# Security Architecture

## Authentication & Authorization

### Current State

- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval).
- Protected endpoints require a valid `Authorization: Bearer <token>` header and populate `request.user` on success.

### Protected Endpoints (JWT required)

- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)

### Unauthenticated Endpoints

- None

## Data Security

### VIN Handling

- VIN validation using industry-standard check digit algorithm
- VIN decoding via integrated MVP Platform service (FastAPI) with shared database and caching
- No VIN storage in logs (mask as needed in logging)
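
The check-digit validation and log masking described above, as an added example that is not the project's own code: the check-digit scheme is the standard ISO 3779 / North American one (transliteration table, positional weights, modulo 11), while the masking policy of keeping only the last four characters is an assumption.

```javascript
// Added example (not the project's code): VIN check-digit validation
// (ISO 3779 / NHTSA 49 CFR 565 scheme) and a log-masking helper.
// The masking policy (keep only the last four characters) is an assumption.

const VIN_LENGTH = 17;
const CHECK_POSITION = 8; // zero-based index of the check digit (9th character)
const WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2];

// Letter transliteration table; I, O and Q are deliberately absent because
// they are never used in a VIN, so they fail validation.
const LETTER_VALUES = {
  A: 1, B: 2, C: 3, D: 4, E: 5, F: 6, G: 7, H: 8,
  J: 1, K: 2, L: 3, M: 4, N: 5, P: 7, R: 9,
  S: 2, T: 3, U: 4, V: 5, W: 6, X: 7, Y: 8, Z: 9,
};

function charValue(ch) {
  if (ch >= '0' && ch <= '9') return Number(ch);
  const v = LETTER_VALUES[ch];
  if (v === undefined) throw new Error(`invalid VIN character: ${ch}`);
  return v;
}

// Compute the expected check character for a 17-character VIN.
function computeCheckDigit(vin) {
  let sum = 0;
  for (let i = 0; i < VIN_LENGTH; i++) {
    sum += charValue(vin[i]) * WEIGHTS[i];
  }
  const remainder = sum % 11;
  return remainder === 10 ? 'X' : String(remainder);
}

// Returns true only for a well-formed VIN whose check digit verifies.
function isValidVin(input) {
  if (typeof input !== 'string') return false;
  const vin = input.trim().toUpperCase();
  if (!/^[A-HJ-NPR-Z0-9]{17}$/.test(vin)) return false;
  return computeCheckDigit(vin) === vin[CHECK_POSITION];
}

// Mask a VIN before it reaches a log line: keep the last four characters
// (assumed policy) and replace the rest with '*'.
function maskVin(vin) {
  const s = String(vin);
  if (s.length <= 4) return '*'.repeat(s.length);
  return '*'.repeat(s.length - 4) + s.slice(-4);
}
```

`isValidVin` rejects anything that is not exactly 17 allowed characters before it computes the check digit, so a malformed value never reaches the decoding service or a log line unmasked.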

### Database Security

- User data isolation via userId foreign keys
- Soft deletes for audit trail
- No cascading deletes to prevent data loss
- Encrypted connections to PostgreSQL

## Infrastructure Security

### Docker Security

- Development containers run as non-root users
- Network isolation between services
- Environment variable injection for secrets
- No hardcoded credentials in images

### API Client Security

- Separate authenticated/unauthenticated HTTP clients where applicable
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper