backend-server-v2/security.md

Security Policy

Overview

This project implements a layered security model with:

• Secure password hashing (bcrypt)
• Hashed verification and reset tokens (SHA-256)
• Role-based authorization
• Audit logging
• Environment-based email handling
• Configurable CORS

---

Authentication

Passwords are hashed using bcrypt before storage.

Email verification is required before login.

Reset and verification tokens:

• Random 32+ bytes
• SHA-256 hashed before database storage
• Expiration enforced
• One-time use

---

Authorization

Access control enforced via middleware:

• RequireAuth
• RequireAdmin

No authorization logic is implemented in templates.

---

Session Security

• HttpOnly cookies
• SameSite=Lax
• Secure flag enabled in production
• Session key configured via environment variable

---

Email Security

Develop mode:

• Emails are written to filesystem
• No external transmission

Production mode:

• SMTP authenticated delivery

---

Audit Logging

The system logs:

• Signup
• Login
• Email verification
• Password reset
• Admin actions

Logs contain:

• UserID
• Action
• Entity
• EntityID
• IP
• UserAgent
• Timestamp