egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0cdb9803de2c2fdccc86f0dc795cf48b6f4fd13c
motovaultpro/docs/security.md
Eric Gullickson e22d643ae3 Security Fixes
2025-08-24 14:39:50 -05:00

82 lines
3.0 KiB
Markdown
Raw Blame History

# Security Architecture
## Authentication & Authorization
### Current State (MVP / Dev)
- Backend uses a Fastify authentication plugin that injects a mock user for development/test.
- JWT validation via Auth0 is not yet enabled on the backend; the frontend Auth0 flow works independently.
### Intended Production Behavior
All vehicle CRUD operations require JWT authentication via Auth0:
- `POST /api/vehicles` - Create vehicle
- `GET /api/vehicles` - Get user vehicles
- `GET /api/vehicles/:id` - Get specific vehicle
- `PUT /api/vehicles/:id` - Update vehicle
- `DELETE /api/vehicles/:id` - Delete vehicle
### Unauthenticated Endpoints
#### Vehicle Dropdown Data API
The following endpoints are intentionally unauthenticated to support form population before user login:
```
GET /api/vehicles/dropdown/makes
GET /api/vehicles/dropdown/models/:make
GET /api/vehicles/dropdown/transmissions
GET /api/vehicles/dropdown/engines
GET /api/vehicles/dropdown/trims
```
**Security Considerations:**
- **Data Exposure**: Only exposes public NHTSA vPIC vehicle specification data
- **No User Data**: Contains no sensitive user information or business logic
- **Read-Only**: All endpoints are GET requests with no mutations
- **Caching**: 7-day Redis caching reduces external API abuse
- **Error Handling**: Generic error responses prevent system information disclosure
**Known Risks:**
1. **API Abuse**: No rate limiting allows unlimited calls
2. **Resource Consumption**: Could exhaust NHTSA API rate limits
3. **Cache Poisoning**: Limited input validation on make parameter
4. **Information Disclosure**: Exposes system capabilities to unauthenticated users
**Recommended Mitigations for Production:**
1. **Rate Limiting**: Implement request rate limiting (e.g., 100 requests/hour per IP)
2. **Input Validation**: Sanitize make parameter in controller
3. **CORS Restrictions**: Limit to application domain
4. **Monitoring**: Add abuse detection logging
5. **API Gateway**: Consider moving to API gateway with built-in rate limiting
**Risk Assessment**: ACCEPTABLE for MVP
- Low risk due to public data exposure only
- UX benefits outweigh security concerns
- Mitigations can be added incrementally
## Data Security
### VIN Handling
- VIN validation using industry-standard check digit algorithm
- VIN decoding via NHTSA vPIC API
- Cached VIN decode results (30-day TTL)
- No VIN storage in logs (masked in logging middleware)
### Database Security
- User data isolation via userId foreign keys
- Soft deletes for audit trail
- No cascading deletes to prevent data loss
- Encrypted connections to PostgreSQL
## Infrastructure Security
### Docker Security
- Development containers run as non-root users
- Network isolation between services
- Environment variable injection for secrets
- No hardcoded credentials in images
### API Client Security
- Separate authenticated/unauthenticated HTTP clients
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper
Reference in New Issue View Git Blame Copy Permalink