Security & Authentication

Vista ma rozbudowany system uwierzytelniania z wieloma metodami logowania.

Multi-Layer Security Model

graph TB
    subgraph "Authentication Layers"
        BIOMETRIC[Biometric Auth<br/>Touch ID / Face ID]
        PASSWORD[Password Auth<br/>bcrypt + salt]
        SESSION[Session Tokens<br/>JWT with refresh]
        API_KEY[API Key Storage<br/>System Keychain]
    end

    subgraph "Authorization Layers"
        ROLES[Role-Based Access<br/>admin/vet/assistant/viewer]
        PERMISSIONS[Resource Permissions<br/>read/write/delete/share]
        AUDIT[Audit Trail<br/>All actions logged]
    end

    subgraph "Data Protection"
        ENCRYPTION[Data Encryption<br/>At-rest + in-transit]
        KEYCHAIN[Secure Storage<br/>macOS Keychain/Windows Credential Store]
        LOCAL_FIRST[Local-First<br/>No cloud data storage]
    end

    BIOMETRIC --> SESSION
    PASSWORD --> SESSION
    SESSION --> ROLES
    ROLES --> PERMISSIONS
    PERMISSIONS --> AUDIT

    API_KEY --> ENCRYPTION
    ENCRYPTION --> KEYCHAIN
    KEYCHAIN --> LOCAL_FIRST

Role-Based Permissions (RBAC)

Resource	Admin	Vet	Assistant	Viewer
Users Management	CRUD	-	-	-
Patients	CRUD	CRUD	Read/Update	Read
Visits	All	Own+Shared	Assist+View	Read
Settings	All	Personal	Personal	-
Reports	All	Own Data	Basic	-
Audit Logs	Read	-	-	-

Data Protection

Encryption at rest:

• API Keys: System keychain (macOS Keychain, Windows Credential Store)
• Passwords: bcrypt with salt rounds=12
• Session tokens: JWT with HMAC signing
• Database: SQLite with optional encryption

Encryption in transit:

• HTTPS only for all external API calls
• TLS 1.3 for secure communication
• Certificate pinning for LibraxisAI endpoints

Auth Flow

sequenceDiagram
    participant User
    participant App
    participant AuthContext
    participant LoginForm
    participant Tauri
    participant SQLite

    User->>App: Launch Vista
    App->>AuthContext: Check session
    AuthContext->>Tauri: create_session / login
    Tauri->>SQLite: Validate credentials
    SQLite-->>Tauri: User + Preferences
    Tauri-->>AuthContext: Session token

    alt First Time Setup
        AuthContext->>LoginForm: Show FirstTimeSetup
        LoginForm->>User: Clinic + User wizard
        User->>LoginForm: Complete setup
        LoginForm->>Tauri: create_user, update_clinic
    end

    AuthContext->>App: Authenticated
    App->>User: Show Dashboard

Metody logowania

Method	Command	Description
Password	login	Standard login
PIN	login_with_pin	Quick PIN login
Biometric	biometric_login	Touch ID / Face ID

PIN Lockout

Po 5 nieudanych próbach PIN jest blokowany.

erDiagram
    PIN_LOCKOUT {
        string user_id PK "FK"
        int failed_count
        string lockout_until
        boolean permanent_lock
    }

Session Management

erDiagram
    USER_SESSIONS {
        string session_id PK
        string user_id FK
        datetime login_time
        datetime logout_time
        string device
        string token_type
        boolean active
        datetime expires_at
    }

Auth Commands

Command	Type	Description
check_has_users	query	Sprawdza czy istnieją użytkownicy w DB
create_first_admin	write	Tworzy pierwszego admina + klinikę
login	write	Logowanie użytkownika
logout	write	Wylogowanie
set_pin	write	Ustawia PIN logowania
enable_biometric_login	write	Włącza biometrię
check_onboarding_status	query	Status onboardingu
complete_onboarding_session	write	Zapisuje preferencje
skip_onboarding_session	write	Pomija onboarding

GDPR/RODO Compliance

Vista wspiera:

• Data export - eksport danych użytkownika (JSON/CSV/PDF)
• Data deletion - usuwanie danych z anonimizacją
• Audit trail - pełny log wszystkich akcji
• Data retention - konfigurowalne okresy przechowywania

---

Implementation Status

Component	Status	Description
Auth Module Docstrings	Done	Enhanced documentation for auth.rs, gateway_auth.rs, sessions.rs
Authentication Guards	Done	Middleware for consistent authentication enforcement
Secure Logging Module	Done	Structured, level-based logging with PII protection
Secure Process Execution	Done	Safe command execution wrapper with security policies
Migration Guides	Done	Detailed guides for implementing each security component

Security Components

Authentication Guards

Każda komenda Tauri powinna używać middleware do weryfikacji:

use crate::middleware::auth_guards;

// Basic authentication
auth_guards::require_auth()?;

// Admin-only operations
auth_guards::require_admin()?;

// Role-based access control
auth_guards::require_role("vet")?;

Production

Dev-mode bypass musi być wyłączony w produkcji. Testuj przypadki failure.

Secure Logging

Backend (Rust):

use crate::utils::secure_logger::{info, error, Logger};

// Simple log
info!("Operation started");

// With context
info!("User action", user_id = %user_id);

// With PII masking
info!("Processing email", email = %Logger::mask_email(&email));

Masking Method	Use Case
Logger::mask_pii()	General sensitive data
Logger::mask_email()	Email addresses
Logger::mask_phone()	Phone numbers
Logger::mask_token()	Tokens, API keys
Logger::mask_card_number()	Credit cards

Frontend Logging

Szczegółowa dokumentacja frontend logging → Secure Logging Guide

Secure Process Execution

// DON'T use std::process::Command directly
// DO use SecureCommand wrapper

use crate::utils::secure_process::SecureCommand;

SecureCommand::new("ffmpeg")
    .arg("-i").arg(&input_path)
    .with_policy(SecurityPolicy::Audio)
    .execute()?;

Best practices:

• Validate file paths before passing to commands
• Escape special characters in user input
• Use command allowlists

Security Scanning

Command	Tool	Purpose
pnpm lint:semgrep	Semgrep	Static analysis for security issues
pnpm contrast:scan	Contrast Atlas	Dependency and security scanning
pnpm security:check	Combined	Focused security scanning

---

Security Policy

Supported Versions

Wersja	Wsparcie
develop (current branch)	✅
latest minor release (0.54+)	✅
older (< 0.54)	❌

Reporting Vulnerabilities

Responsible Disclosure

Nie publikuj podatności publicznie (GitHub Issues/PRs). Zgłaszaj prywatnie.

Kontakt Security Team:

• Primary: security@libraxis.dev
• Backup: team@libraxis.dev
• General (non-sensitive): contact@libraxis.ai

Wymagane informacje:

• Affected component(s) i wersja/commit
• Impact i severity estimate
• Steps to reproduce (PoC)
• Sugerowane mitigacje

Severity Classes

Klasa	Przykłady	Target fix
P0 Critical	RCE, auth bypass, exposed secrets/PII	72h
P1 High	privilege escalation, persistent XSS, info leak	14 dni
P2 Medium	input validation, non-persistent XSS, DoS	30 dni
P3 Low	best-practice violations, hardening gaps	scheduled

---

Scope

In scope:

• Vista desktop app (Tauri/Rust in src-tauri, React/TS in src)
• Build/release tooling w scripts/
• Local persistence (SQLite) i native helpers

Out of scope:

• Third-party services (external LLM/gateway APIs)
• Documentation-only repos, marketing sites

---

Project-Specific Practices

Frontend (React/Vite)

• CSP enforced w Tauri/HTML; avoid unsafe-eval
• Avoid dangerouslySetInnerHTML - jeśli konieczne, sanitize (DOMPurify)
• Validate all user input
• HTTPS-only dla wszystkich network calls w production
• CSP connect-src allowlist: self, ipc:, localhost dev, prod APIs (api.libraxis.cloud, api.openai.com)

Backend (Tauri/Rust)

• IPC: Wszystkie #[tauri::command] to public API - validate inputs
• Tokens/secrets: OS Keychain (no plaintext on disk)
• Database (SQLite/sqlx): Parameterized queries only, no dynamic SQL
• Process execution: Avoid arbitrary std::process::Command - allowlist binaries
• File I/O: Validate paths, prevent traversal (no .., /, \)
• Logging: PII redaction, structured logging (tracing)

LLM/Egress Policy

• Allowlisted endpoints only (HTTPS + cert validation)
• Minimize PII in prompts; pseudonymize where possible
• Do not log prompts/responses containing personal data

---

Common Vulnerabilities

Path Traversal

fn validate_filename(filename: &str) -> bool {
    !filename.contains("..") && !filename.contains('/') && !filename.contains('\\')
}

if !validate_filename(&name) { return Err("Invalid filename".to_string()); }

Command Injection

// ❌ Dangerous
// Command::new("sh").arg("-c").arg(user_input).status()?;

// ✅ Safer: fixed binary + validated args
let status = Command::new("ffmpeg")
    .args(["-i", &validated_path, "-f", "wav", &out])
    .status()?;

Information Disclosure

// ❌ Bad: reveals file system details
Err(format!("File not found: {}", full_path))

// ✅ Good: generic
Err("File not found".to_string())

XSS/DOM Sinks

// ❌
<div dangerouslySetInnerHTML={{ __html: userInput }} />;

// ✅
const safe = DOMPurify.sanitize(userInput);
<div dangerouslySetInnerHTML={{ __html: safe }} />;

---

Dependency Security

pnpm audit --prod || true
pnpm security:check || true
(cd src-tauri && cargo audit || true)

Guidelines:

• Keep dependencies updated (minor/patch promptly)
• Review licenses and advisories
• Avoid unmaintained packages

---

Production & Distribution

Code Signing

• macOS: Developer ID + hardened runtime
• Windows: EV or standard code signing certificate

Release Checklist

• HTTPS for downloads and API calls
• Publish checksums/signatures
• Verify CSP and permission scopes
• Disable dev bypass flags (VISTA_DEV_NO_AUTH)

---

Incident Response

1. Contain: disable features, rotate credentials, revoke tokens
2. Assess: affected versions, data impact, reproduce
3. Notify: stakeholders/users per legal obligations
4. Remediate: fix, deploy, add regression tests
5. Learn: document root cause, improve policies

Contact: security@libraxis.dev

---

Powiązane dokumenty

• Secure Logging Guide - Frontend i backend logging
• Authentication Flow - Szczegóły auth flow
• Sessions - Session management
• Roles & Permissions - RBAC