navidocs/server/README_AUTH.md

NaviDocs Authentication & Authorization System

Complete Documentation Package

---

What is This?

This is a comprehensive technical design for a multi-tenancy authentication and authorization system for NaviDocs, a cross-vertical document management platform.

Problem Solved: Agencies need to manage multiple entities (boats, aircraft, properties) with granular user access control.

Solution: JWT-based authentication + RBAC with entity-level permissions, supporting all verticals with a single, unified system.

---

Documentation Structure

🚀 Start Here

New to the Project? → AUTH_QUICK_START.md

• 5-minute developer guide
• Code examples
• Common patterns
• Quick reference tables

📋 Executive Summary

For Stakeholders → AUTH_SYSTEM_SUMMARY.md

• Problem statement
• Solution overview
• Implementation roadmap (5 weeks, 16 PRs)
• Success criteria
• Risk assessment
• Cost analysis

🏗️ Technical Design

For Architects → DESIGN_AUTH_MULTITENANCY.md

• 3 architectural approaches analyzed
• Recommended solution (JWT + RBAC)
• Database schema changes (4 new tables)
• Authentication & authorization flows
• Security considerations
• Performance optimizations
• Migration strategy
• Pros/cons comparison

📐 Architecture Diagrams

For Visual Learners → ARCHITECTURE_DIAGRAM.md

• High-level system architecture
• Authentication flow diagrams
• Authorization resolution flow
• Permission hierarchy
• Multi-tenancy model
• Security layers
• Scalability considerations

✅ Implementation Tasks

For Developers → IMPLEMENTATION_TASKS.md

• 16 PRs broken down by phase
• Detailed acceptance criteria
• Code interfaces and contracts
• Testing requirements
• File structure
• Estimated effort per task

---

Quick Facts

Aspect	Details
Auth Type	JWT (JSON Web Tokens) - Stateless
Authorization	RBAC (Role-Based Access Control) with entity-level granularity
Database	SQLite (designed for PostgreSQL migration)
Password Security	bcrypt with cost factor 12
Token Expiry	Access: 15 minutes, Refresh: 7 days
Permission Levels	Viewer, Editor, Manager, Admin
Organization Roles	Viewer, Member, Manager, Admin
Cache	LRU cache, 5-minute TTL, 10,000 entries
Implementation Time	5 weeks, 16 PRs
Test Coverage Target	>90%

---

Key Features

✅ User Authentication

• Registration with email verification
• Login with email/password
• JWT access tokens (15min)
• Refresh tokens (7 days, revocable)
• Password reset flow
• Account suspension

✅ Multi-Tenancy

• Organizations contain multiple entities
• Users belong to multiple organizations
• Cross-vertical support (boats, aircraft, marinas, etc.)
• Granular entity-level permissions

✅ Authorization

• 3-tier hierarchy: Organization → Entity → Resource
• 4 permission levels with inheritance
• Explicit grant model (secure by default)
• Permission caching for performance

✅ Security

• bcrypt password hashing
• JWT signature verification
• Rate limiting on auth endpoints
• Audit logging for all events
• CSRF and XSS protection
• Session revocation

✅ Scalability

• Stateless JWT (horizontal scaling)
• LRU cache (10x faster permission checks)
• Database indexes for common queries
• Designed for 10,000+ users

---

Example Use Case

Scenario: Coastal Marine Services manages 3 boats

Users:

• Alice (Organization Admin)
• Bob (Organization Manager)
• Carol (Organization Member)
• Dave (Organization Viewer)

Access Control:

┌──────────┬───────────┬────────────┬────────────┬────────────┐
│ User     │ Org Role  │ Boat 1     │ Boat 2     │ Boat 3     │
├──────────┼───────────┼────────────┼────────────┼────────────┤
│ Alice    │ Admin     │ Admin (org)│ Admin (org)│ Admin (org)│
│ Bob      │ Manager   │ Manager    │ Manager    │ Manager    │
│ Carol    │ Member    │ Editor*    │ No Access  │ Viewer*    │
│ Dave     │ Viewer    │ Viewer     │ Viewer     │ Viewer     │
└──────────┴───────────┴────────────┴────────────┴────────────┘
                         * = Explicit grant required

Result:

• Alice: Full control of all boats
• Bob: Can manage all boats, cannot change org settings
• Carol: Can edit Boat 1, view Boat 3, no access to Boat 2
• Dave: Can view all boats, cannot make changes

---

API Endpoints (Summary)

Authentication (8 endpoints)

POST   /api/auth/register
POST   /api/auth/login
POST   /api/auth/logout
POST   /api/auth/refresh
POST   /api/auth/forgot-password
POST   /api/auth/reset-password
GET    /api/auth/verify-email/:token
GET    /api/auth/me

Organizations (8 endpoints)

GET    /api/organizations
POST   /api/organizations
GET    /api/organizations/:id
PATCH  /api/organizations/:id
DELETE /api/organizations/:id
GET    /api/organizations/:id/members
POST   /api/organizations/:id/members
DELETE /api/organizations/:id/members/:userId

Entity Permissions (4 endpoints)

GET    /api/entities/:id/permissions
POST   /api/entities/:id/permissions
PATCH  /api/entities/:id/permissions/:userId
DELETE /api/entities/:id/permissions/:userId

See full API documentation in individual files.

