Security - Leonhest/Smartmat GitHub Wiki
In the backend, Spring Security is used. User authentication, authorization, and other security options are handled by Spring Security.
When a user is logged in, a JWT token is sent to the frontend. This token is used to ensure the user is authorized to access the endpoints. With the token, the backend can set the correct security context in Spring Security. When the security context is set, the backend knows which user is accessing the endpoints.
As a user can have different privilege levels in different fridges, the authorization level is stored in the database and not in Spring Security itself. As the application does not have a global admin, there is no need to set the role in the `SecurityContextHolder` class to anything other than `USER`.
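The fridge-level check described above, as an added example that is not part of the Smartmat code base: the security context only ever says "this user is authenticated with role USER", so the privilege a user holds in a particular fridge has to be looked up in the database on each protected operation. The `FridgeRole` enum, the `FridgeMembership` record and the `FridgeMembershipRepository` interface are assumptions made for this illustration.

```java
// Added example (not Smartmat's own code): per-fridge authorization looked up in the
// database, since the Spring Security context only ever holds the role USER.
// Enum, record and repository below are hypothetical names for illustration.
import java.util.Optional;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Hypothetical privilege levels inside one fridge, declared from lowest to highest.
enum FridgeRole { MEMBER, ADMIN }

// Hypothetical membership row: which user has which role in which fridge.
record FridgeMembership(long fridgeId, String username, FridgeRole role) {}

// Hypothetical persistence port; with Spring Data the query would be derived from the name.
interface FridgeMembershipRepository {
    Optional<FridgeMembership> findByFridgeIdAndUsername(long fridgeId, String username);
}

@Service
public class FridgeAccessService {
    private final FridgeMembershipRepository memberships;

    public FridgeAccessService(FridgeMembershipRepository memberships) {
        this.memberships = memberships;
    }

    // Username of the caller, as placed in the security context by the JWT filter.
    private static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated user in security context");
        }
        return auth.getName();
    }

    // Deny-by-default: a missing membership row means no access at all, and a role
    // below the required one is rejected. Returns the caller's actual role on success.
    public FridgeRole requireAtLeast(long fridgeId, FridgeRole needed) {
        String username = currentUsername();
        FridgeRole actual = memberships.findByFridgeIdAndUsername(fridgeId, username)
                .map(FridgeMembership::role)
                .orElseThrow(() -> new AccessDeniedException(
                        "user " + username + " is not a member of fridge " + fridgeId));
        // ordinal() comparison is valid because the enum is ordered by privilege.
        if (actual.ordinal() < needed.ordinal()) {
            throw new AccessDeniedException("fridge " + fridgeId + " requires " + needed);
        }
        return actual;
    }
}
```

A controller would call `fridgeAccess.requireAtLeast(fridgeId, FridgeRole.ADMIN)` as the first statement of any endpoint that modifies a fridge; because the check throws `AccessDeniedException`, Spring Security's exception handling turns a failed check into a 403 without any extra code in the controller.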
When it comes to input validation, there is little validation for creating a user and logging in. The frontend checks for a valid email and password, but the backend does not check password length or whether the email is valid. This means that a user can change their password to one shorter than the minimum length the frontend enforces.
On the other hand, JPA binds user input as query parameters rather than concatenating it into the SQL string, which prevents SQL injection as long as queries are written with parameters and not by string concatenation.
The frontend has escaping that helps prevent XSS (cross-site scripting).
When a user is authenticated or registered, a JWT token is created. The token contains the username of the user and is signed with the HS256 algorithm and a secret key. The token is valid for 90 minutes.
HS256 is a symmetric algorithm (HMAC with SHA-256) that uses a secret key stored in the backend. The key was randomly generated and is only known to the server.
As there currently is no refresh token system, the user has to log in again after 90 minutes.
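The token lifecycle described in this section and in the security-context paragraph near the top (username in the token, HS256 with a server-side secret, 90-minute validity, filter that fixes the role to USER), as an added example that is not Smartmat's own code. It uses the jjwt 0.11 API and the Spring Boot 3 (`jakarta.servlet`) packages; the `smartmat.jwt.secret` property name and the class names are assumptions.

```java
// Added example (not Smartmat's own code): issue and verify an HS256 JWT that carries
// the username and expires after 90 minutes, and a filter that turns a valid token
// into a Spring Security context with the single role USER.
// Assumes jjwt 0.11.x and Spring Boot 3; the property name is an assumption.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import javax.crypto.SecretKey;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
class JwtService {
    private static final long VALIDITY_SECONDS = 90 * 60;   // 90 minutes, as the wiki states
    private final SecretKey key;

    // The secret is injected from configuration (property name assumed). HS256 needs a
    // key of at least 256 bits; Keys.hmacShaKeyFor rejects anything shorter at startup.
    JwtService(@Value("${smartmat.jwt.secret}") String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    // Creates the token handed to the frontend after login or registration.
    String issue(String username) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plusSeconds(VALIDITY_SECONDS)))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    // Returns the username if signature and expiry are valid; otherwise throws JwtException.
    // parseClaimsJws refuses unsigned ("alg":"none") tokens and expired tokens.
    String verifyAndGetUsername(String token) {
        Claims claims = Jwts.parserBuilder()
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token)
                .getBody();
        return claims.getSubject();
    }
}

@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtService jwtService;

    public JwtAuthenticationFilter(JwtService jwtService) { this.jwtService = jwtService; }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                String username = jwtService.verifyAndGetUsername(header.substring(7));
                // Every authenticated user gets the same role; per-fridge privilege lives in the DB.
                var auth = new UsernamePasswordAuthenticationToken(
                        username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (JwtException | IllegalArgumentException e) {
                // Invalid, expired or empty token: leave the context empty so the endpoint's
                // authorization rules reject the request instead of the filter guessing.
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(request, response);
    }
}
```

The filter is registered in the `SecurityFilterChain` with `addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)`. Because there is no refresh token, a request arriving after the 90-minute expiry hits the `JwtException` branch and the frontend has to send the user through login again, which is the behaviour the wiki describes.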
The `BCryptPasswordEncoder` class from Spring Security is used for hashing passwords. This class salts and hashes each password, and the resulting hash is stored in the database. BCrypt is a password hashing algorithm designed specifically for password storage. It is computationally expensive, which means it takes more time to generate a hash, making it more resistant to brute-force attacks.
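The two points from this page that belong together at registration time, the missing backend validation of email and password length and the BCrypt hashing of the stored password, shown as an added example that is not Smartmat's own code. It uses Bean Validation (`spring-boot-starter-validation`, `jakarta.validation` packages) and Spring Security's `BCryptPasswordEncoder`; the DTO, the `UserRepository` port and the endpoint path are assumptions.

```java
// Added example (not Smartmat's own code): server-side validation of the registration
// payload with Bean Validation, and BCrypt hashing of the password before it is stored.
// DTO, repository and path names are assumptions for illustration.
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Unvalidated form, the situation the wiki describes: nothing on the server stops an
// empty email or a one-character password if the frontend checks are bypassed.
// record RegisterRequest(String email, String password) {}

// Validated form: the constraints are enforced whenever the controller parameter
// carries @Valid, and a violation yields a 400 before the handler body runs.
record RegisterRequest(
        @NotBlank @Email String email,
        // Upper bound 72 because BCrypt only uses the first 72 bytes of the input.
        @NotBlank @Size(min = 8, max = 72) String password) {}

// Hypothetical persistence port (in the project this would be a Spring Data repository).
interface UserRepository {
    boolean existsByEmail(String email);
    void save(String email, String passwordHash);
}

@RestController
public class RegistrationController {
    // Cost factor 12 = 2^12 key-expansion rounds; raise it as hardware gets faster.
    private final PasswordEncoder encoder = new BCryptPasswordEncoder(12);
    private final UserRepository users;

    public RegistrationController(UserRepository users) { this.users = users; }

    @PostMapping("/api/register")   // path is an assumption
    public ResponseEntity<Void> register(@Valid @RequestBody RegisterRequest req) {
        if (users.existsByEmail(req.email())) {
            return ResponseEntity.status(409).build();
        }
        // encode() generates a fresh random salt and embeds it in the "$2a$12$..." output,
        // so two users with the same password get different stored hashes.
        String hash = encoder.encode(req.password());
        users.save(req.email(), hash);
        return ResponseEntity.status(201).build();
    }

    // At login, never compare hashes by hand: matches() re-hashes the candidate with the
    // salt and cost stored in the hash and compares in constant time.
    boolean passwordMatches(String rawPassword, String storedHash) {
        return encoder.matches(rawPassword, storedHash);
    }
}
```

The same `@Size(min = 8, max = 72)` constraint belongs on the request object of the password-change endpoint, since that is where the wiki notes a user can currently set a password shorter than the frontend's minimum.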
All in all, the application is quite secure, but there are some quality of life improvements that could be made in the future.