← Back to Docs
Authentication & Sessions
JWT Token Management
| Property | Value |
|---|
| Algorithm | HS256 (HMAC-SHA256) |
| Idle timeout | 15 minutes (configurable) |
| Absolute session limit | 8 hours (configurable) |
| Token claims | sub, role, jti, iat, exp, session_start |
| Refresh | POST /auth/refresh extends idle timeout, preserves session start |
Password Security
- Hashing: bcrypt with 12 salt rounds (truncated to 72 bytes per bcrypt spec)
- Complexity: Minimum 8 characters, requires uppercase, lowercase, digit, and special character
- Account lockout: 5 failed attempts triggers 15-minute lockout (database-persisted)
- Password reset: 256-bit token, SHA-256 hashed for storage, 60-minute expiry, single use
SSO
OIDC/OAuth 2.0 support for Azure AD, Google Workspace, Okta, and other providers. Auto-provisioning of new users on first SSO login (configurable).
Token Revocation
| Event | Revocation Scope |
|---|
| User logout | Single token (JTI) |
| Password change | All user tokens (session-level) |
| Admin force-logout | All user tokens (session-level) |
| Account deactivation | All user tokens (session-level) |
Authorization (RBAC)
| Role | Permissions |
|---|
admin | Full access: user management, collections, configuration, builds, audit, deploy |
user | Access assigned collections, view documentation, use chat |
viewer | Read-only access to assigned collections |
qa | Read-only collection access, build triggers, project management access |
Users are assigned to specific collections via user_collections table. Every API request validates collection access. Unauthorized access returns 404 (not 403) to prevent enumeration. Rate limiting protects auth endpoints: 10/min login, 5/min signup, 5/min password reset.
Encryption
| Layer | Implementation |
|---|
| In transit | TLS 1.2+ via Caddy (automatic Let's Encrypt). HSTS with 2-year max-age, includeSubDomains, preload. |
| At rest | SQL Server TDE (AES-256). Docker secrets stored as files, not env vars. |
| Passwords | bcrypt with per-user salt (12 rounds) |
| Audit integrity | SHA-256 hash chain linking each event to its predecessor |
Audit Logging & SIEM
All security-relevant events are written to an immutable security_event_log table. A database trigger blocks all UPDATE and DELETE operations. Each event is SHA-256 hash-chained to the previous for tamper detection.
Event Categories
| Category | Examples |
|---|
auth | Login success/failure, lockout, logout, password change/reset |
authz | Access denied, unauthorized collection access |
data | Program view, source download, export |
admin | User CRUD, config changes, collection management |
system | Startup, deploy, errors, security events |
Each event captures: UUID, UTC timestamp, severity, actor, IP, user agent, target, outcome, JSON context, session/correlation IDs, and integrity hash.
SIEM Integration
| Property | Options |
|---|
| Protocols | TCP+TLS (syslog), TCP, UDP, HTTPS (Splunk HEC, Datadog) |
| Formats | CEF (Common Event Format), JSON |
| Forwarding | Real-time with forwarded_at timestamp tracking |
| Retention | Events purged only after confirmed SIEM forwarding |
Applied by Caddy on all responses:
| Header | Value |
|---|
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com |
X-Frame-Options | SAMEORIGIN |
X-Content-Type-Options | nosniff |
Referrer-Policy | strict-origin-when-cross-origin |
Permissions-Policy | geolocation=(), microphone=(), camera=() |
ISO 27001:2022 — Annex A Controls
A.5 — Organizational Controls
| Control | Requirement | Implementation |
|---|
| A.5.15 | Access control | RBAC (admin/user/viewer/QA), collection-based isolation, least privilege at DB and API levels |
| A.5.23 | Cloud services | On-premise by default. LLM provider configurable (cloud or local via Ollama) |
A.8 — Technological Controls
| Control | Requirement | Implementation |
|---|
| A.8.2 | Privileged access | Admin role restricted. DB app user has minimal permissions. Container runs as non-root. |
| A.8.5 | Secure authentication | JWT with idle/absolute timeout, token revocation, account lockout after 5 failures |
| A.8.9 | Configuration management | Versioned DB table, changes audited with before/after values, secrets as Docker files |
| A.8.15 | Logging | Immutable INSERT-only table, trigger blocks UPDATE/DELETE, SHA-256 hash chain |
| A.8.16 | Monitoring | Real-time SIEM forwarding, admin audit viewer, health endpoint |
| A.8.24 | Cryptography | TLS 1.2+ in transit, AES-256 TDE at rest, bcrypt for passwords |
| A.8.25 | Secure development | Bandit static analysis, dependency scanning, parameterized SQL, Pydantic validation |
| A.8.26 | Application security | Rate limiting, CORS validation, CSP headers, HSTS, session management with revocation |
SOC 2 Type II — Trust Services Criteria
| Criteria | Requirement | Implementation |
|---|
| CC6.1 | Logical access security | RBAC, collection isolation, JWT auth, restricted DB user, non-root container |
| CC6.2 | Segregation of duties | Admins cannot modify their own audit trail (DB trigger prevents modification) |
| CC6.3 | Role-based access | Four roles (admin, user, viewer, qa) with logged changes. Deactivation revokes all sessions immediately. |
| CC6.6 | Authentication | bcrypt, complexity rules, lockout, SSO/OIDC, session timeout, token revocation |
| CC7.1–7.4 | System operations | Comprehensive event logging, SIEM forwarding, hash chain integrity, force-logout/deactivation |
| CC8.1 | Change management | Git version control, automated deploy, idempotent migrations, vulnerability scanning |
| CC9.1 | Risk identification | Dependency scanning, security headers, rate limiting, input validation |
| A1.1 | Availability | Docker health checks with auto-restart (30s/3 retries), systemd service, daily backups |
| C1.1 | Confidentiality | Collection isolation, TLS/TDE, Docker secrets, configurable chat content audit logging |
Evidence Artifacts
| Evidence | Location |
|---|
| Access control policy | backend/auth.py (RBAC), backend/utils.py (collection access) |
| Password policy | backend/auth.py:validate_password_complexity() |
| Audit log | dbo.security_event_log, backend/src/security_log.py |
| Hash chain verification | GET /compliance/audit/verify-hash-chain |
| Encryption config | Caddyfile.docker (TLS), db/enable_tde.sql (TDE) |
| Session management | backend/auth.py:create_token(), backend/src/token_revocation.py |
| Backup procedures | scripts/backup-db.sh, cron at /etc/cron.d/afunana-backup |
| Vulnerability scans | deploy_receiver.py — Bandit, pip audit, npm audit |
Shared Responsibility
| Afunana Provides | Customer Provides |
|---|
| SSO/OIDC integration | Identity Provider configuration, MFA enforcement |
| RBAC + collection isolation | User provisioning/de-provisioning |
| Immutable audit logging + SIEM forwarding | Long-term log retention (7+ years), SIEM CA certs |
| TLS + TDE encryption | Network access control (firewall), physical security |
| Vulnerability scanning + incident response | Penetration testing (third-party), regulatory notifications |
Application Security Scanning
For detailed OWASP Top 10 coverage, AppScan readiness, and vulnerability management procedures, see the dedicated AppScan & OWASP page.
