Diablo_Rain/LifeRPG_v2.0
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
7fe4ae5365
LifeRPG_v2.0/docs/SECURITY.md
TLimoges33 7fe4ae5365
🧙‍♂️ Transform LifeRPG into The Wizard's Grimoire - Production-Ready Application 
 Major Features Added:
- Complete magical theming and rebranding from LifeRPG to The Wizard's Grimoire
- Production-grade React frontend with Tailwind CSS v4 and magical aesthetics
- Comprehensive analytics dashboard with Recharts integration (ScryingPortal)
- Push notifications system with PWA service worker support
- Drag & drop functionality using @dnd-kit for habit reordering
- Social features with friends system and leaderboards
- Performance optimization tools and monitoring
- Mobile app enhancement with PWA installation support

🏗️ Technical Infrastructure:
- Advanced service worker with offline support and background sync
- Zustand state management for scalable application state
- Production-ready UI component system with enhanced Button, Card, Input
- Progressive Web App (PWA) with manifest and app installation
- FastAPI backend with comprehensive API endpoints
- Docker containerization and CI/CD pipeline setup

📱 Progressive Web App Features:
- Offline functionality with intelligent caching
- Push notification support for habit reminders
- App installation on mobile and desktop platforms
- Background sync for offline data management
- Performance monitoring and optimization tools

🎨 User Experience:
- Magical wizard/grimoire theming throughout application
- Responsive design optimized for all device sizes
- Drag & drop habit management with smooth animations
- Interactive analytics with multiple chart types
- Social connectivity with friends and competitive features
- Comprehensive notification and performance settings

🔧 Developer Experience:
- Modern development stack with Vite and React
- Comprehensive testing setup and CI/CD pipelines
- Code quality tools with pre-commit hooks
- Docker development environment
- Detailed documentation and implementation guides

This represents a complete transformation from prototype to production-ready application with enterprise-grade features and magical user experience.
2025-08-30 17:32:42 +00:00

14 KiB
Raw Blame History

LifeRPG Security Guide

This document outlines the security measures implemented in LifeRPG, vulnerability reporting procedures, and best practices for secure deployment.

Table of Contents

  1. Security Model
  2. Authentication & Authorization
  3. Data Protection
  4. API Security
  5. Dependency Security
  6. Plugin Security
  7. Vulnerability Reporting
  8. Security Testing
  9. Deployment Security
  10. Compliance & Privacy

Security Model

LifeRPG implements a defense-in-depth security model with multiple layers of protection:

Security Principles

  • Zero Trust: All requests are authenticated and authorized regardless of source
  • Principle of Least Privilege: Components only have access to what they need
  • Defense in Depth: Multiple security controls at different layers
  • Secure by Default: Security features enabled by default
  • Privacy by Design: Data minimization and protection built-in

Threat Model

Key threats addressed:

  1. Unauthorized Access: Prevented through robust authentication and authorization
  2. Data Exposure: Mitigated through encryption and access controls
  3. Injection Attacks: Prevented through input validation and parameterized queries
  4. Cross-Site Scripting (XSS): Mitigated through content security policy and output encoding
  5. Cross-Site Request Forgery (CSRF): Prevented through anti-CSRF tokens
  6. Denial of Service: Mitigated through rate limiting and resource controls
  7. Supply Chain Attacks: Addressed through dependency scanning and SBOM
  8. Plugin Vulnerabilities: Contained through sandboxing and permission controls

Authentication & Authorization

Authentication Methods

LifeRPG supports multiple secure authentication methods:

  1. OAuth2/OIDC: Integration with identity providers using PKCE

    • Google, GitHub, Microsoft, etc.
    • Authorization code flow with PKCE for SPAs and mobile
    • Optional audience and issuer validation
    • RP-initiated logout support

  2. Two-Factor Authentication (2FA)

    • TOTP (Time-based One-Time Password)
    • Recovery codes for backup access
    • Session management with primary/alt sessions

  3. API Tokens

    • Fine-grained permissions
    • Expiring tokens with rotation
    • Token revocation support

Token Security

  • JWT Security: Short-lived tokens with proper signing
  • Secure Storage: Tokens stored securely (HTTPOnly, Secure cookies)
  • Token Validation: Thorough validation of token claims
  • Refresh Token Rotation: One-time use refresh tokens

Authorization

  • Role-Based Access Control (RBAC): User roles with specific permissions
  • Attribute-Based Access Control (ABAC): Fine-grained permissions based on attributes
  • Resource Ownership: Users can only access their own data
  • Permission Checks: Consistent permission validation throughout the application

Code example:

