jwt", fastify: "5.x" });

Original prompt

Can you generate an authentication rule for Fastify?
I want to use this plugin https://fastify.dev

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[changeset-bot]

🦋 Changeset detected

Latest commit: 248f022

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[Puppo]

@copilot fix the comment

[Puppo]

Can you add the Zod schema to the body of the requests and responses?

[Copilot]

Added Zod schemas for request bodies and responses in the login/refresh endpoints. The section now uses FastifyPluginAsyncZod with separate schema.ts file defining loginBodySchema, refreshBodySchema, tokenResponseSchema, and errorResponseSchema. See commit 248f022.

[Copilot]

@copilot fix the comment

Fixed in 248f022 — added Zod schemas to the auth route bodies and responses.