Skip to content

Security: ShivamMathtech/Enterprise-Authentication-Service

Security

SECURITY.md

Security Guide

Implemented controls

  • Argon2id password hashing
  • Password-complexity and minimum-length validation
  • Generic password-recovery and verification responses
  • Temporary lockout after repeated failed logins
  • JWT issuer, expiry, type and required-claim validation
  • Short access-token lifetime
  • Rotating refresh tokens stored as JTI hashes
  • Refresh-token family revocation after reuse detection
  • Per-session and global session revocation
  • Encrypted TOTP secrets using Fernet with a derived encryption key
  • Hashed single-use backup codes
  • API keys returned once and stored only as SHA-256 hashes
  • API-key scope intersection with the owning user's permissions
  • Hashed one-time verification, reset, invitation and email-change tokens
  • Role and permission checks on privileged routes
  • Organization role enforcement for tenant operations
  • Audit records containing actor, action, outcome, request ID, IP and user agent
  • Request IDs and defensive response headers
  • Redis-backed rate limiting with local fallback
  • Soft deletion and session revocation for deleted or disabled accounts

Required production changes

  1. Store signing and encryption secrets in a managed secrets service.
  2. Use long, independent, randomly generated secrets and rotate them safely.
  3. Disable EXPOSE_DEBUG_TOKENS and DEBUG.
  4. Require HTTPS at the ingress and use secure network policies.
  5. Configure a real SMTP or transactional-email provider.
  6. Restrict CORS origins and trusted hosts.
  7. Use PostgreSQL with encrypted backups and tested restore procedures.
  8. Centralize audit logs in append-only or tamper-evident storage.
  9. Add metrics, anomaly alerts and security incident runbooks.
  10. Perform SAST, dependency scanning, DAST and penetration testing.

Refresh-token reuse detection

Every login creates a token family. Refreshing revokes the current token and issues its replacement in the same family. Presenting an already-rotated token is treated as potential theft and revokes every active token in that family.

MFA storage

The TOTP seed is encrypted before database storage. The encryption key is derived from ENCRYPTION_SECRET. In a high-assurance deployment, replace this with envelope encryption through a KMS or HSM.

Reporting vulnerabilities

Do not disclose sensitive vulnerabilities publicly. Share a minimal reproduction privately with the system owner, including the affected route, impact and recommended remediation.

There aren't any published security advisories