Security Architecture
Authentication & Authorization
Current State
- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval).
- Protected endpoints require a valid `Authorization: Bearer <token>` header and populate `request.user` on success.
Protected Endpoints (JWT required)
- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)
Unauthenticated Endpoints
- None
Data Security
VIN Handling
- VIN validation using the industry-standard 17-character check digit algorithm (the check digit is position 9 of the VIN)
- VIN decoding via the integrated MVP Platform service (FastAPI), which shares the database and caching layer
- VINs are never written to logs; where a VIN must appear in a log line, mask it first
Database Security
- User data isolation via `userId` foreign keys; queries are scoped to the authenticated user's id
- Soft deletes for audit trail
- No cascading deletes, to prevent data loss
- TLS-encrypted connections to PostgreSQL
Infrastructure Security
Docker Security
- Development containers run as non-root users
- Network isolation between services
- Environment variable injection for secrets
- No hardcoded credentials in images
API Client Security
- Separate authenticated/unauthenticated HTTP clients where applicable
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper