Security Policy
Overview
This project implements a layered security model with:
- Secure password hashing (bcrypt)
- Hashed verification and reset tokens (SHA-256)
- Role-based authorization
- Audit logging
- Environment-based email handling
- Configurable CORS
Authentication
Passwords are hashed using bcrypt before storage.
Email verification is required before login.
Reset and verification tokens:
- At least 32 bytes from a cryptographically secure random source
- SHA-256 hashed before database storage
- Expiration enforced
- One-time use
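As an added illustration of the token rules above (this is example code, not the project's own implementation): a token is drawn from crypto/rand, only its SHA-256 digest is persisted, and the consume path checks the used flag and the expiry before burning the record. The in-memory TokenStore, the TokenRecord field names and the hex encoding of the digest are assumptions standing in for whatever table the project actually uses.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// TokenRecord is the only thing persisted: the SHA-256 digest of the token,
// never the token itself, plus expiry and a used flag. Field names assumed.
type TokenRecord struct {
	UserID    int64
	Hash      string // hex SHA-256 of the raw token
	ExpiresAt time.Time
	Used      bool
}

// TokenStore is an in-memory stand-in for the project's token table.
type TokenStore struct{ Records []*TokenRecord }

const tokenBytes = 32 // policy minimum: 256 bits of entropy

var (
	ErrTokenInvalid = errors.New("token invalid")
	ErrTokenExpired = errors.New("token expired")
	ErrTokenUsed    = errors.New("token already used")
)

// HashToken is the one-way mapping stored in the database: a leaked table
// does not let an attacker complete anyone's reset or verification.
func HashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// NewToken draws 32 bytes from crypto/rand, returns the URL-safe token that
// goes into the email link, and persists only its hash and expiry.
func (s *TokenStore) NewToken(userID int64, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, tokenBytes)
	if _, err := rand.Read(raw); err != nil {
		return "", fmt.Errorf("generate token: %w", err)
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.Records = append(s.Records, &TokenRecord{
		UserID:    userID,
		Hash:      HashToken(token),
		ExpiresAt: now.Add(ttl),
	})
	return token, nil
}

// Consume looks the token up by hash, then enforces one-time use and expiry
// before marking it used. The invalid/expired/used distinction is for the
// server log; the user-facing message should be the same for all three.
func (s *TokenStore) Consume(token string, now time.Time) (int64, error) {
	want := []byte(HashToken(token))
	for _, rec := range s.Records {
		// A real database would index on Hash; an equality lookup is fine
		// there because the caller never learns the stored digest. In this
		// in-memory loop a constant-time compare costs nothing.
		if subtle.ConstantTimeCompare(want, []byte(rec.Hash)) != 1 {
			continue
		}
		if rec.Used {
			return 0, ErrTokenUsed
		}
		if now.After(rec.ExpiresAt) {
			return 0, ErrTokenExpired
		}
		rec.Used = true
		return rec.UserID, nil
	}
	return 0, ErrTokenInvalid
}

func main() {
	store := &TokenStore{}
	token, err := store.NewToken(42, time.Hour, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("link token: ", token)
	fmt.Println("stored hash:", store.Records[0].Hash)
	uid, err := store.Consume(token, time.Now())
	fmt.Println("first use: ", uid, err)
	_, err = store.Consume(token, time.Now())
	fmt.Println("second use:", err)
}
```

The clock is passed in rather than read inside the store so expiry can be tested deterministically; in production callers simply pass `time.Now()`.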
Authorization
Access control enforced via middleware:
- RequireAuth
- RequireAdmin
No authorization logic is implemented in templates.
Session Security
- HttpOnly cookies
- SameSite=Lax
- Secure flag enabled in production
- Session key configured via environment variable
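The following added example (not code from this project) shows both the Authorization and Session Security sections together: a cookie built with the flags listed above, and RequireAuth / RequireAdmin middleware layered so that an admin route can never be reached by an anonymous or non-admin caller. The in-memory SessionStore, the User struct, the cookie name `session` and the `APP_ENV` variable are assumptions; the policy only states that the session key comes from the environment.

```go
package main

import (
	"context"
	"net/http"
	"os"
)

// User is a minimal stand-in for the project's user model (assumed shape).
type User struct {
	ID    int64
	Email string
	Admin bool
}

type userKey struct{}

// SessionStore maps opaque session IDs to users. An in-memory stand-in for
// whatever backend the project protects with its session key.
type SessionStore struct{ sessions map[string]User }

func NewSessionStore() *SessionStore              { return &SessionStore{sessions: map[string]User{}} }
func (s *SessionStore) Put(id string, u User)     { s.sessions[id] = u }
func (s *SessionStore) Get(id string) (User, bool) { u, ok := s.sessions[id]; return u, ok }

// IsProduction reads the deployment mode; the APP_ENV name is an assumption.
func IsProduction() bool { return os.Getenv("APP_ENV") == "production" }

// SessionCookie applies the policy's flags: HttpOnly and SameSite=Lax always,
// Secure only in production so plain-HTTP local development still works.
func SessionCookie(id string, production bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		Secure:   production,
	}
}

// RequireAuth rejects requests without a valid session and places the user in
// the request context; handlers and templates never re-check the cookie.
func RequireAuth(store *SessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		u, ok := store.Get(c.Value)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, u)))
	})
}

// RequireAdmin layers on RequireAuth: anonymous callers get 401, authenticated
// non-admins get 403, so the admin check cannot be bypassed by skipping auth.
func RequireAdmin(store *SessionStore, next http.Handler) http.Handler {
	return RequireAuth(store, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, ok := UserFromContext(r.Context()); !ok || !u.Admin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	}))
}

// UserFromContext is what handlers call after the middleware has run.
func UserFromContext(ctx context.Context) (User, bool) {
	u, ok := ctx.Value(userKey{}).(User)
	return u, ok
}

func main() {
	store := NewSessionStore()
	store.Put("sid-alice", User{ID: 1, Email: "alice@example.com"})
	store.Put("sid-root", User{ID: 2, Email: "root@example.com", Admin: true})

	hello := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, _ := UserFromContext(r.Context())
		w.Write([]byte("hello " + u.Email + "\n"))
	})
	mux := http.NewServeMux()
	mux.Handle("/me", RequireAuth(store, hello))
	mux.Handle("/admin", RequireAdmin(store, hello))
	mux.HandleFunc("/login-demo", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, SessionCookie("sid-alice", IsProduction()))
	})
	http.ListenAndServe("127.0.0.1:8080", mux)
}
```

Because RequireAdmin is built on RequireAuth rather than duplicating the cookie lookup, there is exactly one place that decides whether a request is authenticated, which is what "no authorization logic in templates" buys you in practice.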
Email Security
Development mode:
- Emails are written to filesystem
- No external transmission
Production mode:
- SMTP authenticated delivery
Audit Logging
The system logs:
- Signup
- Login
- Email verification
- Password reset
- Admin actions
Logs contain:
- UserID
- Action
- Entity
- EntityID
- IP
- UserAgent
- Timestamp
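As an added example of the audit record above (not the project's own logger): one JSON object per event carrying exactly the listed fields. Two details matter for a log that is supposed to be trusted during incident response. The IP is taken from X-Forwarded-For only when a trusted reverse proxy is in front of the app, since otherwise that header is attacker-controlled; and the record is JSON-encoded, so a User-Agent containing newlines or quotes cannot forge an extra log line. The field types, the 256-byte User-Agent cap and the TrustProxy switch are assumptions.

```go
package main

import (
	"encoding/json"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
	"time"
)

// AuditEvent carries exactly the fields listed in the policy. Field types are
// assumptions; the project's own schema is not shown.
type AuditEvent struct {
	UserID    int64     `json:"user_id"`
	Action    string    `json:"action"`
	Entity    string    `json:"entity"`
	EntityID  string    `json:"entity_id"`
	IP        string    `json:"ip"`
	UserAgent string    `json:"user_agent"`
	Timestamp time.Time `json:"timestamp"`
}

// AuditLogger writes one JSON object per line to Out.
type AuditLogger struct {
	Out        io.Writer
	TrustProxy bool             // true only when a trusted reverse proxy sets X-Forwarded-For
	Now        func() time.Time // injectable clock (assumed design)
}

const maxUserAgent = 256

// ClientIP returns the first X-Forwarded-For hop when a trusted proxy sits in
// front of the app; otherwise the header is whatever the client sent and the
// TCP peer address from RemoteAddr is the only trustworthy value.
func ClientIP(r *http.Request, trustProxy bool) string {
	if trustProxy {
		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
			return strings.TrimSpace(strings.Split(xff, ",")[0])
		}
	}
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// Log builds the event from the request and writes it. userID 0 is used here
// for unauthenticated events such as a failed login (convention assumed).
func (l *AuditLogger) Log(r *http.Request, userID int64, action, entity, entityID string) (AuditEvent, error) {
	ua := r.UserAgent()
	if len(ua) > maxUserAgent {
		ua = ua[:maxUserAgent] // cap an attacker-controlled field
	}
	ev := AuditEvent{
		UserID:    userID,
		Action:    action,
		Entity:    entity,
		EntityID:  entityID,
		IP:        ClientIP(r, l.TrustProxy),
		UserAgent: ua,
		Timestamp: l.Now().UTC(),
	}
	// json.Encoder escapes control characters and appends a single newline,
	// so the output stays one record per line whatever the client sent.
	return ev, json.NewEncoder(l.Out).Encode(ev)
}

func main() {
	logger := &AuditLogger{Out: os.Stdout, Now: time.Now}
	// Constructed request standing in for a real login; not captured traffic.
	req, _ := http.NewRequest("POST", "/login", nil)
	req.RemoteAddr = "203.0.113.5:51234"
	req.Header.Set("User-Agent", "Mozilla/5.0 (example)")
	logger.Log(req, 42, "login", "user", "42")
}
```

The clock is injected so tests can pin the Timestamp; the Action, Entity and EntityID strings are whatever the calling handler passes (for example `"password_reset"`, `"user"`, the user's ID), which keeps the logger ignorant of business logic.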