Diablo_Rain/LifeRPG_v2.0
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2b961611fd
LifeRPG_v2.0/modern/docs/SECURITY_IMPLEMENTATION_GUIDE.md
TLimoges33 2b961611fd
🚀 Major Enhancement: Complete AI-Powered LifeRPG Platform with Git LFS 
 New Features:
- AI-powered habit creation with natural language processing
- HuggingFace transformers integration for sentiment analysis (tracked via Git LFS)
- Advanced predictive analytics and behavioral insights
- Voice & image input capabilities for hands-free habit tracking
- Real-time notifications and community features
- Plugin system with extensible architecture

🔧 Technical Improvements:
- Comprehensive FastAPI backend with 30+ endpoints
- React frontend with PWA capabilities
- Advanced authentication with 2FA support
- RBAC authorization system
- Comprehensive security features (CSRF, rate limiting, audit logging)
- Database migrations and health monitoring
- Docker containerization support
- Git LFS configured for large AI model files (2+ GB)

📚 Documentation & DevOps:
- Complete deployment guides for multiple platforms
- Professional README with feature highlights
- GitHub Actions CI/CD workflows
- Comprehensive API documentation
- Security audit roadmap and compliance framework
- Setup scripts for development environment

🧪 Testing & Quality:
- Comprehensive test suite with 20+ test modules
- Setup verification scripts
- Working development environment with both backend and frontend
- Health checks and monitoring systems

🌟 Ready for:
- Portfolio showcasing
- Community contributions
- Production deployment
- Professional presentation
2025-09-28 21:29:19 +00:00

738 lines
17 KiB
Markdown
Raw Blame History

# Security Implementation Guide
## Overview
This comprehensive guide documents the security implementation for The Wizard's Grimoire application, providing detailed instructions for developers, system administrators, and security teams.
## Table of Contents
1. [Security Architecture](#security-architecture)
2. [Authentication & Authorization](#authentication--authorization)
3. [Data Protection](#data-protection)
4. [Input Validation](#input-validation)
5. [Rate Limiting](#rate-limiting)
6. [Security Headers](#security-headers)
7. [GDPR Compliance](#gdpr-compliance)
8. [Monitoring & Logging](#monitoring--logging)
9. [Development Guidelines](#development-guidelines)
10. [Deployment Security](#deployment-security)
## Security Architecture
### Multi-Layer Defense Strategy
The application implements defense in depth with multiple security layers:
```
User -> WAF -> Load Balancer -> API Gateway -> Application -> Database
| | | | | |
| | | | | |
v v v v v v
Auth DDoS TLS/mTLS Rate Limiting Input Val Encryption
Protection & API Security & Sanitization at Rest
```
### Core Security Components
#### 1. Authentication System (`modern/backend/auth.py`)
**Implementation**: JWT-based authentication with 2FA support
```python
# Key Features:
- JWT token generation and validation
- TOTP-based 2FA implementation
- Secure password hashing with bcrypt
- Token refresh mechanism
- Account lockout protection
```
**Configuration**:
```python
# Environment Variables
JWT_SECRET_KEY=<secure-random-key>
JWT_EXPIRY_HOURS=8
TOTP_ISSUER=WizardsGrimoire
ENABLE_2FA=true
```
#### 2. Authorization Middleware (`modern/backend/rbac.py`)
**Implementation**: Role-Based Access Control (RBAC)
```python
# Role Hierarchy:
USER < MODERATOR < ADMIN < SUPER_ADMIN
# Permission System:
- Resource-based permissions
- Action-based controls (read, write, delete)
- Hierarchical role inheritance
- Dynamic permission checking
```
#### 3. Input Validation (`modern/backend/schemas.py`)
**Implementation**: Pydantic-based validation with custom validators
```python
# Validation Rules:
- Email format validation
- Password complexity requirements
- SQL injection prevention
- XSS protection through sanitization
- File upload validation
```
## Authentication & Authorization
### JWT Implementation
#### Token Structure
```json
{
"header": {
"alg": "HS256",
"typ": "JWT"
},
"payload": {
"user_id": "uuid",
"email": "user@example.com",
"roles": ["user"],
"exp": 1693440000,
"iat": 1693440000,
"jti": "token-id"
}
}
```
#### Security Features
- **Secure Storage**: HTTPOnly cookies with secure flag
- **Token Rotation**: Automatic refresh on activity
- **Revocation**: Centralized token blacklist
- **Expiration**: Configurable token lifetimes
### Two-Factor Authentication (2FA)
#### Setup Process
1. User enables 2FA in account settings
2. Server generates TOTP secret
3. QR code displayed for authenticator app
4. User verifies with backup codes
5. 2FA enforced on subsequent logins
#### Implementation Details
```python
# TOTP Configuration
SECRET_LENGTH = 32
TOTP_WINDOW = 1 # ±30 seconds
BACKUP_CODES = 8 # Generated per user
```
### Role-Based Access Control
#### Role Definitions
```python
ROLES = {
"user": {
"permissions": ["read_own_data", "write_own_data"],
"level": 1
},
"moderator": {
"permissions": ["read_user_data", "moderate_content"],
"level": 2,
"inherits": ["user"]
},
"admin": {
"permissions": ["manage_users", "system_config"],
"level": 3,
"inherits": ["moderator"]
}
}
```
#### Permission Checking
```python
@require_permission("manage_users")
async def admin_endpoint(request: Request):
# Only accessible to users with manage_users permission
pass
```
## Data Protection
### Encryption at Rest
#### Database Encryption
- **Algorithm**: AES-256-GCM
- **Key Management**: Environment variables with rotation
- **Scope**: PII, passwords, sensitive user data
#### Implementation
```python
# Encrypted field example
class User(Base):
id = Column(UUID, primary_key=True)
email = Column(String) # Not encrypted (indexable)
phone = Column(EncryptedType(String)) # Encrypted
password_hash = Column(String) # Hashed, not encrypted
```
### Encryption in Transit
#### TLS Configuration
- **Version**: TLS 1.3 minimum
- **Cipher Suites**: AEAD ciphers only
- **Certificate**: Let's Encrypt with auto-renewal
#### API Security
```python
# All API endpoints require HTTPS
FORCE_HTTPS = True
HSTS_ENABLE = True
HSTS_MAX_AGE = 31536000 # 1 year
```
### Data Classification
#### Classification Levels
1. **Public**: Can be freely shared
2. **Internal**: Company internal use
3. **Confidential**: Access on need-to-know basis
4. **Restricted**: Highest protection level
#### Handling Guidelines
```python
# Data classification in code
@classify_data("confidential")
class UserProfile:
# Automatically applies appropriate protection
pass
```
## Input Validation
### Validation Framework
#### Pydantic Schemas
```python
class UserCreateSchema(BaseModel):
email: EmailStr
password: SecurePassword
name: str = Field(..., min_length=1, max_length=100)
@validator('password')
def validate_password(cls, v):
return validate_password_strength(v)
```
#### Custom Validators
```python
def validate_password_strength(password: str) -> str:
"""
Password Requirements:
- Minimum 12 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 number
- At least 1 special character
- No common passwords
"""
# Implementation details...
```
### SQL Injection Prevention
#### Parameterized Queries
```python
# Safe - parameterized query
query = "SELECT * FROM users WHERE email = %s"
result = cursor.execute(query, (user_email,))
# Unsafe - string concatenation (never do this)
query = f"SELECT * FROM users WHERE email = '{user_email}'"
```
#### ORM Usage
```python
# SQLAlchemy automatically prevents SQL injection
user = session.query(User).filter(User.email == email).first()
```
### XSS Prevention
#### Content Security Policy
```http
Content-Security-Policy: default-src 'self';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
```
#### Output Encoding
```python
from html import escape
def sanitize_output(content: str) -> str:
"""Escape HTML entities to prevent XSS"""
return escape(content)
```
## Rate Limiting
### Implementation Strategy
#### Sliding Window Algorithm
```python
# Rate limit configuration
RATE_LIMITS = {
"auth": "5/minute", # Authentication endpoints
"api": "100/minute", # General API endpoints
"upload": "10/hour", # File upload endpoints
"export": "3/hour" # Data export endpoints
}
```
#### Redis-Based Tracking
```python
class RateLimitMiddleware:
def __init__(self):
self.redis = Redis.from_url(os.getenv('REDIS_URL'))
async def check_rate_limit(self, key: str, limit: int, window: int):
# Sliding window implementation
pass
```
### Advanced Features
#### IP-Based Blocking
```python
# Automatic IP blocking after excessive violations
BLOCK_THRESHOLDS = {
"failed_auth": 10, # Block after 10 failed auth attempts
"rate_limit": 5, # Block after 5 rate limit violations
"suspicious": 3 # Block after 3 suspicious activities
}
```
#### Whitelist Management
```python
# Whitelist trusted IPs (admin access, monitoring)
RATE_LIMIT_WHITELIST = [
"192.168.1.0/24", # Internal network
"10.0.0.0/8", # Corporate VPN
]
```
## Security Headers
### Comprehensive Header Implementation
#### Security Headers Middleware
```python
SECURITY_HEADERS = {
"Content-Security-Policy": "default-src 'self'",
"X-Content-Type-Options": "nosniff",
"X-Frame-Options": "DENY",
"X-XSS-Protection": "1; mode=block",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"Referrer-Policy": "strict-origin-when-cross-origin"
}
```
#### Content Security Policy (CSP)
```python
def build_csp_header():
"""Build CSP header based on environment"""
if is_development():
# More permissive for development
return "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
else:
# Strict for production
return "default-src 'self'; script-src 'self'"
```
## GDPR Compliance
### Data Subject Rights Implementation
#### Right of Access
```python
@app.post("/api/gdpr/export")
async def export_user_data(user_id: str):
"""Export all user data in portable format"""
data = await gdpr_service.export_user_data(user_id)
return {"data": data, "format": "json"}
```
#### Right to Be Forgotten
```python
@app.delete("/api/gdpr/delete")
async def delete_user_account(user_id: str, verification_code: str):
"""Permanently delete user account and data"""
if await verify_deletion_code(user_id, verification_code):
await gdpr_service.delete_user_data(user_id)
return {"status": "deleted"}
```
#### Data Retention Policies
```python
RETENTION_POLICIES = {
"user_accounts": timedelta(days=7*365), # 7 years
"user_habits": timedelta(days=3*365), # 3 years
"analytics_data": timedelta(days=2*365), # 2 years
"security_logs": timedelta(days=1*365), # 1 year
"audit_logs": timedelta(days=7*365) # 7 years
}
```
### Privacy by Design
#### Data Minimization
```python
class UserRegistration:
# Only collect necessary data
email: str # Required for authentication
password: str # Required for security
name: str # Required for personalization
# phone: Optional # Only collect if needed
```
#### Purpose Limitation
```python
@track_data_usage("analytics")
def collect_usage_metrics(user_id: str, action: str):
"""Track usage only for specified analytics purpose"""
pass
```
## Monitoring & Logging
### Security Event Logging
#### Structured Logging
```python
import structlog
security_logger = structlog.get_logger("security")
def log_auth_attempt(user_id: str, success: bool, ip: str):
security_logger.info(
"authentication_attempt",
user_id=user_id,
success=success,
source_ip=ip,
timestamp=datetime.utcnow().isoformat()
)
```
#### Log Categories
```python
LOG_CATEGORIES = {
"authentication": ["login", "logout", "2fa", "password_reset"],
"authorization": ["permission_denied", "role_change"],
"data_access": ["read", "write", "delete", "export"],
"security_events": ["suspicious_activity", "rate_limit", "blocked_ip"]
}
```
### Real-Time Monitoring
#### Security Metrics
```python
MONITORED_METRICS = {
"failed_auth_rate": "Failed authentication attempts per minute",
"suspicious_ip_count": "Number of IPs with suspicious activity",
"rate_limit_violations": "Rate limit violations per hour",
"data_export_requests": "GDPR data export requests per day"
}
```
#### Alert Thresholds
```python
ALERT_THRESHOLDS = {
"failed_auth_rate": 10, # Alert if >10 failures/minute
"suspicious_activity": 5, # Alert if >5 suspicious events
"data_breach_indicators": 1 # Alert immediately
}
```
## Development Guidelines
### Secure Coding Practices
#### Code Review Checklist
- [ ] Input validation on all user inputs
- [ ] Parameterized queries for database access
- [ ] Proper error handling without information disclosure
- [ ] Authentication and authorization checks
- [ ] Secure data storage (encryption for sensitive data)
- [ ] Security headers implementation
- [ ] GDPR compliance for data processing
#### Testing Requirements
```python
# Security test example
def test_sql_injection_protection():
malicious_input = "'; DROP TABLE users; --"
response = client.post("/api/search", json={"query": malicious_input})
assert response.status_code == 400 # Should be rejected
```
### Environment Management
#### Development vs Production
```python
# Development settings
if ENVIRONMENT == "development":
DEBUG = True
CORS_ALLOW_ALL = True
RATE_LIMIT_DISABLED = True
# Production settings
elif ENVIRONMENT == "production":
DEBUG = False
CORS_ALLOW_ALL = False
FORCE_HTTPS = True
HSTS_ENABLE = True
```
#### Secret Management
```bash
# Use environment variables for secrets
export JWT_SECRET_KEY=$(openssl rand -base64 32)
export DATABASE_PASSWORD=$(vault kv get -field=password secret/db)
export ENCRYPTION_KEY=$(vault kv get -field=key secret/encryption)
```
## Deployment Security
### Container Security
#### Dockerfile Best Practices
```dockerfile
# Use specific version tags
FROM python:3.11-slim
# Create non-root user
RUN adduser --system --group appuser
# Install security updates
RUN apt-get update && apt-get upgrade -y
# Set secure permissions
COPY --chown=appuser:appuser . /app
USER appuser
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s \
CMD curl -f http://localhost:8000/health || exit 1
```
#### Docker Compose Security
```yaml
version: "3.8"
services:
app:
build: .
