Skip to content

Security: Jakedismo/knowledge-network

Security

docs/SECURITY.md

Security Documentation - Knowledge Network Authentication System

Overview

This document provides comprehensive security documentation for the Knowledge Network React Application's authentication and authorization system. The system implements industry-standard security practices including JWT-based authentication, role-based access control (RBAC), session management, and SSO integration.

Architecture

Security Components

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Frontend      │────│  API Gateway    │────│  Auth Service   │
│   (React)       │    │  (Middleware)   │    │  (JWT/Session)  │
└─────────────────┘    └─────────────────┘    └─────────────────┘
                                │                       │
                       ┌─────────────────┐    ┌─────────────────┐
                       │ Security Layer  │────│  RBAC Service   │
                       │ (Rate Limiting) │    │  (Permissions)  │
                       └─────────────────┘    └─────────────────┘
                                │                       │
                       ┌─────────────────┐    ┌─────────────────┐
                       │   SSO Service   │────│ Session Service │
                       │ (SAML/OAuth2)   │    │ (Management)    │
                       └─────────────────┘    └─────────────────┘

Authentication System

JWT Token Management

The system uses a dual-token approach for secure authentication:

  • Access Tokens: Short-lived (15 minutes) tokens for API access
  • Refresh Tokens: Long-lived (7 days) tokens for token renewal

Token Structure

// Access Token Payload
{
  sub: "user_id",           // Subject (User ID)
  email: "user@example.com", // User email
  sessionId: "session_123",  // Session identifier
  workspaceId: "ws_456",    // Current workspace
  roles: ["user", "admin"], // User roles
  permissions: [...],       // Explicit permissions
  type: "access",           // Token type
  iat: 1234567890,         // Issued at
  exp: 1234568790          // Expires at
}

Token Security Features

  • Algorithm: HS256 (HMAC with SHA-256)
  • Issuer/Audience Validation: Prevents token misuse
  • Session Validation: Tokens tied to active sessions
  • Automatic Rotation: Refresh tokens rotated on use

Password Security

Hashing Algorithm

  • Library: bcryptjs
  • Salt Rounds: 12 (configurable)
  • Timing Attack Protection: Constant-time comparisons

Password Requirements

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character

Implementation Example

// Password hashing
const saltRounds = 12;
const hashedPassword = await bcrypt.hash(password, saltRounds);

// Password verification
const isValid = await bcrypt.compare(password, hashedPassword);

Authorization System (RBAC)

Role-Based Access Control

The RBAC system implements fine-grained permissions with the following hierarchy:

System Roles:
├── Administrator (Full access)
├── User (Standard access)
└── Viewer (Read-only access)

Workspace Roles:
├── Workspace Admin
├── Editor
├── Contributor
└── Guest

Permission Model

Permissions follow the pattern: resource:action

Resources

  • knowledge - Knowledge base articles
  • workspace - Workspace management
  • user - User management
  • tag - Tag management
  • collection - Collection management
  • comment - Comment system
  • search - Search functionality
  • analytics - Analytics and reporting
  • integration - External integrations
  • admin - System administration

Actions

  • create - Create new resources
  • read - Read/view resources
  • update - Modify existing resources
  • delete - Remove resources
  • share - Share resources
  • comment - Add comments
  • admin - Administrative actions
  • manage - Full management rights

Permission Checking

// Check permission
const result = await rbacService.checkPermission({
  userId: 'user_123',
  resource: 'knowledge',
  action: 'create',
  workspaceId: 'ws_456'
});

if (result.granted) {
  // Proceed with action
} else {
  // Access denied
}

Session Management

Session Security Features

  • Secure Session IDs: Cryptographically secure random generation
  • Session Expiration: Configurable TTL (default: 24 hours)
  • Session Limits: Maximum sessions per user (default: 10)
  • Activity Tracking: Last accessed time and activity logging
  • Concurrent Session Control: Automatic cleanup of old sessions

Session Data Structure

interface Session {
  id: string;              // Unique session ID
  userId: string;          // Associated user
  workspaceId?: string;    // Current workspace
  deviceInfo?: string;     // Device information
  ipAddress?: string;      // Client IP
  userAgent?: string;      // Browser/client info
  isActive: boolean;       // Session status
  lastAccessed: Date;      // Last activity
  createdAt: Date;         // Creation time
  expiresAt: Date;         // Expiration time
}

Single Sign-On (SSO)

Supported Providers

  1. Google OAuth2

    • Scope: openid email profile
    • Authorization URL: https://accounts.google.com/o/oauth2/v2/auth

  2. Microsoft OAuth2

    • Scope: openid email profile
    • Authorization URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

  3. SAML 2.0

    • Supports enterprise identity providers
    • Configurable assertion signing requirements

SSO Configuration

// Environment variables for SSO setup
GOOGLE_CLIENT_ID="your-google-client-id"
GOOGLE_CLIENT_SECRET="your-google-client-secret"
MICROSOFT_CLIENT_ID="your-microsoft-client-id"
MICROSOFT_CLIENT_SECRET="your-microsoft-client-secret"
SAML_ENTRY_POINT="https://your-idp.com/saml/login"
SAML_CERT="-----BEGIN CERTIFICATE-----..."

Security Middleware

Rate Limiting

Protects against abuse and DoS attacks:

  • Window: 15 minutes (configurable)
  • Max Requests: 100 per window (configurable)
  • Identification: IP address + User ID (if authenticated)
  • Response: HTTP 429 with Retry-After header

CORS Protection

const corsConfig = {
  origins: ['https://yourdomain.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowCredentials: true
};

Security Headers

Automatically applied to all responses:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; ...

