# Security Patterns
Authorization, encryption, rate-limiting, isolation. The authentication side (passwords, OAuth, JWT) lives in Integrations-Auth.md; this page covers everything that happens after the user is logged in.
## RBAC (Role-Based Access Control)
What it is. Users have roles; roles have permissions; the app checks "does this role have permission X?" before letting an action through.
Implementations seen:
### CASL (Node)
What it is. Isomorphic ability-checking library. Define `ability.can('update', 'Article', { authorId: user.id })` once, use the same logic on the server (route guards) and the client (UI hiding).
Used in: GoGreen-Workflow-Hub.
### Spatie/Laravel-Permission
What it is. Laravel's de-facto RBAC package. Roles, permissions, model-level checks via `$user->can('publish posts')`.
Used in: Voting_NewAndImproved.
### Custom JWT-claim-based RBAC
Most TS apps use a claim like `roles: ['admin', 'tenant-owner']` in the JWT and check it in middleware (`requireRole('admin')`).
Used in: Recruiting_AI, GoGreen-Sourcing, Maximus, GoGreen-AI-Concierge, OpenSentinel, plus most others.
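The `requireRole('admin')` middleware shape, written out as an added example (not code from any of the apps above). It assumes an upstream auth middleware has already verified the JWT signature and placed the decoded claims on `req.user`, e.g. `{ sub: 'u1', roles: ['admin', 'tenant-owner'] }`; the names `requireRole`, `check` and `adminOnly` are the example's own. The point it makes beyond the text: a missing or malformed `roles` claim is a deny, not a pass, and an absent identity is a 401 rather than a 403.

```javascript
// Added example (not from any app on the page): the requireRole('admin')
// middleware shape for a `roles` claim. Assumes an upstream auth middleware
// has already verified the JWT signature and put the decoded claims on
// `req.user`, e.g. { sub: 'u1', roles: ['admin', 'tenant-owner'] }.

function requireRole(...allowedRoles) {
  const allowed = new Set(allowedRoles);
  return function (req, res, next) {
    const claims = req.user;
    // No verified identity at all: 401, not 403.
    if (!claims || typeof claims !== 'object') {
      return res.status(401).json({ error: 'unauthenticated' });
    }
    // Deny by default. A missing, non-array or mixed-type `roles` claim yields
    // an empty role list and therefore a 403; exact string match, no case folding.
    const roles = Array.isArray(claims.roles)
      ? claims.roles.filter((r) => typeof r === 'string')
      : [];
    if (!roles.some((r) => allowed.has(r))) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Express-shaped stand-ins so the guard can be exercised without a server.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs a guard against one set of claims and reports whether the route handler ran.
function check(guard, user) {
  const res = fakeRes();
  let reachedHandler = false;
  guard({ user }, res, () => { reachedHandler = true; });
  return reachedHandler
    ? { allowed: true, status: 200 }
    : { allowed: false, status: res.statusCode };
}

// Guard for the two privileged roles named in the claim above.
const adminOnly = requireRole('admin', 'tenant-owner');
```

Mount it per route (`app.delete('/tenants/:id', adminOnly, handler)`) after the token-verifying middleware; the guard itself never parses or verifies the JWT, so it cannot be fooled by an unsigned token reaching it first only if that ordering is kept.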
## Row-Level Security (RLS)
What it is. Postgres feature that filters every query through a `current_user`-aware policy — even if your app code forgets the `WHERE tenant_id = ?` clause, the database enforces isolation.
Used in: ChoreAndMoreTracker (Tauri + Rust + sqlx + Postgres RLS).
Tradeoffs. Strongest tenant-isolation guarantee available. Adds debugging complexity (a query that hits a policy silently returns an empty result set rather than an error). Most portfolio apps rely on application-layer enforcement instead, which is faster to build but trusts every developer to write correct queries.
## CSRF protection
See Integrations-Auth.md — CSRF is auth-adjacent. SameSite cookies + double-submit token, or framework-native (Laravel/Next.js have built-in support).
## Rate limiting
Pattern. Redis `INCR` + `EXPIRE` per `(ip, endpoint)` key. Implemented as middleware.
Where it's explicit:
- OpenSentinel — rate-limited tool invocations, MCP calls, and webhook receivers.
- TimeSheetAI — login + critical-endpoint rate-limit.
- PolyMarketAI — tenacity (Python) wraps external API calls with retry + rate-limit awareness.
Libraries: `express-rate-limit` (Node), `slowapi` (Python/FastAPI), Laravel `ThrottleRequests` middleware (PHP).
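The `INCR` + `EXPIRE` pattern as middleware, written here as an added example rather than code from any app listed above. `MemoryStore` is a constructed stand-in that implements the two Redis commands so the example runs offline; in production the same two calls go to a Redis client. The limit of 3 per 60-second window and the client address are constructed values. The detail worth seeing is when the TTL gets set: only on the first hit of a window.

```javascript
// Added example: fixed-window rate limiter with Redis INCR + EXPIRE semantics.
// `MemoryStore` is a constructed stand-in for Redis so this runs offline; the
// middleware only ever calls incr/expire/ttl, which a real client also provides.
// All names here are the example's own.

class MemoryStore {
  constructor(clock = () => Date.now()) {
    this.clock = clock;
    this.data = new Map(); // key -> { count, expiresAt | null }
  }
  // Redis INCR: creates the key at 1 if missing, returns the new value.
  async incr(key) {
    this._evict(key);
    const entry = this.data.get(key) || { count: 0, expiresAt: null };
    entry.count += 1;
    this.data.set(key, entry);
    return entry.count;
  }
  // Redis EXPIRE: TTL in seconds.
  async expire(key, seconds) {
    const entry = this.data.get(key);
    if (entry) entry.expiresAt = this.clock() + seconds * 1000;
  }
  // Redis TTL: remaining seconds, or -1 when the key has no expiry.
  async ttl(key) {
    this._evict(key);
    const entry = this.data.get(key);
    if (!entry || entry.expiresAt === null) return -1;
    return Math.ceil((entry.expiresAt - this.clock()) / 1000);
  }
  _evict(key) {
    const e = this.data.get(key);
    if (e && e.expiresAt !== null && e.expiresAt <= this.clock()) this.data.delete(key);
  }
}

// limit: max hits per window; windowSec: window length. Key is (ip, endpoint).
function rateLimit(store, { limit, windowSec }) {
  return async function (req, res, next) {
    const key = `rl:${req.ip}:${req.method} ${req.path}`;
    const count = await store.incr(key);
    // Set the TTL only on the first hit of the window. Refreshing it on every
    // hit would keep the window open for as long as a client keeps retrying,
    // so the count would never reset. With a real Redis client, run INCR and
    // EXPIRE in a MULTI block or a Lua script so a crash between the two
    // cannot leave a key with no expiry.
    if (count === 1) await store.expire(key, windowSec);
    res.setHeader('X-RateLimit-Limit', String(limit));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, limit - count)));
    if (count > limit) {
      const retry = await store.ttl(key);
      res.setHeader('Retry-After', String(retry > 0 ? retry : windowSec));
      return res.status(429).json({ error: 'too many requests' });
    }
    return next();
  };
}

// Sends `n` requests from one constructed client and returns the status codes.
async function simulate(limiter, n, req = { ip: '203.0.113.7', method: 'POST', path: '/login' }) {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const res = {
      headers: {}, statusCode: 200,
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; },
      json() { return this; },
    };
    await limiter(req, res, () => {});
    statuses.push(res.statusCode);
  }
  return statuses;
}

// Five hits against a limit of 3, then one more after the window has elapsed.
async function demo() {
  let now = 0;
  const store = new MemoryStore(() => now);
  const limiter = rateLimit(store, { limit: 3, windowSec: 60 });
  const first = await simulate(limiter, 5);   // 200, 200, 200, 429, 429
  now += 61_000;                              // past the window: key has expired
  const afterWindow = await simulate(limiter, 1); // 200 again
  return { first, afterWindow };
}
```

Keying on `(ip, endpoint)` means a login limiter and a search limiter do not share a budget; behind a proxy, `req.ip` must come from a trusted forwarded-for header or every client shares the proxy's address.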
## Connection pooling
Why it matters. Postgres handles a few hundred concurrent connections poorly; serverless platforms create thousands of short-lived ones.
- PgBouncer — used in TimeSheetAI (Next.js + NextAuth + Prisma → PgBouncer → Postgres).
- Prisma's built-in connection pool — every other Prisma app.
## End-to-End Encryption (E2EE)
What it is. The server can't read user messages even if compromised. Keys live only on user devices.
Implementation in FamilyChat:
- Key exchange: ECDH P-256 (one keypair per device).
- Symmetric cipher: AES-256-GCM with a per-message random IV.
- Pattern: every message body is encrypted client-side; the server stores ciphertext only; recipients decrypt with their device key.
Tradeoffs. No server-side search, no message history when adding a new device without explicit re-share, push-notification previews must be empty or use a separate "preview key."
## Field-level encryption (server-side)
What it is. Specific columns (PII, secrets, payment-method tokens) encrypted at rest beyond the disk-level encryption.
Pattern in portfolio: AES-256 with a key in env, applied via Prisma middleware or column-encryption hook. Less formalized than E2EE — mostly per-app implementations.
## CAPTCHA / bot mitigation
Status: not surfaced in any app config in the audit. Apps that need it likely rely on Cloudflare's bot-management at the proxy layer.
## Secret management
See Infrastructure-Deployment.md. `.env` files + API_Keys_and_Secrets_Master.md. No Vault / Secrets Manager.
## Dependency scanning (not surfaced)
Dependabot may be enabled at the GitHub level (it isn't visible in app config files). `npm audit` runs in CI for some apps but isn't a gating check: findings don't fail the build.
## Static analysis / SAST
ESLint catches some security antipatterns. No Snyk, Semgrep, or similar tools in CI configs.
## SCIM 2.0
User/group provisioning from IdP. See Integrations-Comms.md. FamilyChat only.
## Audit logging
Pattern. Sensitive actions (admin changes, billing changes, role assignment) write a row to an `audit_logs` table with `actor_id`, `action`, `target`, `metadata`, `ip`, `user_agent`, `at`.
Apps that document this explicitly: OpenSentinel (audit trail in DB is part of its core value prop), GoGreen-DOC-AI (compliance posture), GoGreen-Workflow-Hub.
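A service-layer audit hook matching the row shape above, as an added example rather than code from OpenSentinel or any other app named here. `MemoryAuditTable` is a constructed stand-in for the `audit_logs` table so it runs offline; the `outcome` column and the redaction list are additions beyond the page's column list. Two things the prose does not show: the row is written even when the wrapped operation throws, and values such as tokens never reach `metadata` even if a caller passes them.

```javascript
// Added example: service-layer audit hook writing one append-only row per
// sensitive action. `MemoryAuditTable` is a constructed stand-in for the
// audit_logs table; `outcome` and the redaction list are this example's
// additions. Names are the example's own, not OpenSentinel's.

// Keys that must never be persisted in `metadata`, whatever a caller passes.
const REDACTED_KEYS = new Set(['password', 'token', 'secret', 'authorization']);

function redact(value) {
  if (value === null || typeof value !== 'object') return value;
  if (Array.isArray(value)) return value.map(redact);
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = REDACTED_KEYS.has(k.toLowerCase()) ? '[redacted]' : redact(v);
  }
  return out;
}

class MemoryAuditTable {
  constructor() { this.rows = []; }
  // The only write path. There is deliberately no update() or delete(), and
  // each row is frozen on insert so later code cannot edit it in place.
  insert(row) {
    const frozen = Object.freeze({ id: this.rows.length + 1, ...row });
    this.rows.push(frozen);
    return frozen;
  }
  all() { return this.rows.slice(); }
}

// Wraps a service operation so the outcome, success or failure, is recorded
// with the actor and request context. A thrown error is logged, then re-thrown.
async function withAudit(audit, ctx, { action, target, metadata = {} }, fn) {
  const at = new Date().toISOString();
  const base = { actor_id: ctx.actorId, action, target, ip: ctx.ip, user_agent: ctx.userAgent, at };
  try {
    const result = await fn();
    audit.insert({ ...base, outcome: 'success', metadata: redact(metadata) });
    return result;
  } catch (err) {
    audit.insert({ ...base, outcome: 'failure', metadata: redact({ ...metadata, error: err.message }) });
    throw err;
  }
}

// One successful role assignment and one failed billing change, both with constructed values.
async function demo() {
  const audit = new MemoryAuditTable();
  const ctx = { actorId: 'u_42', ip: '198.51.100.9', userAgent: 'constructed-ua/1.0' };
  await withAudit(audit, ctx,
    { action: 'role.assign', target: 'user:u_7', metadata: { role: 'admin', token: 'must-not-be-stored' } },
    async () => 'ok');
  try {
    await withAudit(audit, ctx, { action: 'billing.update', target: 'tenant:t_1' },
      async () => { throw new Error('card declined'); });
  } catch { /* the caller still sees the failure; the audit row already exists */ }
  return audit.all();
}
```

In a real deployment the insert should run in the same database transaction as the action it records, so neither can exist without the other; the table's role should have `INSERT` but not `UPDATE` or `DELETE` on `audit_logs`, which is what "append-only" in the decision guide below comes down to.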
## Compliance / data residency
The Voting_NewAndImproved app's choice of MariaDB and self-hosting is a deliberate data-sovereignty choice — voting data shouldn't leave the customer's control. GoGreen-DOC-AI's SAML + 2FA + audit-log combination targets compliance-conscious tenants.
No app currently offers SOC 2 / HIPAA / GDPR formal certification — the patterns are in place; certification would be a separate effort.
## Comparison alternatives (not used)
| Tool | Notes |
|---|---|
| Vault, AWS Secrets Manager, Doppler | Secrets management. .env + master file is intentional. |
| OPA / Cedar | Policy-as-code. App-layer RBAC + Postgres RLS cover the use cases. |
| Snyk / Semgrep / Trivy | Vuln scanning. Could add Trivy to image builds; not done yet. |
| WAF (Cloudflare WAF, AWS WAF) | Web app firewall. Cloudflare WAF likely operates at proxy layer where used. |
## Decision guide
- Multi-tenant DB with strict isolation? Postgres RLS (ChoreAndMoreTracker pattern).
- App-level RBAC? JWT claims + middleware, or CASL (TS), Spatie (PHP).
- Public chat that needs E2EE? ECDH + AES-GCM (FamilyChat pattern).
- Encrypt specific PII columns? AES-256 with a key in env, Prisma middleware.
- Rate-limit endpoints? Redis `INCR` + `EXPIRE`.
- Need SCIM provisioning? pysaml2 + SCIM endpoint exposure.
- Need audit logs? Append-only `audit_logs` table written by service-layer hooks.