user: "1000:1000"
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
networks:
- app-network
networks:
app-network:
driver: bridge
internal: true
```
### Infrastructure Security
#### Network Segmentation
```yaml
# docker-compose.yml network configuration
networks:
frontend:
driver: bridge
backend:
driver: bridge
internal: true # No external access
database:
driver: bridge
internal: true # Database isolated
```
#### TLS Configuration
```nginx
# Nginx TLS configuration
ssl_protocols TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
```
## Security Maintenance
### Regular Security Tasks
#### Weekly Tasks
- [ ] Review security logs for anomalies
- [ ] Check for new security advisories
- [ ] Validate backup integrity
- [ ] Update threat intelligence feeds
#### Monthly Tasks
- [ ] Security dependency updates
- [ ] Access review and cleanup
- [ ] Vulnerability scanning
- [ ] Incident response plan review
#### Quarterly Tasks
- [ ] Penetration testing
- [ ] Security awareness training
- [ ] Compliance audit
- [ ] Disaster recovery testing
### Incident Response
#### Immediate Response (0-15 minutes)
1. Identify and classify the incident
2. Activate incident response team
3. Contain the threat
4. Preserve evidence
#### Short-term Response (15 minutes - 2 hours)
1. Investigate root cause
2. Eradicate the threat
3. Begin recovery procedures
4. Notify stakeholders
#### Long-term Response (2+ hours)
1. Complete system recovery
2. Conduct post-incident review
3. Update security measures
4. Document lessons learned
## Compliance Frameworks
### GDPR Compliance Checklist
- [ ] Privacy policy published and accessible
- [ ] Consent mechanisms implemented
- [ ] Data subject rights functionality
- [ ] Data protection impact assessments
- [ ] Data breach notification procedures
- [ ] Privacy by design principles
### Security Standards Alignment
- [ ] OWASP Top 10 protection
- [ ] NIST Cybersecurity Framework
- [ ] ISO 27001 controls implementation
- [ ] SOC 2 Type II readiness
## Troubleshooting
### Common Security Issues
#### Authentication Problems
```python
# Debug authentication issues
def debug_auth_failure(token: str):
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
return {"status": "valid", "payload": payload}
except jwt.ExpiredSignatureError:
return {"status": "expired"}
except jwt.InvalidTokenError:
return {"status": "invalid"}
```
#### Rate Limiting Issues
```python
# Check rate limit status
def check_rate_limit_status(ip: str):
key = f"rate_limit:{ip}"
current = redis.get(key)
ttl = redis.ttl(key)
return {"current": current, "ttl": ttl}
```
#### GDPR Compliance Issues
```python
# Verify GDPR compliance status
def check_gdpr_compliance(user_id: str):
user = get_user(user_id)
return {
"data_retention_compliant": check_retention_policy(user),
"consent_status": check_consent_status(user),
"data_processing_legal": check_legal_basis(user)
}
```
---
**Document Version**: 1.0
**Last Updated**: August 30, 2025
**Next Review**: November 30, 2025
**Maintained By**: Security Team
Reference in New Issue View Git Blame Copy Permalink