Security - chrisdacel/Backend_EcoRisaralda GitHub Wiki
Threat Models
Among the main threats considered are:
- Unauthorized access to administrative functions.
- User identity theft or impersonation.
- Malicious code injection (SQL Injection).
- Data manipulation in forms.
- Exposure of sensitive information in logs or system responses.
- Brute force attacks on the authentication system.
Based on these threats, different protection mechanisms were implemented in both the backend (Laravel) and frontend (React).
Implemented Measures
| Measure | Detail |
|---|---|
| Authentication | Implemented using Laravel Sanctum (for SPA) or JWT for secure session management through tokens. |
| Authorization | Role-based access control managed with Spatie Laravel Permission. |
| Validation | Rules defined in FormRequest classes to prevent malicious data input. |
| Protection | HTTPS enforced in production, rate limiting, and logs without sensitive information. |
| Encryption | Passwords are hashed using bcrypt. Sensitive data is not stored in system logs. |
Software Security Architecture User Stories
| Story | Actor | Constraint |
|---|---|---|
| Only administrators can restrict tourist destinations | Admin | Route DELETE /api/destinations/{id} protected |
| Authentication tokens expire after 24 hours of inactivity | All users | Secure session and automatic rotation |
| Operators can only edit their own destinations | Operator | Resource ownership validation before update |
| Users must be authenticated to comment or rate | User | Routes protected via auth middleware |
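
The constraints in the table above can be expressed as Laravel route definitions. The following is an added example, not code from the EcoRisaralda repository; the `Destination` model, its `user_id` owner column, the role names `admin` and `operator`, and the field names are assumptions.

```php
<?php
// routes/api.php: added example, not the project's code.
// Assumptions: App\Models\Destination with a user_id owner column, role names
// 'admin' and 'operator', editable fields 'name' and 'description', and the
// Spatie 'role' middleware alias registered as the package docs describe.
// Laravel prefixes routes in this file with /api.

use App\Models\Destination;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Every route in this group requires a valid Sanctum token; unauthenticated
// requests are rejected before any handler runs.
Route::middleware('auth:sanctum')->group(function () {

    // Only administrators reach this handler; other roles get 403.
    Route::delete('/destinations/{destination}', function (Destination $destination) {
        $destination->delete();
        return response()->noContent();
    })->middleware('role:admin');

    Route::put('/destinations/{destination}', function (Request $request, Destination $destination) {
        $user = $request->user();

        // Ownership check runs before validation, so a non-owner gets 403
        // without learning which fields the endpoint accepts.
        $ownsIt = (int) $destination->user_id === (int) $user->getKey();
        abort_unless($user->hasRole('operator') && $ownsIt, 403);

        // validate() returns only the listed keys, so extra form fields
        // (for example a forged user_id) never reach update().
        $data = $request->validate([
            'name' => ['required', 'string', 'max:255'],
            'description' => ['nullable', 'string'],
        ]);
        $destination->update($data);

        return response()->json($destination);
    });
});
```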