- Argon2id password hashing
- Password-complexity and minimum-length validation
- Generic password-recovery and verification responses
- Temporary lockout after repeated failed logins
- JWT issuer, expiry, type and required-claim validation
- Short access-token lifetime
- Rotating refresh tokens stored as JTI hashes
- Refresh-token family revocation after reuse detection
- Per-session and global session revocation
- Encrypted TOTP secrets using Fernet with a derived encryption key
- Hashed single-use backup codes
- API keys returned once and stored only as SHA-256 hashes
- API-key scope intersection with the owning user's permissions
- Hashed one-time verification, reset, invitation and email-change tokens
- Role and permission checks on privileged routes
- Organization role enforcement for tenant operations
- Audit records containing actor, action, outcome, request ID, IP and user agent
- Request IDs and defensive response headers
- Redis-backed rate limiting with local fallback
- Soft deletion and session revocation for deleted or disabled accounts
- Store signing and encryption secrets in a managed secrets service.
- Use long, independent, randomly generated secrets and rotate them safely.
- Disable
EXPOSE_DEBUG_TOKENSandDEBUG. - Require HTTPS at the ingress and use secure network policies.
- Configure a real SMTP or transactional-email provider.
- Restrict CORS origins and trusted hosts.
- Use PostgreSQL with encrypted backups and tested restore procedures.
- Centralize audit logs in append-only or tamper-evident storage.
- Add metrics, anomaly alerts and security incident runbooks.
- Perform SAST, dependency scanning, DAST and penetration testing.
Every login creates a token family. Refreshing revokes the current token and issues its replacement in the same family. Presenting an already-rotated token is treated as potential theft and revokes every active token in that family.
The TOTP seed is encrypted before database storage. The encryption key is derived from ENCRYPTION_SECRET. In a high-assurance deployment, replace this with envelope encryption through a KMS or HSM.
Do not disclose sensitive vulnerabilities publicly. Share a minimal reproduction privately with the system owner, including the affected route, impact and recommended remediation.