Input Sanitization

All user inputs are sanitized to prevent XSS attacks:

// Automatic sanitization
const sanitized = sanitizeInput(userInput);
// Removes: <script>, javascript:, on* events, etc.

API Security

Authentication Flow

  1. Login Request

    POST /api/auth/login
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "securepassword123"
}

  2. Response

    HTTP/1.1 200 OK
Content-Type: application/json

{
  "success": true,
  "tokens": {
    "accessToken": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
    "expiresIn": 900
  },
  "user": { ... }
}

  3. Authenticated Requests

    GET /api/protected-endpoint
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Error Handling

Security-conscious error responses:

// Authentication errors
{
  "error": "Authentication failed",
  "code": "AUTH_FAILED",
  "message": "Invalid credentials"
}

// Authorization errors
{
  "error": "Insufficient permissions",
  "code": "FORBIDDEN",
  "message": "Access denied for resource"
}

// Rate limiting
{
  "error": "Rate limit exceeded",
  "code": "RATE_LIMITED",
  "retryAfter": 300
}

Security Monitoring & Auditing

Security Event Logging

All security-related events are logged:

interface SecurityEvent {
  type: 'authentication' | 'authorization' | 'rate_limit' | 'suspicious';
  severity: 'low' | 'medium' | 'high' | 'critical';
  message: string;
  userId?: string;
  ip?: string;
  userAgent?: string;
  endpoint?: string;
  timestamp: Date;
}

Monitored Events

  • Failed login attempts
  • Permission denials
  • Rate limit violations
  • Suspicious activity patterns
  • Token validation failures
  • Session anomalies

Alerting

Critical security events trigger immediate alerts:

  • Multiple failed logins from same IP
  • Permission escalation attempts
  • Unusual access patterns
  • Token manipulation attempts

Deployment Security

Environment Configuration

# Required security environment variables
JWT_SECRET="minimum-32-character-secure-secret"
JWT_REFRESH_SECRET="different-32-character-secure-secret"
DATABASE_URL="postgresql://user:pass@host:5432/db"
REDIS_URL="redis://host:6379"

# Optional security features
ENABLE_RATE_LIMITING=true
ENABLE_CSRF_PROTECTION=true
CORS_ORIGINS="https://yourdomain.com"

SSL/TLS Requirements

  • Minimum TLS Version: 1.2
  • Certificate Validation: Required in production
  • HSTS: Enabled with includeSubDomains
  • Secure Cookies: HTTPOnly, Secure, SameSite

Database Security

  • Connection Encryption: Required for production
  • Password Hashing: bcrypt with salt rounds ≥ 12
  • Sensitive Data: Encrypted at rest
  • Access Control: Principle of least privilege

Security Best Practices

Development Guidelines

  1. Never log sensitive data (passwords, tokens, PII)
  2. Use parameterized queries to prevent SQL injection
  3. Validate all inputs on both client and server
  4. Implement proper error handling without information leakage
  5. Use secure headers for all responses
  6. Regular security updates for dependencies

Operational Security

  1. Regular security audits of code and infrastructure
  2. Dependency vulnerability scanning with automated updates
  3. Access logging and monitoring for all security events
  4. Incident response plan for security breaches
  5. Regular backup testing and recovery procedures

Code Review Checklist

  • Input validation implemented
  • Authentication/authorization checks present
  • Sensitive data properly protected
  • Error handling doesn't leak information
  • Dependencies are up to date
  • Security headers configured
  • Rate limiting applied where appropriate
  • Audit logging implemented

Incident Response

Security Incident Classification

  • P0 (Critical): Data breach, system compromise
  • P1 (High): Authentication bypass, privilege escalation
  • P2 (Medium): DoS attacks, suspicious activity
  • P3 (Low): Failed login attempts, minor violations

Response Procedures

  1. Detection: Automated monitoring alerts
  2. Assessment: Severity and impact evaluation
  3. Containment: Immediate threat mitigation
  4. Investigation: Root cause analysis
  5. Recovery: System restoration and hardening
  6. Lessons Learned: Post-incident review and improvements

Emergency Contacts

Compliance & Standards

Security Standards Compliance

  • OWASP Top 10: Protection against common vulnerabilities
  • ISO 27001: Information security management
  • SOC 2 Type II: Security and availability controls
  • GDPR: Data protection and privacy (where applicable)

Regular Security Assessments

  • Quarterly: Dependency vulnerability scans
  • Semi-annually: Penetration testing
  • Annually: Full security audit
  • Continuous: Automated security monitoring

Quick Reference

Environment Setup

# Copy environment template
cp .env.example .env.local

# Generate JWT secrets
openssl rand -base64 32  # For JWT_SECRET
openssl rand -base64 32  # For JWT_REFRESH_SECRET

API Endpoints

  • POST /api/auth/login - User authentication
  • POST /api/auth/refresh - Token refresh
  • POST /api/auth/logout - User logout
  • GET /api/auth/me - Get current user
  • POST /api/auth/change-password - Change password
  • GET /api/auth/sso/providers - Available SSO providers
  • GET /api/auth/sso/{provider}/login - Initiate SSO login

Testing Authentication

# Install dependencies
bun install

# Run tests
bun test src/lib/auth/

# Test authentication flow
curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"password123"}'

This security documentation should be regularly updated as the system evolves and new security requirements are identified.

There aren’t any published security advisories