# Security Architecture

## Authentication & Authorization

### Current State

- Backend enforces Auth0 JWT validation via Fastify using `@fastify/jwt` and `get-jwks` (JWKS-based public key retrieval).
- Protected endpoints require a valid `Authorization: Bearer <token>` header and populate `request.user` on success.

### Protected Endpoints (JWT required)

- Vehicles CRUD endpoints (`/api/vehicles`, `/api/vehicles/:id`)
- Vehicles dropdown endpoints (`/api/vehicles/dropdown/*`)
- Fuel logs endpoints (`/api/fuel-logs*`)
- Stations endpoints (`/api/stations*`)

### Unauthenticated Endpoints

- Health check: `/api/health` (Traefik readiness probe, no JWT required)
- Health check: `/health` (internal Fastify health endpoint)

## Data Security

### VIN Handling

- VIN validation using industry-standard check digit algorithm
- VIN decoding via integrated VIN decode service (TypeScript/Node.js) with shared database and caching
- No VIN storage in logs (mask as needed in logging)
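
The two VIN handling points above, as an added JavaScript example that is not the project's own code: the ISO 3779 check-digit validation of position 9 (transliteration, position weights, mod 11, remainder 10 written as `X`) and a masking helper so that a VIN never reaches a log line in full. The masking policy (keep the 3-character WMI and the last 4 characters) and the function names are assumptions of this example; the check digit is mandatory for North American VINs and may be absent in other markets.

```javascript
// VIN alphabet: digits plus letters except I, O and Q (ISO 3779).
const VIN_PATTERN = /^[A-HJ-NPR-Z0-9]{17}$/;

// Transliteration table used by the check-digit algorithm (letters -> numeric values).
const VIN_VALUES = {
  A: 1, B: 2, C: 3, D: 4, E: 5, F: 6, G: 7, H: 8,
  J: 1, K: 2, L: 3, M: 4, N: 5, P: 7, R: 9,
  S: 2, T: 3, U: 4, V: 5, W: 6, X: 7, Y: 8, Z: 9,
};

// Weights for positions 1..17; position 9 (the check digit itself) has weight 0.
const VIN_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2];

// Compute the expected check digit of an uppercase 17-character VIN.
// Returns '0'..'9', or 'X' when the weighted sum mod 11 is 10.
function vinCheckDigit(vin) {
  let sum = 0;
  for (let i = 0; i < 17; i++) {
    const ch = vin[i];
    const value = ch >= '0' && ch <= '9' ? Number(ch) : VIN_VALUES[ch];
    sum += value * VIN_WEIGHTS[i];
  }
  const remainder = sum % 11;
  return remainder === 10 ? 'X' : String(remainder);
}

// Validate length, alphabet and check digit; true only when all three hold.
function isValidVin(input) {
  const vin = String(input).trim().toUpperCase();
  if (!VIN_PATTERN.test(vin)) return false;
  return vinCheckDigit(vin) === vin[8];
}

// Mask a VIN for logging: keep the WMI (first 3) and the last 4, mask the middle 10.
// The masking policy is an assumption of this example, not the project's.
function maskVin(vin) {
  const v = String(vin).toUpperCase();
  if (v.length !== 17) return '*'.repeat(v.length);
  return v.slice(0, 3) + '*'.repeat(10) + v.slice(13);
}

// Redact every VIN-shaped token in a free-form log message before it is written.
// Deliberately conservative: any 17-character token over the VIN alphabet is masked.
function redactVins(message) {
  return message.replace(/\b[A-HJ-NPR-Z0-9]{17}\b/g, (token) => maskVin(token));
}
```

`redactVins` is meant to sit in the logger's formatting step so that masking does not depend on every call site remembering to do it.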

### Database Security

- User data isolation via userId foreign keys
- Soft deletes for audit trail
- Cascading deletes configured where appropriate (CASCADE constraints enforced in migrations)
- PostgreSQL connections run within internal Docker network (unencrypted, network-isolated)

## Infrastructure Security

### Docker Security

- Development containers run as non-root users
- Network isolation between services
- Environment variable injection for secrets
- No hardcoded credentials in images

### API Client Security

- Separate authenticated/unauthenticated HTTP clients where applicable
- Request/response interceptors for error handling
- Timeout configurations to prevent hanging requests
- Auth token handling via Auth0 wrapper