# Security Architecture

## Authentication & Authorization

### Current State

- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval).
- Protected endpoints require a valid `Authorization: Bearer` header carrying the access token and populate `request.user` on success.

### Protected Endpoints (JWT required)

- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)

### Unauthenticated Endpoints

- None

## Data Security

### VIN Handling

- VIN validation using the industry-standard check digit algorithm
- VIN decoding via the MVP Platform Vehicles Service (local FastAPI + Postgres) with caching
- No VIN storage in logs (mask as needed when logging)

### Database Security

- User data isolation via `userId` foreign keys
- Soft deletes for an audit trail
- No cascading deletes, to prevent data loss
- Encrypted connections to PostgreSQL

## Infrastructure Security

### Docker Security

- Development containers run as non-root users
- Network isolation between services
- Secrets injected via environment variables
- No hardcoded credentials in images

### API Client Security

- Separate authenticated and unauthenticated HTTP clients where applicable
- Request/response interceptors for error handling
- Timeout configuration to prevent hanging requests
- Auth token handling via the Auth0 wrapper