familienarchiv/docs/architecture/c4/l3-backend-3a-security.puml
Marcel 9b21d6aee8
Some checks failed
CI / Unit & Component Tests (pull_request) Successful in 3m1s
CI / OCR Service Tests (pull_request) Successful in 19s
CI / Backend Unit Tests (pull_request) Successful in 2m57s
CI / fail2ban Regex (pull_request) Successful in 42s
CI / Semgrep Security Scan (pull_request) Successful in 19s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m3s
CI / Unit & Component Tests (push) Successful in 3m3s
CI / OCR Service Tests (push) Successful in 17s
CI / Backend Unit Tests (push) Successful in 2m58s
CI / fail2ban Regex (push) Successful in 42s
CI / Semgrep Security Scan (push) Successful in 19s
CI / Compose Bucket Idempotency (push) Successful in 58s
nightly / deploy-staging (push) Failing after 3m35s
docs(c4): l3-security includes auth package and Spring Session JDBC
Replace the stale Basic-Auth picture with the post-#523 model:
AuthSessionController + AuthService (the new auth/ package), Spring Session
JDBC (spring_session*, 8h idle timeout, fa_session cookie), and the
ChangeSessionIdAuthenticationStrategy bean used by login to defend against
session fixation. Addresses PR #612 / Markus M3.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 22:54:55 +02:00

2.9 KiB

Component Diagram: API Backend — Security & Authentication

Container: API Backend (Spring Boot) [system]

Components:

AuthSessionController «component» [@RestController, org.raddatz.familienarchiv.auth]
    POST /api/auth/login validates credentials, rotates the session ID via SessionAuthenticationStrategy (CWE-384 defense), and attaches the SecurityContext to the new session.
    POST /api/auth/logout invalidates the session unconditionally, then best-effort audits.

AuthService «component» [@Service, org.raddatz.familienarchiv.auth]
    Delegates credential validation to AuthenticationManager (DaoAuthenticationProvider — timing-equalised via dummy BCrypt on misses).
    Emits LOGIN_SUCCESS / LOGIN_FAILED / LOGOUT audit entries without ever logging the password attempt.

Security Filter Chain «component» [Spring Security]
    Permits /api/auth/login, /api/auth/forgot-password, /api/auth/reset-password, /api/auth/invite/**, /api/auth/register; everything else requires an authenticated session.
    Returns 401 (not 302) on missing/expired session.
    CSRF is disabled pending #524.

Spring Session JDBC «component» [spring-boot-starter-session-jdbc]
    Persists sessions in spring_session / spring_session_attributes (Flyway V67).
    8-hour idle timeout.
    Cookie name fa_session, SameSite=Strict, HttpOnly, Secure behind Caddy.
    Indexes the session by Principal name for revocation in #524.

PermissionAspect «component» [Spring AOP]
    Intercepts methods annotated with @RequirePermission.
    Checks the authenticated user's granted authorities against the required permission.
    Throws 401/403 if denied.

SecurityConfig «component» [Spring @Configuration]
    Wires the filter chain, BCryptPasswordEncoder, DaoAuthenticationProvider, AuthenticationManager, and the ChangeSessionIdAuthenticationStrategy bean used by AuthSessionController.

CustomUserDetailsService «component» [Spring Security UserDetailsService]
    Loads AppUser by email from DB.
    Converts group permissions to Spring GrantedAuthority objects.

External containers:

Web Frontend «container» [SvelteKit]
PostgreSQL «container» [PostgreSQL 16]

Relationships:

Web Frontend -> AuthSessionController: POST /api/auth/login + /logout [HTTPS, JSON]
Web Frontend -> Security Filter Chain: All other API calls [HTTPS + fa_session cookie]
AuthSessionController -> AuthService: Validate creds + audit
AuthSessionController -> Spring Session JDBC: getSession() / invalidate()
AuthService -> SecurityConfig: Authenticates via AuthenticationManager
Security Filter Chain -> Spring Session JDBC: Resolves session by fa_session cookie
Security Filter Chain -> PermissionAspect: Authenticated requests reach guarded service methods
SecurityConfig -> CustomUserDetailsService: Wires as UserDetailsService
CustomUserDetailsService -> PostgreSQL: Loads user by email [JDBC]
Spring Session JDBC -> PostgreSQL: spring_session, spring_session_attributes [JDBC]
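As an added illustration, not the project's code and not the content of this .puml file, the Java sketch below wires the beans the diagram names (BCryptPasswordEncoder, AuthenticationManager, ChangeSessionIdAuthenticationStrategy, a 401 entry point, the permitted paths, the fa_session cookie flags) and shows why login rotates the session ID before the SecurityContext is saved and why logout invalidates before it audits. The class names with the Example suffix, the LoginRequest record and the "audit" SLF4J logger are assumptions; the paths, cookie name and flags come from the diagram.

```java
// Added example, not the project's own code. Names ending in "Example" and the
// "audit" logger are hypothetical; the paths and cookie settings follow the diagram.
import jakarta.servlet.http.*;
import org.slf4j.*;
import org.springframework.context.annotation.*;
import org.springframework.http.*;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.*;
import org.springframework.security.core.context.*;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.session.*;
import org.springframework.security.web.context.*;
import org.springframework.session.web.http.DefaultCookieSerializer;
import org.springframework.web.bind.annotation.*;

@Configuration
class SecurityConfigExample {
    @Bean PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }

    // The DaoAuthenticationProvider Spring builds from the UserDetailsService + encoder
    // runs a dummy BCrypt match for unknown users, so a miss takes as long as a hit.
    @Bean AuthenticationManager authenticationManager(AuthenticationConfiguration cfg) throws Exception {
        return cfg.getAuthenticationManager();
    }

    // CWE-384 defence: replace the session ID at login but keep the session's attributes.
    @Bean SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new ChangeSessionIdAuthenticationStrategy();
    }

    @Bean SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    // Cookie attributes from the diagram; Secure only has effect behind TLS (Caddy here).
    @Bean DefaultCookieSerializer cookieSerializer() {
        DefaultCookieSerializer s = new DefaultCookieSerializer();
        s.setCookieName("fa_session");
        s.setSameSite("Strict");
        s.setUseHttpOnlyCookie(true);
        s.setUseSecureCookie(true);
        return s;
    }

    @Bean SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repo) throws Exception {
        http.csrf(csrf -> csrf.disable())                 // disabled pending #524, as the diagram states
            .securityContext(sc -> sc.securityContextRepository(repo))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/login", "/api/auth/forgot-password",
                                 "/api/auth/reset-password", "/api/auth/invite/**",
                                 "/api/auth/register").permitAll()
                .anyRequest().authenticated())
            // API clients get a plain 401, never a 302 to a login page.
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .formLogin(f -> f.disable())
            .httpBasic(b -> b.disable());
        return http.build();
    }
}

@RestController
class AuthSessionControllerExample {
    private static final Logger audit = LoggerFactory.getLogger("audit"); // hypothetical audit sink
    private final AuthenticationManager authenticationManager;
    private final SessionAuthenticationStrategy sessionStrategy;
    private final SecurityContextRepository contextRepository;

    AuthSessionControllerExample(AuthenticationManager am, SessionAuthenticationStrategy s, SecurityContextRepository r) {
        this.authenticationManager = am; this.sessionStrategy = s; this.contextRepository = r;
    }

    record LoginRequest(String email, String password) {}

    @PostMapping("/api/auth/login")
    ResponseEntity<Void> login(@RequestBody LoginRequest body, HttpServletRequest req, HttpServletResponse res) {
        Authentication auth;
        try {
            auth = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(body.email(), body.password()));
        } catch (AuthenticationException e) {
            audit.info("LOGIN_FAILED email={}", body.email());   // the password attempt is never logged
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }
        // Rotate first: a session ID planted before login is dead after this call. If the client
        // had no session yet there is nothing to rotate, and saveContext() creates a fresh one.
        sessionStrategy.onAuthentication(auth, req, res);
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        contextRepository.saveContext(ctx, req, res);   // binds the context to the NEW session ID
        audit.info("LOGIN_SUCCESS email={}", body.email());
        return ResponseEntity.noContent().build();
    }

    @PostMapping("/api/auth/logout")
    ResponseEntity<Void> logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) session.invalidate();      // unconditional, before any audit work
        SecurityContextHolder.clearContext();
        audit.info("LOGOUT");                           // best-effort, after invalidation
        return ResponseEntity.noContent().build();
    }
}
```

The ordering inside login is the point: onAuthentication() runs before saveContext(), so the SecurityContext is only ever written under the freshly issued ID, and the pre-login ID cannot be replayed as an authenticated session. With Spring Session JDBC the rotation is a new primary key in spring_session rather than a container-local change, so the check to run is that the session row ID in the database differs before and after a successful login. The idle timeout is not set here; with spring-boot-starter-session-jdbc it comes from the spring.session.timeout property (the diagram's 8h).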