# Security Architecture

## Authentication & Authorization

### Current State

- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval: the verification key is fetched from the Auth0 tenant's JWKS document and selected by the token's `kid` header).
- Protected endpoints require a valid `Authorization: Bearer` header carrying the Auth0-issued access token. On success the verified claims are populated into `request.user`; a missing, malformed, expired or wrongly signed token causes the request to be rejected before the route handler runs.

### Protected Endpoints (JWT required)

- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)

Any new route under `/api/` belongs in this list and behind the JWT hook; the unauthenticated endpoints below are the explicit exception list, not the default.

### Unauthenticated Endpoints

- Health check: `/api/health` (Traefik readiness probe, no JWT required)
- Health check: `/health` (internal Fastify health endpoint)

Because these are reachable without a token, keep their responses to liveness status only, with no configuration or dependency details.

## Data Security

### VIN Handling

- VIN validation using the industry-standard check digit algorithm (ISO 3779 / 49 CFR 565: the weighted sum of the transliterated characters modulo 11 must equal the character in position 9; I, O and Q are never valid VIN characters)
- VIN decoding via the integrated VIN decode service (TypeScript/Node.js), which shares the application database and caches decode results
- VINs are not written to logs; where a log line must reference a vehicle, mask the VIN first

### Database Security

- User data isolation via `userId` foreign keys: every query against user-owned tables is scoped by the authenticated user's id, so a row cannot be reached by guessing its id
- Soft deletes for audit trail (rows are flagged as deleted rather than removed)
- Cascading deletes configured where appropriate (CASCADE constraints enforced in migrations). Note that a CASCADE fires only on a hard DELETE of the parent row; soft-deleting a parent does not flag its children, so dependent rows must be handled in application code.
- PostgreSQL connections run within the internal Docker network; they are unencrypted, so confidentiality in transit relies entirely on that network isolation

## Infrastructure Security

### Docker Security

- Development containers run as non-root users
- Network isolation between services
- Secrets are injected as environment variables at runtime (these remain visible to anyone who can run `docker inspect` on the container or read its process environment, so host access must be restricted accordingly)
- No hardcoded credentials in images

### API Client Security

- Separate authenticated and unauthenticated HTTP clients where applicable, so bearer tokens are only attached where they are needed
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via the Auth0 wrapper
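The JWKS-based validation described under Current State, together with the default-deny split between the protected endpoints and the two health endpoints, as an added example. This is not the project's code and not the implementation of `@fastify/jwt` or `get-jwks`; it reproduces the same checks against `node:crypto` only so it runs offline. The issuer, audience, key id, key pair and JWKS document are all constructed for the example.

```typescript
// Added example (not the project's code): RS256 JWT verification with the signing key
// resolved from a JWKS document by `kid`, plus a default-deny route guard. Issuer,
// audience, kid and key pair are constructed fixtures, not values from this system.
import { createPublicKey, createSign, createVerify, generateKeyPairSync, KeyObject } from "node:crypto";

export interface Jwk { kid: string; kty: string; n?: string; e?: string; use?: string; alg?: string }
export interface Jwks { keys: Jwk[] }
export interface Claims { iss: string; aud: string | string[]; sub: string; iat: number; exp: number }
export interface Expected { issuer: string; audience: string }

const enc = (s: string): string => Buffer.from(s, "utf8").toString("base64url");
const dec = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Mint an RS256 token (the issuer's side). Included only so the verifier has input.
export function signRs256(claims: Claims, privateKey: KeyObject, kid: string): string {
  const signingInput = `${enc(JSON.stringify({ alg: "RS256", typ: "JWT", kid }))}.${enc(JSON.stringify(claims))}`;
  const sig = createSign("RSA-SHA256").update(signingInput).sign(privateKey).toString("base64url");
  return `${signingInput}.${sig}`;
}

// Verify the signature with the JWKS key named by `kid`, then the claims the backend must pin.
export function verifyRs256(token: string, jwks: Jwks, expected: Expected, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts as [string, string, string];
  const header = JSON.parse(dec(h)) as { alg?: unknown; kid?: unknown };
  // Pin the algorithm server-side; never let the token choose it (alg=none, HS256 key confusion).
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  if (typeof header.kid !== "string") throw new Error("missing kid");
  const kid = header.kid;
  const jwk = jwks.keys.find((k) => k.kid === kid && k.kty === "RSA" && (k.use ?? "sig") === "sig");
  if (!jwk) throw new Error("unknown kid");
  const publicKey = createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
  const ok = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  // Only trust the payload after the signature has been checked.
  const claims = JSON.parse(dec(p)) as Claims;
  if (claims.iss !== expected.issuer) throw new Error("bad issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) throw new Error("bad audience");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Default deny: only the two health endpoints are public. Exact-match on the path, so
// variants such as `/api/healthz` or `/health/../vehicles` are still treated as protected.
const PUBLIC_PATHS = new Set(["/api/health", "/health"]);

export type GuardResult = { status: 200; user?: Claims } | { status: 401; error: string };

export function guardRequest(path: string, authorization: string | undefined, jwks: Jwks,
                             expected: Expected, nowSec: number): GuardResult {
  const pathname = path.split("?")[0] ?? "";
  if (PUBLIC_PATHS.has(pathname)) return { status: 200 };
  const m = /^Bearer\s+(\S+)$/.exec(authorization ?? "");
  if (!m) return { status: 401, error: "missing bearer token" };
  try {
    return { status: 200, user: verifyRs256(m[1] ?? "", jwks, expected, nowSec) };
  } catch (e) {
    return { status: 401, error: (e as Error).message };
  }
}

// Constructed fixture: an RSA key pair and the JWKS document a tenant would publish at
// https://<tenant>.auth0.com/.well-known/jwks.json (generic Auth0 URL shape, no real tenant).
export function buildFixture(): { privateKey: KeyObject; jwks: Jwks; kid: string } {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const { n, e } = publicKey.export({ format: "jwk" });
  const kid = "example-kid-1";
  const jwks: Jwks = { keys: [{ kid, kty: "RSA", n, e, use: "sig", alg: "RS256" }] };
  return { privateKey, jwks, kid };
}
```

The order of checks matters: the algorithm and key lookup are fixed from server configuration before anything in the payload is read, and the payload is parsed only after the signature verifies. A real deployment also needs the JWKS cache and rotation handling that `get-jwks` provides, which this example leaves out.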
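The VIN check digit rule and the log-masking requirement from the VIN Handling section, as an added example. This is not the project's validator or its logging code; it implements the position-9 check digit as defined by ISO 3779 / 49 CFR 565, and the masking format (manufacturer prefix plus last four characters) is an assumption chosen for the example, not a format the project specifies. The sample VINs in the usage are publicly circulated test values, not records from this system.

```typescript
// Added example (not the project's code): VIN check-digit validation per ISO 3779 / 49 CFR 565,
// and a masking helper for log lines. The mask format is an assumption for this example.
const VIN_RE = /^[A-HJ-NPR-Z0-9]{17}$/; // 17 characters; I, O and Q are never used
const WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]; // position 9 weighs 0

// Standard transliteration: letters map to 1..9 (I, O, Q excluded), digits to their own value.
const LETTER_VALUES: Record<string, number> = {
  A: 1, B: 2, C: 3, D: 4, E: 5, F: 6, G: 7, H: 8,
  J: 1, K: 2, L: 3, M: 4, N: 5, P: 7, R: 9,
  S: 2, T: 3, U: 4, V: 5, W: 6, X: 7, Y: 8, Z: 9,
};

// Compute the expected check digit for an already-normalised 17-character VIN.
export function vinCheckDigit(vin: string): string {
  let sum = 0;
  WEIGHTS.forEach((weight, i) => {
    const ch = vin.charAt(i);
    const value = ch >= "0" && ch <= "9" ? Number(ch) : LETTER_VALUES[ch];
    if (value === undefined) throw new Error(`invalid VIN character at position ${i + 1}`);
    sum += value * weight;
  });
  const remainder = sum % 11;
  return remainder === 10 ? "X" : String(remainder); // remainder 10 is written as X
}

// Normalise, reject the wrong alphabet or length, then compare the computed check digit
// against position 9 (index 8).
export function isValidVin(raw: string): boolean {
  const vin = raw.trim().toUpperCase();
  if (!VIN_RE.test(vin)) return false;
  return vinCheckDigit(vin) === vin.charAt(8);
}

// For log lines: keep the WMI (manufacturer, positions 1-3) and the last four serial
// characters, enough to correlate a request without writing the full identifier to disk.
export function maskVin(vin: string): string {
  if (vin.length !== 17) return "***";
  return `${vin.slice(0, 3)}**********${vin.slice(13)}`;
}

// Usage with a public sample VIN (not a record from this system):
//   isValidVin("1HGCM82633A004352")  -> true  (check digit 3)
//   maskVin("1HGCM82633A004352")     -> "1HG**********4352"
```

The check digit only protects against transcription errors; it is not proof that a vehicle exists, so a VIN that passes this check still goes to the decode service before anything is stored.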
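The ownership and soft-delete invariants from the Database Security section, as an added example. This is not the project's repository layer and the table and column names (`userId`, `deletedAt`, `vehicles`, `fuelLogs`) are assumptions; the real schema lives in the migrations. The store is in-memory so the invariants can be exercised offline, and the constructed data (users "alice" and "bob", one vehicle, one fuel log) is not from this system.

```typescript
// Added example (not the project's code): an in-memory model of the per-user isolation
// and soft-delete rules. Column and table names are assumptions for the example.
interface Vehicle { id: number; userId: string; vin: string; deletedAt: Date | null }
interface FuelLog { id: number; userId: string; vehicleId: number; liters: number; deletedAt: Date | null }

export class VehicleStore {
  private vehicles: Vehicle[] = [];
  private fuelLogs: FuelLog[] = [];
  private nextId = 1;

  addVehicle(userId: string, vin: string): Vehicle {
    const row: Vehicle = { id: this.nextId++, userId, vin, deletedAt: null };
    this.vehicles.push(row);
    return row;
  }

  // Every read is scoped by userId AND excludes soft-deleted rows. A caller who guesses
  // another user's id gets the same "not found" as for a nonexistent row.
  getVehicle(userId: string, id: number): Vehicle | undefined {
    return this.vehicles.find((v) => v.id === id && v.userId === userId && v.deletedAt === null);
  }

  listVehicles(userId: string): Vehicle[] {
    return this.vehicles.filter((v) => v.userId === userId && v.deletedAt === null);
  }

  // The foreign-key relationship is checked through the scoped read, so a fuel log can only
  // be attached to a live vehicle owned by the same user.
  addFuelLog(userId: string, vehicleId: number, liters: number): FuelLog {
    if (!this.getVehicle(userId, vehicleId)) throw new Error("vehicle not found");
    const row: FuelLog = { id: this.nextId++, userId, vehicleId, liters, deletedAt: null };
    this.fuelLogs.push(row);
    return row;
  }

  listFuelLogs(userId: string, vehicleId: number): FuelLog[] {
    return this.fuelLogs.filter((f) => f.userId === userId && f.vehicleId === vehicleId && f.deletedAt === null);
  }

  // Soft delete: flag the row instead of removing it, and flag the dependent fuel logs in
  // application code, because a SQL CASCADE only fires on a hard DELETE of the parent.
  deleteVehicle(userId: string, id: number, now: Date = new Date()): boolean {
    const vehicle = this.getVehicle(userId, id);
    if (!vehicle) return false;
    vehicle.deletedAt = now;
    for (const log of this.fuelLogs) {
      if (log.vehicleId === id && log.deletedAt === null) log.deletedAt = now;
    }
    return true;
  }

  // Audit view that deliberately includes soft-deleted rows; not exposed on user-facing routes.
  auditRows(): { vehicles: Vehicle[]; fuelLogs: FuelLog[] } {
    return { vehicles: [...this.vehicles], fuelLogs: [...this.fuelLogs] };
  }
}
```

The point the store makes is that the `userId` predicate is part of every read, including the read that precedes a write or delete, so ownership is never a separate check that a new route can forget.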