Initial Commit
43
docs/SECURITY.md
Normal file
@@ -0,0 +1,43 @@
# Security Architecture

## Authentication & Authorization

### Current State

- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval).
- Protected endpoints require a valid `Authorization: Bearer <token>` header and populate `request.user` on success.

### Protected Endpoints (JWT required)

- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)

### Unauthenticated Endpoints

- None

## Data Security

### VIN Handling

- VIN validation using industry-standard check digit algorithm
- VIN decoding via MVP Platform Vehicles Service (local FastAPI + Postgres) with caching
- No VIN storage in logs (mask as needed in logging)

### Database Security

- User data isolation via userId foreign keys
- Soft deletes for audit trail
- No cascading deletes to prevent data loss
- Encrypted connections to PostgreSQL

## Infrastructure Security

### Docker Security

- Development containers run as non-root users
- Network isolation between services
- Environment variable injection for secrets
- No hardcoded credentials in images

### API Client Security

- Separate authenticated/unauthenticated HTTP clients where applicable
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper