
Security Audit - Authentication System

Date: 2026-06-05
Version: 1.0
Author: CTO

Overview

This document describes the security features and best practices implemented in the authentication system of the Good Deeds app.

Implemented Security Features

1. Password Hashing

Implementation: Argon2
Rationale: Argon2 won the Password Hashing Competition in 2015 and is considered more secure than bcrypt/scrypt.

```typescript
import * as argon2 from 'argon2';

// Password hashing: argon2.hash() generates a random salt and encodes salt
// and cost parameters into the returned string
const passwordHash = await argon2.hash(password);

// Password verification: salt and parameters are read back from the stored hash
const isValid = await argon2.verify(passwordHash, password);
```

Security Benefits:

  • Memory-hard algorithm (resistant to GPU/ASIC attacks)
  • Configurable parameters (time cost, memory cost, parallelism)
  • Side-channel attack resistant

2. JWT Token Management

Access Token: 15 minutes lifetime
Refresh Token: 7 days lifetime

Security Measures:

  • Access tokens are short-lived (15 min) to minimise exposure
  • Refresh tokens are stored in the database as a hash (not plaintext)
  • On password reset, all refresh tokens are invalidated
  • Token rotation on refresh (a new refresh token on every refresh)

```typescript
import * as argon2 from 'argon2';

// The refresh token is stored hashed; the plaintext is only ever handed to the client
const refreshTokenHash = await argon2.hash(refreshToken);
await this.userRepository.update(user.id, { refreshTokenHash });
```
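Refresh-token rotation with hashed storage and replay detection, as an added example that is not part of this document or the Good Deeds code base. It assumes an in-memory map in place of the user repository and uses SHA-256 instead of argon2 so that it runs without dependencies (a 256-bit random token cannot be brute-forced, so a fast hash is adequate for it; this is a deliberate substitution, not the project's choice):

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Constructed stand-in for the users table: only the hash of the refresh token is stored
interface UserRow { id: string; refreshTokenHash: string | null; refreshTokenExpires: number | null }
const users = new Map<string, UserRow>([
  ['u1', { id: 'u1', refreshTokenHash: null, refreshTokenExpires: null }],
]);
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days, as in the audit

// SHA-256 stands in for argon2 here (assumption made for a dependency-free example)
function hashToken(token: string): string {
  return createHash('sha256').update(token).digest('hex');
}

// Issue a new refresh token: the plaintext goes to the client, only the hash is persisted
function issueRefreshToken(userId: string, now = Date.now()): string {
  const user = users.get(userId);
  if (!user) throw new Error('unknown user');
  const token = randomBytes(32).toString('hex');
  user.refreshTokenHash = hashToken(token);
  user.refreshTokenExpires = now + REFRESH_TTL_MS;
  return token;
}

function revokeAllSessions(userId: string): void {
  const user = users.get(userId);
  if (user) { user.refreshTokenHash = null; user.refreshTokenExpires = null; }
}

// Rotation: a valid, unexpired token is consumed and replaced. Presenting a token that
// no longer matches (e.g. an old one replayed after rotation) revokes the user's
// session entirely, because either the legitimate client or a thief holds a stale copy.
function rotateRefreshToken(userId: string, presented: string, now = Date.now()): string | null {
  const user = users.get(userId);
  if (!user || !user.refreshTokenHash || !user.refreshTokenExpires) return null;
  const a = Buffer.from(hashToken(presented), 'hex');
  const b = Buffer.from(user.refreshTokenHash, 'hex');
  if (!timingSafeEqual(a, b)) {
    revokeAllSessions(userId); // reuse detected: force a fresh login
    return null;
  }
  if (now > user.refreshTokenExpires) {
    revokeAllSessions(userId);
    return null;
  }
  return issueRefreshToken(userId, now);
}
```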

3. Email Verification

Token generation: cryptographically secure random bytes
Token lifetime: 24 hours

```typescript
import { randomBytes } from 'crypto';

// 32 bytes from the CSPRNG = 256 bits of entropy, hex-encoded (64 characters)
const emailVerificationToken = randomBytes(32).toString('hex');
// Expiry 24 hours from now
const emailVerificationExpires = new Date(Date.now() + 24 * 60 * 60 * 1000);
```

Security Benefits:

  • Verifies email ownership before account activation
  • Tokens are unpredictable (crypto random)
  • Time-limited
  • Single-use (deleted after verification)

4. Password Reset Flow

Token generation: cryptographically secure random bytes
Token lifetime: 1 hour

Security Measures:

  • No user-existence disclosure (always the same message)
  • Short token lifetime (1 h)
  • Tokens are invalidated after use
  • All sessions are invalidated after a reset

```typescript
// Security: no distinction between existing and non-existing users
return { message: 'Wenn die Email existiert, wurde ein Reset-Link gesendet' };
```
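The token-based flows of sections 3 and 4 (random token, stored as a hash, time-limited, single-use, identical response regardless of account existence, all sessions invalidated on reset), as an added example that is not the project's code. It assumes an in-memory users map and an outbox array in place of the repository and the mailer, and uses Node's built-in scrypt in place of argon2 for the password hash so it runs without dependencies:

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
// Constructed in-memory users table and mail outbox; scrypt stands in for argon2
interface UserRow {
  email: string;
  passwordHash: string;             // "salt:hash"
  resetTokenHash: string | null;    // only the hash of the reset token is stored
  resetTokenExpires: number | null; // epoch ms
  refreshTokenHash: string | null;  // cleared on reset = all sessions invalidated
}
const users = new Map<string, UserRow>();
const outbox: { to: string; token: string }[] = [];
const RESET_TTL_MS = 60 * 60 * 1000; // 1 hour, as in the audit
const GENERIC_MESSAGE = 'If the email exists, a reset link has been sent';

function hashPassword(pw: string, salt = randomBytes(16).toString('hex')): string {
  return `${salt}:${scryptSync(pw, salt, 32).toString('hex')}`;
}
function verifyPassword(pw: string, stored: string): boolean {
  const [salt, hash] = stored.split(':');
  return timingSafeEqual(scryptSync(pw, salt, 32), Buffer.from(hash, 'hex'));
}
const sha256 = (s: string): string => createHash('sha256').update(s).digest('hex');

function register(email: string, pw: string): void {
  users.set(email, { email, passwordHash: hashPassword(pw), resetTokenHash: null,
    resetTokenExpires: null, refreshTokenHash: 'placeholder-active-session' });
}

// Step 1: identical response whether or not the account exists; the token travels only in the emailed link
function forgotPassword(email: string, now = Date.now()): string {
  const user = users.get(email);
  if (user) {
    const token = randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
    user.resetTokenHash = sha256(token);
    user.resetTokenExpires = now + RESET_TTL_MS;
    outbox.push({ to: email, token });
  }
  return GENERIC_MESSAGE;
}

// Step 2: the token must match and be unexpired; it is then destroyed (single use)
// and every refresh token of the user is invalidated
function resetPassword(token: string, newPw: string, now = Date.now()): boolean {
  const h = sha256(token);
  const user = Array.from(users.values()).find((u) => u.resetTokenHash === h);
  if (!user || user.resetTokenExpires === null || now > user.resetTokenExpires) return false;
  user.passwordHash = hashPassword(newPw);
  user.resetTokenHash = user.resetTokenExpires = null;
  user.refreshTokenHash = null;
  return true;
}
```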

5. Rate Limiting

Global Rate Limit: 100 requests/minute
Auth-Specific Limits:

  • Register: 3 requests/minute
  • Login: 5 requests/minute
  • Forgot Password: 3 requests/5 minutes
  • Resend Verification: 3 requests/5 minutes

Implementation: @nestjs/throttler

```typescript
import { Post } from '@nestjs/common';
import { Throttle } from '@nestjs/throttler';

// Overrides the global limit for this route: 5 requests per 60000 ms (ttl is in milliseconds)
@Throttle({ default: { limit: 5, ttl: 60000 } })
@Post('login')
async login() { ... }
```

Security Benefits:

  • Brute-Force Attack Prevention
  • DoS Protection
  • Account Enumeration Prevention
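A fixed-window limiter reproducing the limits listed above, as an added example that is not the project's code and not the internals of @nestjs/throttler; it keeps the same ttl (milliseconds) and limit (requests per window per client) semantics and, like a per-route @Throttle, lets a route policy replace the default rather than stack on it:

```typescript
// Constructed fixed-window limiter using the audit's policy table
interface Policy { limit: number; ttl: number }
const POLICIES: Record<string, Policy> = {
  default: { limit: 100, ttl: 60_000 },
  register: { limit: 3, ttl: 60_000 },
  login: { limit: 5, ttl: 60_000 },
  'forgot-password': { limit: 3, ttl: 5 * 60_000 },
  'resend-verification': { limit: 3, ttl: 5 * 60_000 },
};

interface Bucket { windowStart: number; count: number }
interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }
const buckets = new Map<string, Bucket>(); // keyed by route + client identifier (e.g. IP)

function check(route: string, clientKey: string, now = Date.now()): Decision {
  const policy = POLICIES[route] ?? POLICIES.default; // route policy replaces the default
  const key = `${route}|${clientKey}`;
  let b = buckets.get(key);
  if (!b || now - b.windowStart >= policy.ttl) {
    b = { windowStart: now, count: 0 }; // first request or window elapsed: start fresh
    buckets.set(key, b);
  }
  if (b.count >= policy.limit) {
    // Over the limit: reject and report when the window resets (basis for a Retry-After header)
    return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + policy.ttl - now };
  }
  b.count += 1;
  return { allowed: true, remaining: policy.limit - b.count, retryAfterMs: 0 };
}
```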

6. Input Validation

Implementation: class-validator

Validation Rules:

  • Email: Valid email format
  • Password: Min 8 chars, requires uppercase, lowercase, number/special char
  • Name: Min 2 chars, Max 255 chars
  • All inputs: Whitelist validation (unknown fields rejected)

```typescript
import { Matches } from 'class-validator';

// Requires at least one uppercase letter, one lowercase letter and one digit or
// non-word character (the message only mentions a digit). The minimum length of 8
// is not checked by this pattern and needs a separate rule (class-validator's @MinLength).
@Matches(/((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*$/, {
  message: 'Password muss mindestens 1 Großbuchstaben, 1 Kleinbuchstaben und 1 Zahl enthalten',
})
password: string;
```

7. HTTPS-Only & Secure Headers

Implementation: Helmet.js

```typescript
import helmet from 'helmet';

// Registers helmet's default header set (listed below)
app.use(helmet());
```

Headers Configured:

  • Content-Security-Policy
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security (HSTS)
  • X-XSS-Protection

8. CSRF Protection

Implementation: Cookie-based authentication with SameSite cookies

```typescript
import * as cookieParser from 'cookie-parser';

app.use(cookieParser());

// Cookies are set with SameSite=Strict/Lax
```

9. CORS Configuration

Implementation: Whitelisted Origins

```typescript
// CORS_ORIGINS: comma-separated list of allowed origins. Fail closed when it is unset,
// because an undefined origin makes the underlying cors middleware fall back to "*"
const origins = configService.get<string>('CORS_ORIGINS')?.split(',');
if (!origins) throw new Error('CORS_ORIGINS is not configured');
app.enableCors({
  origin: origins,
  credentials: true,
});
```

10. Database Security

Measures:

  • Prepared Statements (TypeORM - SQL Injection Prevention)
  • Password fields @Exclude() in serialization
  • Sensitive fields marked with @Exclude decorator

```typescript
import { Exclude } from 'class-transformer';
import { Column } from 'typeorm';
// @Exclude takes effect only when the entity is serialized via class-transformer (e.g. ClassSerializerInterceptor)
@Column({ name: 'password_hash', nullable: true })
@Exclude()
passwordHash: string;
```

Threat Model & Mitigations

1. Brute Force Attacks

Mitigation: Rate Limiting (5 login attempts/minute)

2. Password Cracking

Mitigation: Argon2 hashing with high memory/time costs

3. Session Hijacking

Mitigation:

  • Kurze Access Token Lifetime (15min)
  • Refresh Token Rotation
  • HTTPS-only
  • Secure Cookies

4. CSRF Attacks

Mitigation:

  • SameSite Cookies
  • JWT Bearer Token (stateless)

5. XSS Attacks

Mitigation:

  • Helmet Security Headers
  • Input Validation
  • Output Encoding (Frontend Responsibility)

6. SQL Injection

Mitigation:

  • TypeORM Prepared Statements
  • Input Validation

7. Account Enumeration

Mitigation:

  • Generic error messages
  • Same response time for existing/non-existing users (Password Reset)
  • Rate Limiting

8. Email Spoofing

Mitigation:

  • DKIM/SPF (Email Provider Responsibility)
  • Verification Tokens in URLs (not in email body)

Security Checklist

Authentication

  • [x] Strong password hashing (Argon2)
  • [x] Email verification required
  • [x] Rate limiting on auth endpoints
  • [x] Password strength requirements
  • [x] Secure password reset flow

Authorization

  • [x] JWT-based authentication
  • [x] Token expiration
  • [x] Refresh token rotation
  • [x] Session invalidation on logout

Data Protection

  • [x] Sensitive data excluded from serialization
  • [x] HTTPS-only in production
  • [x] Secure cookie settings
  • [x] Input validation & sanitization

Attack Prevention

  • [x] Rate limiting
  • [x] CSRF protection
  • [x] SQL injection prevention
  • [x] XSS headers
  • [x] Account enumeration prevention

Remaining Security Tasks

⚠️ To-Do for Production:

  1. SSL/TLS Certificate Setup
  2. Security Headers Tuning (CSP)
  3. Database Connection Encryption
  4. Secrets Management (HashiCorp Vault / AWS Secrets Manager)
  5. Audit Logging (User Actions)
  6. 2FA Implementation (Optional Enhancement)
  7. IP-based Rate Limiting
  8. Suspicious Activity Detection
  9. Regular Security Audits & Penetration Testing
  10. Dependency Vulnerability Scanning (npm audit, Snyk)

Compliance

GDPR Considerations

  • User data stored with consent (Registration)
  • Right to deletion (To be implemented)
  • Data minimization principle followed
  • Secure storage of personal data

Best Practices Followed

  • OWASP Top 10 Coverage
  • NIST Password Guidelines
  • OAuth 2.0 Best Practices
  • JWT Best Practices (RFC 8725)

Testing

Unit Tests coverage:

  • ✅ Registration flow
  • ✅ Login flow
  • ✅ Email verification
  • ✅ Password reset
  • ✅ Token refresh
  • ✅ Error scenarios

Monitoring Recommendations

  1. Failed Login Attempts: Alert on >10 failed attempts/IP
  2. Token Refresh Patterns: Detect anomalous refresh patterns
  3. Password Reset Requests: Alert on excessive requests
  4. API Rate Limit Hits: Monitor for DoS attempts
  5. Database Query Performance: Detect SQL injection attempts
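Detection logic for recommendation 1 (alert on more than 10 failed logins per IP), as an added example that is not part of this document or the project's monitoring. The JSON-per-line log format, the field names and the one-hour window are assumptions; the audit states only the threshold:

```typescript
// Constructed detection logic; log format, field names and window are assumptions
interface AuthEvent { ts: number; event: string; ip: string; user?: string }

const FAILED_ALERT_THRESHOLD = 10;   // audit: alert on >10 failed attempts per IP
const WINDOW_MS = 60 * 60 * 1000;    // assumed: count failures within one hour

function parseLine(line: string): AuthEvent | null {
  try {
    const e = JSON.parse(line);
    return typeof e?.ip === 'string' && typeof e?.ts === 'number' ? (e as AuthEvent) : null;
  } catch {
    return null; // malformed line: skip it rather than abort the whole scan
  }
}

// Count failed logins per source IP inside the window and report those over the threshold
function failedLoginAlerts(log: string, now: number): { ip: string; failures: number }[] {
  const counts = new Map<string, number>();
  for (const line of log.split('\n')) {
    const e = parseLine(line);
    if (!e || e.event !== 'login_failed' || now - e.ts > WINDOW_MS) continue;
    counts.set(e.ip, (counts.get(e.ip) ?? 0) + 1);
  }
  return Array.from(counts.entries())
    .filter(([, n]) => n > FAILED_ALERT_THRESHOLD)
    .map(([ip, failures]) => ({ ip, failures }));
}

// Constructed sample: 11 failures from one IP, 3 from another, one success, one bad line
const BASE_TS = 1_700_000_000_000;
const SAMPLE_LOG: string = [
  ...Array.from({ length: 11 }, (_, i) => JSON.stringify({ ts: BASE_TS + i * 1000, event: 'login_failed', ip: '203.0.113.7', user: 'alice' })),
  ...Array.from({ length: 3 }, (_, i) => JSON.stringify({ ts: BASE_TS + i * 1000, event: 'login_failed', ip: '198.51.100.9' })),
  JSON.stringify({ ts: BASE_TS + 50_000, event: 'login_ok', ip: '198.51.100.9', user: 'bob' }),
  'not json at all',
].join('\n');
```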

Conclusion

The implemented authentication system follows industry best practices and addresses the most common security threats. For the production deployment, the "Remaining Security Tasks" should be prioritised.

Security Rating: 🟢 Production-ready with limitations (see To-Do list)

Good Deeds - Neighbourhood Help App