---

Database Schema Changes

New Tables (4)

1. entity_permissions

   • Granular entity-level access control
   • Fields: user_id, entity_id, permission_level, granted_by, expires_at
   • Indexes: user_id, entity_id, expires_at

2. refresh_tokens

   • Secure session management
   • Fields: user_id, token_hash, device_info, expires_at, revoked
   • Indexes: user_id, expires_at, revoked

3. password_reset_tokens

   • Password recovery workflow
   • Fields: user_id, token_hash, expires_at, used
   • Indexes: user_id, expires_at

4. audit_log

   • Security event tracking
   • Fields: user_id, event_type, resource_type, status, ip_address, metadata
   • Indexes: user_id, event_type, created_at, status

Modified Tables (1)

users

• Add: email_verified, email_verification_token, email_verification_expires
• Add: status (active/suspended/deleted), suspended_at, suspended_reason

Total Impact: 4 new tables, 5 new indexes, 1 table modification (backward compatible)

---

Implementation Roadmap

Phase 1: Foundation (Week 1)

• Database schema migration
• Authentication service (register, login, refresh)
• Authentication routes
• Enhanced auth middleware
• Audit logging

Deliverables: 5 PRs

Phase 2: Authorization (Week 2)

• Authorization service (permission resolution)
• Permission middleware
• Apply auth to existing routes
• Entity permission management

Deliverables: 4 PRs

Phase 3: User & Org Management (Week 3)

• User management endpoints
• Organization CRUD
• Member management
• Email verification & password reset

Deliverables: 3 PRs

Phase 4: Security Hardening (Week 4)

• Rate limiting enhancements
• Brute force protection
• Password strength validation
• Cross-vertical testing

Deliverables: 2 PRs

Phase 5: Documentation & Deployment (Week 5)

• API documentation (OpenAPI/Swagger)
• Migration scripts
• Deployment guide
• Rollback procedures

Deliverables: 2 PRs

Total: 5 weeks, 16 PRs

---

Technology Stack

Component	Technology	Purpose
Runtime	Node.js 20+	JavaScript runtime
Framework	Express 5.0	Web framework
Database	SQLite → PostgreSQL	Data storage
Auth	JWT (jsonwebtoken)	Stateless tokens
Password	bcrypt	Secure hashing
Search	Meilisearch	Full-text search
Queue	BullMQ + Redis	Background jobs
Cache	lru-cache	Permission cache
Security	Helmet.js	HTTP headers
Rate Limit	express-rate-limit	DDoS protection

---

Security Highlights

✅ Password hashing (bcrypt, cost=12) ✅ JWT signature verification ✅ Token expiry enforcement ✅ Refresh token rotation ✅ Rate limiting (5 req/15min for auth) ✅ Audit logging (all security events) ✅ Account suspension capability ✅ HTTPS required (production) ✅ CORS policy enforcement ✅ Input validation and sanitization ✅ SQL injection prevention (prepared statements) ✅ XSS protection (Helmet.js CSP)

---

Performance Optimizations

1. LRU Cache - Permission checks cached (10x faster)
2. Database Indexes - Strategic indexes on hot queries
3. Prepared Statements - SQLite default (prevents SQL injection)
4. Stateless JWT - No database lookup per request
5. Batch Queries - Fetch all user entities at once

Expected Performance:

• Login: <100ms
• Permission check (cached): <5ms
• Permission check (uncached): <50ms
• Token refresh: <50ms

---

Testing Strategy

Unit Tests

• Target: >90% code coverage
• All service methods
• All middleware
• Edge cases and errors

Integration Tests

• End-to-end auth flows
• Multi-user scenarios
• Cross-vertical compatibility
• Permission resolution

Security Tests

• SQL injection attempts
• JWT tampering
• Brute force simulation
• CSRF attacks

Performance Tests

• 1000 concurrent logins
• 10,000 permission checks/sec
• Database query benchmarks
• Cache hit rate

---

Migration Strategy

Zero Downtime Deployment

1. Backup existing database
2. Run migration (adds new tables, doesn't modify existing)
3. Deploy backend (new routes don't affect old ones)
4. Test auth endpoints
5. Deploy frontend (users start using new auth)
6. Monitor for 24 hours

Rollback: Migration includes down script to revert all changes

---

Success Criteria

✅ User can register and login ✅ Access token expires and can be refreshed ✅ User can reset forgotten password ✅ User can verify email address ✅ Org admin can invite users ✅ Org admin can grant entity access ✅ Permission levels work correctly ✅ Unauthorized access returns 403 ✅ All security events logged ✅ Works across all verticals ✅ Migration completes without data loss ✅ All tests pass (>90% coverage) ✅ API documentation complete ✅ Performance benchmarks met

---

Comparison of Approaches

✅ Approach 1: JWT + RBAC (RECOMMENDED)

Pros: Stateless, scalable, industry standard, minimal DB changes Cons: Cannot revoke JWTs (mitigated by refresh tokens)

Approach 2: Session + ABAC

Pros: Instant revocation, very flexible policies Cons: Requires Redis, complex, not stateless, overkill

Approach 3: OAuth2 + External IDP

Pros: Offload auth, enterprise features Cons: Vendor lock-in, cost, external dependency

Decision: Approach 1 provides the best balance for NaviDocs.

---

Future Roadmap

Short Term (3-6 months)

• Email service integration (SendGrid/SES)
• Two-factor authentication (TOTP)
• Social login (Google, Microsoft)
• Mobile app support (OAuth2 PKCE)

Medium Term (6-12 months)

• SSO integration (SAML, OIDC)
• API key management
• Webhook security
• Advanced audit analytics

Long Term (12+ months)

• ML-based anomaly detection
• Passwordless auth (WebAuthn)
• Zero-trust architecture
• Multi-region token replication

---

FAQ

Q: Why JWT instead of sessions? A: Stateless JWT enables horizontal scaling without shared session store. Short expiry + refresh tokens mitigate revocation issue.

Q: Can users belong to multiple organizations? A: Yes. The user_organizations table is a many-to-many relationship.

Q: How do I revoke a user's access immediately? A: Set user status to 'suspended' or revoke all their refresh tokens. Access tokens expire in 15 minutes.

Q: How does this work across different verticals (boats, aircraft, etc.)? A: The system is vertical-agnostic. The entity_type field differentiates, but all logic is identical.

Q: What happens to existing data during migration? A: Migration creates new tables without modifying existing ones. Existing users get personal organizations and admin permissions on their entities.

Q: Can I skip email verification in development? A: Yes. Set email_verified = 1 manually in the database for testing.

Q: How do I test permission checks? A: Use the test database fixture in /test/helpers.js to set up users, orgs, and permissions.

Q: What if I need time-based permissions (e.g., access expires)? A: Use the expires_at field in entity_permissions. Null = never expires.

---

Getting Started

For Stakeholders:

1. Read AUTH_SYSTEM_SUMMARY.md for overview
2. Review implementation roadmap (5 weeks, 16 PRs)
3. Approve design and allocate resources

For Architects:

1. Read DESIGN_AUTH_MULTITENANCY.md for technical details
2. Review ARCHITECTURE_DIAGRAM.md for visual reference
3. Validate against system requirements

For Developers:

1. Read AUTH_QUICK_START.md for code examples
2. Review IMPLEMENTATION_TASKS.md for task breakdown
3. Start with Phase 1, PR 1 (database migration)

For QA:

1. Review acceptance criteria in IMPLEMENTATION_TASKS.md
2. Prepare test plans for each PR
3. Focus on security testing (SQL injection, JWT tampering, etc.)

---

Document Index

Document	Size	Audience	Purpose
README_AUTH.md	10 pages	Everyone	Entry point, overview
AUTH_QUICK_START.md	15 pages	Developers	Code examples, patterns
AUTH_SYSTEM_SUMMARY.md	20 pages	Stakeholders	Executive summary
DESIGN_AUTH_MULTITENANCY.md	50 pages	Architects	Full technical design
IMPLEMENTATION_TASKS.md	40 pages	Developers	Task breakdown, interfaces
ARCHITECTURE_DIAGRAM.md	25 pages	Visual learners	Diagrams, flows

Total Documentation: ~160 pages

---

Support & Contact

Documentation Issues: Open a GitHub issue with label documentation Implementation Questions: Consult AUTH_QUICK_START.md first Design Clarifications: Refer to DESIGN_AUTH_MULTITENANCY.md Code Examples: See /test/ directory for comprehensive examples

---

License

Same as NaviDocs main project.

---

Acknowledgments

This design follows industry best practices from:

• OWASP Authentication Cheat Sheet
• NIST Digital Identity Guidelines
• OAuth 2.0 Security Best Current Practice
• JWT Best Practices (RFC 8725)

---

Version History

Version	Date	Changes
1.0	2025-10-21	Initial design by Tech Lead

---

Status

Current: ⏳ Design Review Next: ✅ Approval → 🚀 Implementation (Phase 1)

---

Ready to start? → Begin with AUTH_QUICK_START.md

Need the full picture? → Read DESIGN_AUTH_MULTITENANCY.md

Want to see it visually? → Check ARCHITECTURE_DIAGRAM.md

---

Document Version: 1.0 Last Updated: 2025-10-21 Maintained By: Tech Lead