# API endpoint with permission check
@router.get("/habits/{habit_id}", response_model=HabitRead)
async def get_habit(
    habit_id: int,
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    habit = await habit_service.get_habit(db, habit_id)
    if not habit:
        raise HTTPException(status_code=404, detail="Habit not found")
    
    # Permission check
    if habit.user_id != current_user.id and not current_user.has_role("admin"):
        raise HTTPException(status_code=403, detail="Not authorized")
    
    return habit

Data Protection

Data at Rest

  • Database Encryption: Sensitive fields encrypted in database
  • Secure Storage: Secure storage options for sensitive user data
  • Encryption Keys: Proper key management and rotation

Data in Transit

  • TLS/HTTPS: All communications encrypted with TLS 1.2+
  • HSTS: HTTP Strict Transport Security enabled
  • Certificate Management: Proper certificate validation and pinning

Data Classification

Data is classified into sensitivity levels with appropriate controls:

  1. Public Data: Non-sensitive, publicly accessible information
  2. User Data: Personal data requiring authentication
  3. Sensitive Data: Requiring additional protection (e.g., OAuth tokens)
  4. System Data: Configuration and security settings

Data Minimization

  • Purpose Limitation: Data collected only for specific purposes
  • Storage Limitation: Data retained only as long as necessary
  • Data Anonymization: Personal data anonymized where possible

API Security

Input Validation

  • Schema Validation: All inputs validated against Pydantic schemas
  • Type Checking: Strong typing throughout the application
  • Sanitization: Input sanitization for special contexts (e.g., HTML)
# Input validation with Pydantic
class HabitCreate(BaseModel):
    title: str = Field(..., min_length=1, max_length=100)
    description: Optional[str] = Field(None, max_length=1000)
    frequency: str = Field(..., pattern="^(daily|weekly|monthly|custom)$")
    xp_reward: int = Field(..., ge=1, le=100)
    
    @validator('title')
    def title_must_not_contain_html(cls, v):
        if re.search(r'<[^>]*>', v):
            raise ValueError('Title must not contain HTML tags')
        return v

Request Limiting

  • Rate Limiting: Per-user and per-IP rate limits
  • Concurrent Request Limiting: Prevent resource exhaustion
  • Request Size Limiting: Maximum body size enforced
# Rate limiting middleware
app.add_middleware(
    RateLimitMiddleware,
    rate=30,  # requests
    period=60,  # seconds
    storage=redis_storage,
    exclude_endpoints=["/health", "/metrics"],
)

Security Headers

  • Content-Security-Policy (CSP): Restricts sources of executable scripts
  • X-Content-Type-Options: Prevents MIME type sniffing
  • X-Frame-Options: Prevents clickjacking
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Restricts browser features
# Security headers middleware
app.add_middleware(
    SecurityHeadersMiddleware,
    csp="default-src 'self'; script-src 'self'; connect-src 'self';",
    hsts=True,
    frame_options="DENY",
    content_type_options=True,
    referrer_policy="same-origin",
    permissions_policy="camera=(), microphone=(), geolocation=()",
)

CSRF Protection

  • Double Submit Cookie: CSRF token validation
  • Same-Site Cookies: Cookies with SameSite=Lax/Strict
  • Origin Checking: Validate Origin/Referer headers

Dependency Security

Software Bill of Materials (SBOM)

LifeRPG maintains a comprehensive SBOM that:

  • Lists all direct and transitive dependencies
  • Includes version information and licenses
  • Is updated with each release
  • Is available in both CycloneDX and SPDX formats

Dependency Scanning

  • Automated Scanning: Dependencies scanned for vulnerabilities
  • Regular Updates: Dependencies kept up-to-date
  • Version Pinning: Explicit version pinning for all dependencies
  • License Compliance: Dependency licenses tracked and reviewed

Tools used:

  • GitHub Dependabot
  • OWASP Dependency Check
  • Snyk

Supply Chain Security

  • Verified Sources: Dependencies from verified sources
  • Integrity Verification: Package hashes verified
  • Reproducible Builds: Deterministic build process
  • Secure CI/CD: Pipeline security with proper secret management

Plugin Security

Sandbox Containment

Plugins run in a WebAssembly sandbox with:

  • Memory Isolation: Protected memory space
  • CPU Limits: Execution time and resource limits
  • I/O Restrictions: Limited access to system resources
  • Network Controls: Restricted network access

Permission System

Plugins operate under a strict permission model:

  • Explicit Permissions: Must request specific permissions
  • User Approval: Permissions displayed and approved by users
  • Runtime Enforcement: Permissions enforced during execution
  • Revocation: Permissions can be revoked at any time

Plugin Vetting

  • Automated Analysis: Static and dynamic analysis of plugins
  • Code Review: Optional review process for marketplace plugins
  • Reputation System: User ratings and reviews
  • Revocation Mechanism: Ability to disable malicious plugins

Vulnerability Reporting

Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities:

  1. Reporting Channel: Email security@liferpg.example.com or use our HackerOne page
  2. Encryption: Use our PGP key for sensitive reports
  3. Response Timeline: Initial response within 48 hours
  4. Disclosure Policy: Coordinated disclosure after fixes
  5. Recognition: Hall of Fame for security researchers

Bug Bounty Program

LifeRPG offers a bug bounty program with:

  • Scope: Defined in-scope and out-of-scope targets
  • Rewards: Based on severity and impact
  • Rules of Engagement: Clear testing guidelines
  • Safe Harbor: Protection for good-faith security research

Security Testing

Automated Testing

  • SAST (Static Application Security Testing): Analyzes code for security issues
    • Tools: Bandit, ESLint security plugins, CodeQL
  • DAST (Dynamic Application Security Testing): Tests running application
    • Tools: OWASP ZAP, Burp Suite
  • Dependency Scanning: Checks dependencies for vulnerabilities
    • Tools: Dependabot, Snyk, OWASP Dependency Check
  • Container Scanning: Analyzes container images
    • Tools: Trivy, Clair

Manual Testing

  • Penetration Testing: Regular penetration tests
  • Code Reviews: Security-focused code reviews
  • Threat Modeling: Systematic analysis of threats
  • Red Team Exercises: Simulated attacks to test defenses

CI/CD Integration

Security testing is integrated into CI/CD pipeline:

# Example GitHub Actions workflow
name: Security Checks

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]

jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run SAST scan
        uses: github/codeql-action/analyze@v2
        
      - name: Run dependency scan
        uses: snyk/actions/python@master
        
      - name: Run container scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'liferpg/api:latest'
          
      - name: Run DAST scan
        uses: zaproxy/action-full-scan@v0.3.0
        with:
          target: 'http://localhost:8080'

Deployment Security

Secure Configuration

  • Environment Variables: Sensitive configuration in environment variables
  • Secrets Management: Secrets stored in vault systems
  • Configuration Validation: Validation of security settings
  • Default Security: Secure defaults with explicit opt-out

Infrastructure Security

  • Container Security: Minimal base images, non-root users
  • Network Security: Network segmentation and firewalls
  • Cloud Security: Follow cloud provider security best practices
  • Access Controls: Least privilege for infrastructure access

Monitoring & Logging

  • Security Monitoring: Detection of unusual patterns
  • Centralized Logging: Security-relevant events logged
  • Audit Trail: Actions tracked for accountability
  • Alerting: Automatic alerts for security events

Incident Response

  • Response Plan: Documented incident response procedure
  • Roles & Responsibilities: Clear ownership during incidents
  • Communication Plan: Internal and external communication
  • Post-Incident Analysis: Learning from security incidents

Compliance & Privacy

Data Protection

  • GDPR Compliance: European data protection regulations
  • CCPA Compliance: California Consumer Privacy Act
  • Data Subject Rights: Access, rectification, erasure
  • Data Processing Records: Documentation of data processing

Privacy Features

  • Privacy Policy: Clear and comprehensive policy
  • Data Export: User data export functionality
  • Data Deletion: Complete account deletion option
  • Cookie Controls: Minimal and controllable cookie usage

Audit & Compliance

  • Security Audits: Regular security assessments
  • Compliance Checks: Verification of regulatory compliance
  • Documentation: Comprehensive security documentation
  • Training: Security awareness training for contributors

Security Checklist

Use this checklist to verify LifeRPG's security implementation:

Authentication & Authorization

  • OAuth2/OIDC properly implemented with PKCE
  • 2FA with TOTP available
  • JWT tokens properly signed and validated
  • Role-based access control implemented
  • Resource ownership checks in place

Data Protection

  • Sensitive data encrypted in database
  • TLS 1.2+ enforced for all connections
  • HTTPS-only cookies
  • Clear data retention policies

API Security

  • Input validation on all endpoints
  • Rate limiting implemented
  • Security headers configured
  • CSRF protection in place
  • Request size limits enforced

Dependency Security

  • SBOM generated and maintained
  • Dependency scanning in CI/CD
  • Regular dependency updates
  • License compliance verified

Plugin Security

  • WASM sandbox implemented
  • Plugin permissions system working
  • Resource limits enforced
  • Plugin vetting process documented

Deployment

  • Secure configuration guide available
  • Container security measures implemented
  • Monitoring and logging in place
  • Incident response plan documented

Compliance

  • Privacy policy up-to-date
  • Data subject rights implemented
  • Compliance documentation available
  • Security training materials created