lucasacchi/mockupAWS
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity
Files
330c547e73494edb05444d3bafe2f80a1fa33eb2
mockupAWS/SECURITY.md
Luca Sacchi Ricciardi cc60ba17ea
Some checks failed
E2E Tests / Run E2E Tests (push) Has been cancelled
Details
E2E Tests / Visual Regression Tests (push) Has been cancelled
Details
E2E Tests / Smoke Tests (push) Has been cancelled
Details
release: v0.5.0 - Authentication, API Keys & Advanced Features 
Complete v0.5.0 implementation:

Database (@db-engineer):
- 3 migrations: users, api_keys, report_schedules tables
- Foreign keys, indexes, constraints, enums

Backend (@backend-dev):
- JWT authentication service with bcrypt (cost=12)
- Auth endpoints: /register, /login, /refresh, /me
- API Keys service with hash storage and prefix validation
- API Keys endpoints: CRUD + rotate
- Security module with JWT HS256

Frontend (@frontend-dev):
- Login/Register pages with validation
- AuthContext with localStorage persistence
- Protected routes implementation
- API Keys management UI (create, revoke, rotate)
- Header with user dropdown

DevOps (@devops-engineer):
- .env.example and .env.production.example
- docker-compose.scheduler.yml
- scripts/setup-secrets.sh
- INFRASTRUCTURE_SETUP.md

QA (@qa-engineer):
- 85 E2E tests: auth.spec.ts, apikeys.spec.ts, scenarios.spec.ts, regression-v050.spec.ts
- auth-helpers.ts with 20+ utility functions
- Test plans and documentation

Architecture (@spec-architect):
- SECURITY.md with best practices
- SECURITY-CHECKLIST.md pre-deployment
- Updated architecture.md with auth flows
- Updated README.md with v0.5.0 features

Documentation:
- Updated todo.md with v0.5.0 status
- Added docs/README.md index
- Complete setup instructions

Dependencies added:
- bcrypt, python-jose, passlib, email-validator

Tested: JWT auth flow, API keys CRUD, protected routes, 85 E2E tests ready

Closes: v0.5.0 milestone
2026-04-07 19:22:47 +02:00

471 lines
14 KiB
Markdown
Raw Blame History

# Security Policy - mockupAWS v0.5.0
> **Version:** 0.5.0
> **Last Updated:** 2026-04-07
> **Status:** In Development
---
## Table of Contents
1. [Security Overview](#security-overview)
2. [Authentication Architecture](#authentication-architecture)
3. [API Keys Security](#api-keys-security)
4. [Rate Limiting](#rate-limiting)
5. [CORS Configuration](#cors-configuration)
6. [Input Validation](#input-validation)
7. [Data Protection](#data-protection)
8. [Security Best Practices](#security-best-practices)
9. [Incident Response](#incident-response)
---
## Security Overview
mockupAWS implements defense-in-depth security with multiple layers of protection:
```
┌─────────────────────────────────────────────────────────────────────────┐
│ SECURITY LAYERS │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ Layer 1: Network Security │
│ ├── HTTPS/TLS 1.3 enforcement │
│ └── CORS policy configuration │
│ │
│ Layer 2: Rate Limiting │
│ ├── Auth endpoints: 5 req/min │
│ ├── API Key endpoints: 10 req/min │
│ └── General endpoints: 100 req/min │
│ │
│ Layer 3: Authentication │
│ ├── JWT tokens (HS256, 30min access, 7days refresh) │
│ ├── API Keys (hashed storage, prefix identification) │
│ └── bcrypt password hashing (cost=12) │
│ │
│ Layer 4: Authorization │
│ ├── Scope-based API key permissions │
│ └── Role-based access control (RBAC) │
│ │
│ Layer 5: Input Validation │
│ ├── Pydantic request validation │
│ ├── SQL injection prevention │
│ └── XSS protection │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
---
## Authentication Architecture
### JWT Token Implementation
#### Token Configuration
| Parameter | Value | Description |
|-----------|-------|-------------|
| **Algorithm** | HS256 | HMAC with SHA-256 |
| **Secret Length** | ≥32 characters | Minimum 256 bits |
| **Access Token TTL** | 30 minutes | Short-lived for security |
| **Refresh Token TTL** | 7 days | Longer-lived for UX |
| **Token Rotation** | Enabled | New refresh token on each use |
#### Token Structure
```json
{
"sub": "user-uuid",
"exp": 1712592000,
"iat": 1712590200,
"type": "access",
"jti": "unique-token-id"
}
```
#### Security Requirements
1. **JWT Secret Generation:**
```bash
# Generate a secure 256-bit secret
openssl rand -hex 32
# Store in .env file
JWT_SECRET_KEY=your-generated-secret-here-32chars-min
```
2. **Secret Storage:**
- Never commit secrets to version control
- Use environment variables or secret management
- Rotate secrets periodically (recommended: 90 days)
- Use different secrets per environment
3. **Token Validation:**
- Verify signature integrity
- Check expiration time
- Validate `sub` (user ID) exists
- Reject tokens with `type: refresh` for protected routes
### Password Security
#### bcrypt Configuration
| Parameter | Value | Description |
|-----------|-------|-------------|
| **Algorithm** | bcrypt | Industry standard |
| **Cost Factor** | 12 | ~250ms per hash |
| **Salt Size** | 16 bytes | Random per password |
#### Password Requirements
- Minimum 8 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character (!@#$%^&*)
#### Password Storage
```python
# NEVER store plaintext passwords
# ALWAYS hash before storage
import bcrypt
password_hash = bcrypt.hashpw(
password.encode('utf-8'),
bcrypt.gensalt(rounds=12)
)
```
---
## API Keys Security
### Key Generation
```
Format: mk_<prefix>_<random>
Example: mk_a3f9b2c1_xK9mP2nQ8rS4tU7vW1yZ
│ │ │
│ │ └── 32 random chars (base64url)
│ └── 8 char prefix (identification)
└── Fixed prefix (mk_)
```
### Storage Security
| Aspect | Implementation | Status |
|--------|---------------|--------|
| **Storage** | Hash only (SHA-256) | ✅ Implemented |
| **Transmission** | HTTPS only | ✅ Required |
| **Prefix** | First 8 chars stored plaintext | ✅ Implemented |
| **Lookup** | By prefix + hash comparison | ✅ Implemented |
**⚠️ CRITICAL:** The full API key is only shown once at creation. Store it securely!
### Scopes and Permissions
Available scopes:
| Scope | Description | Access Level |
|-------|-------------|--------------|
| `read:scenarios` | Read scenarios | Read-only |
| `write:scenarios` | Create/update scenarios | Write |
| `delete:scenarios` | Delete scenarios | Delete |
| `read:reports` | Read/download reports | Read-only |
| `write:reports` | Generate reports | Write |
| `read:metrics` | View metrics | Read-only |
| `ingest:logs` | Send logs to scenarios | Special |
### API Key Validation Flow
```
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Request │────>│ Extract Key │────>│ Find by │
│ X-API-Key │ │ from Header │ │ Prefix │
└──────────────┘ └──────────────┘ └──────┬───────┘
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Response │<────│ Check Scope │<────│ Hash Match │
│ 200/403 │ │ & Expiry │ │ & Active │
└──────────────┘ └──────────────┘ └──────────────┘
```
---
## Rate Limiting
### Endpoint Limits
| Endpoint Category | Limit | Window | Burst |
|-------------------|-------|--------|-------|
| **Authentication** (`/auth/*`) | 5 requests | 1 minute | No |
| **API Key Management** (`/api-keys/*`) | 10 requests | 1 minute | No |
| **Report Generation** (`/reports/*`) | 10 requests | 1 minute | No |
| **General API** | 100 requests | 1 minute | 20 |
| **Ingest** (`/ingest`) | 1000 requests | 1 minute | 100 |
### Rate Limit Headers
```http
HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1712590260
```
### Rate Limit Response
```http
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 60
{
"error": "rate_limited",
"message": "Rate limit exceeded. Try again in 60 seconds.",
"retry_after": 60
}
```
---
## CORS Configuration
### Allowed Origins
```python
# Development
allowed_origins = [
"http://localhost:5173", # Vite dev server
"http://localhost:3000", # Alternative dev port
]
# Production (configure as needed)
allowed_origins = [
"https://app.mockupaws.com",
"https://api.mockupaws.com",
]
```
### CORS Policy
| Setting | Value | Description |
|---------|-------|-------------|
| `allow_credentials` | `true` | Allow cookies/auth headers |
| `allow_methods` | `["GET", "POST", "PUT", "DELETE"]` | HTTP methods |
| `allow_headers` | `["*"]` | All headers allowed |
| `max_age` | `600` | Preflight cache (10 min) |
### Security Headers
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
```
---
## Input Validation
### SQL Injection Prevention
- ✅ **Parameterized Queries:** SQLAlchemy ORM with bound parameters
- ✅ **No Raw SQL:** All queries through ORM
- ✅ **Input Sanitization:** Pydantic validation before DB operations
```python
# ✅ SAFE - Uses parameterized queries
result = await db.execute(
select(Scenario).where(Scenario.id == scenario_id)
)
# ❌ NEVER DO THIS - Vulnerable to SQL injection
query = f"SELECT * FROM scenarios WHERE id = '{scenario_id}'"
```
### XSS Prevention
- ✅ **Output Encoding:** All user data HTML-escaped in responses
- ✅ **Content-Type Headers:** Proper headers prevent MIME sniffing
- ✅ **CSP Headers:** Content Security Policy restricts script sources
### PII Detection
Built-in PII detection in log ingestion:
```python
pii_patterns = {
'email': r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b',
'ssn': r'\b\d{3}-\d{2}-\d{4}\b',
'credit_card': r'\b(?:\d[ -]*?){13,16}\b',
'phone': r'\b\d{3}[-.]?\d{3}[-.]?\d{4}\b'
}
```
---
## Data Protection
### Data Classification
| Data Type | Classification | Storage | Encryption |
|-----------|---------------|---------|------------|
| Passwords | Critical | bcrypt hash | N/A (one-way) |
| API Keys | Critical | SHA-256 hash | N/A (one-way) |
| JWT Secrets | Critical | Environment | At rest |
| User Emails | Sensitive | Database | TLS transit |
| Scenario Data | Internal | Database | TLS transit |
| Logs | Internal | Database | TLS transit |
### Encryption in Transit
- **TLS 1.3** required for all communications
- **HSTS** enabled with 1-year max-age
- **Certificate pinning** recommended for mobile clients
### Encryption at Rest
- Database-level encryption (PostgreSQL TDE)
- Encrypted backups
- Encrypted environment files
---
## Security Best Practices
### For Administrators
1. **Environment Setup:**
```bash
# Generate strong secrets
export JWT_SECRET_KEY=$(openssl rand -hex 32)
export POSTGRES_PASSWORD=$(openssl rand -base64 32)
```
2. **HTTPS Enforcement:**
- Never run production without HTTPS
- Use Let's Encrypt or commercial certificates
- Redirect HTTP to HTTPS
3. **Secret Rotation:**
- Rotate JWT secrets every 90 days
- Rotate database credentials every 180 days
- Revoke and regenerate API keys annually
4. **Monitoring:**
- Log all authentication failures
- Monitor rate limit violations
- Alert on suspicious patterns
### For Developers
1. **Never Log Secrets:**
```python
# ❌ NEVER DO THIS
logger.info(f"User login with password: {password}")
# ✅ CORRECT
logger.info(f"User login attempt: {user_email}")
```
2. **Validate All Input:**
- Use Pydantic models for request validation
- Sanitize user input before display
- Validate file uploads (type, size)
3. **Secure Dependencies:**
```bash
# Regularly audit dependencies
pip-audit
safety check
```
### For Users
1. **Password Guidelines:**
- Use unique passwords per service
- Enable 2FA when available
- Never share API keys
2. **API Key Management:**
- Store keys in environment variables
- Never commit keys to version control
- Rotate keys periodically
---
## Incident Response
### Security Incident Levels
| Level | Description | Response Time | Actions |
|-------|-------------|---------------|---------|
| **P1** | Data breach, unauthorized access | Immediate | Incident team, legal review |
| **P2** | Potential vulnerability | 24 hours | Security team assessment |
| **P3** | Policy violation | 72 hours | Review and remediation |
### Response Procedures
#### 1. Detection
Monitor for:
- Multiple failed authentication attempts
- Unusual API usage patterns
- Rate limit violations
- Error spikes
#### 2. Containment
```bash
# Revoke compromised API keys
# Rotate JWT secrets
# Block suspicious IP addresses
# Enable additional logging
```
#### 3. Investigation
```bash
# Review access logs
grep "suspicious-ip" /var/log/mockupaws/access.log
# Check authentication failures
grep "401\|403" /var/log/mockupaws/auth.log
```
#### 4. Recovery
- Rotate all exposed secrets
- Force password resets for affected users
- Revoke and reissue API keys
- Deploy security patches
#### 5. Post-Incident
- Document lessons learned
- Update security procedures
- Conduct security training
- Review and improve monitoring
### Contact
For security issues, contact:
- **Security Team:** security@mockupaws.com
- **Emergency:** +1-XXX-XXX-XXXX (24/7)
---
## Security Checklist
See [SECURITY-CHECKLIST.md](./SECURITY-CHECKLIST.md) for pre-deployment verification.
---
*This document is maintained by the @spec-architect team.*
*Last updated: 2026-04-07*
Reference in New Issue View Git Blame Copy Permalink