pediatric-ai-scribe-v3/docs/authentication.md
Daniel 857ed341f5 docs: rewrite architecture, authentication, configuration, deployment, ai-providers, speech, database, learning-hub, migrations, developer-guide for public audience
- Drop first/second-person voice; reference-style prose throughout
- Remove stale information; align with current code (argon2id primary, hybrid cookie/Bearer auth, sliding 24h idle, AES-256-GCM PHI at rest, backup codes, node-pg-migrate, collation-drift guard, multi-arch Docker, auto-version pipeline)
- Preserve all technical accuracy and code examples
- Remove any remaining references to separate PedsHub Quiz app
- Keep consistent tone across files (tables + code blocks, imperatives where needed)
- api-reference.md and developer-guide.md route tables expanded to reflect current routes (billing, sessions)
2026-04-15 00:26:38 +02:00

8.5 KiB

Authentication & security

Password hashing

  • Primary: argon2id, memory cost 19 MiB, time cost 2, parallelism 1 (OWASP 2023 recommended profile).
  • Fallback: bcryptjs (12 rounds) for legacy rows.
  • Transparent migration: on successful login against a bcrypt hash, the password is rehashed as argon2id and the row updated. Users migrate without any action.
  • The argon2 package is loaded optionally — if not installed, registration and password changes fall back to bcrypt without breaking.

Token transport

Hybrid, chosen at request time by src/utils/platform.js based on User-Agent and optional X-Client header:

Client Transport Storage JWT lifetime
Web browser ped_auth httpOnly + sameSite=lax cookie — (no client storage) 30 d (sliding 24 h idle enforced server-side)
Capacitor app Authorization: Bearer <jwt> iOS Keychain / Android EncryptedSharedPreferences 365 d (no idle check)

authMiddleware reads Bearer first, falls back to cookie. An empty Bearer string falls through to cookie parsing — fixes clients that always emit the header.

Session table

user_sessions is the authoritative source. Each row holds token_hash (SHA-256 of the JWT), user_id, ip_address, device_label, last_activity.

Middleware on every authenticated request:

  1. Verify JWT signature and expiry.
  2. Look up token_hash in user_sessions. If missing and the user has any other sessions → 401 "Session revoked". No sessions at all → fail open (pre-migration users).
  3. Compute idle (NOW() - last_activity).
    • Web (!isMobileClient): if idle > 24 h → delete the session row, clear cookie, return 401 with idleTimeout: true.
    • Mobile: skip idle check.
  4. On POST / PUT / DELETE / PATCH only, if idle > 10 min (throttle), update last_activity = NOW() and re-set the cookie with a fresh 30-day maxAge (cookie slides with activity). GET / HEAD do NOT extend the session — prevents polling from defeating the idle policy.

Idle-timeout kicks write an audit_log entry with action='session_idle_timeout' and the minute count, plus a console.warn for Loki.

Two-factor authentication

TOTP via speakeasy, 30-second step, verification window ±1 step.

Backup codes

  • Generated automatically on first 2FA enable (10 codes, 10 characters, XXXXX-XXXXX format, excluded-characters alphabet: no 0/O/1/I).
  • Stored as bcrypt hashes in users.totp_backup_codes (JSON array).
  • Consumed atomically on login via SELECT … FOR UPDATE transaction — race between parallel attempts serializes correctly, a code can only succeed once.
  • POST /api/auth/2fa/backup-codes regenerates the full set (requires current password). GET /api/auth/2fa/backup-codes/count returns remaining count.
  • Consumed codes are also logged in audit_log (2fa_backup_code_used).
  • Cleared when 2FA is disabled.

OIDC (Authorization Code + PKCE)

  • Implemented with openid-client.
  • State + PKCE verifier + nonce are bundled into an HMAC-signed token (signed with JWT_SECRET) — stateless, survives restarts and scales horizontally. 5-minute TTL.
  • SSRF guard: issuer URL must use https:// and not resolve to any private / loopback / link-local IP. Blocks attacks like issuer set to http://169.254.169.254/ (AWS metadata).
  • First-time link: requires email_verified: true claim from the IdP. Missing or false → 401 with error=email_unverified. Prevents an unverified-email SSO account from taking over an existing local account.
  • Already-linked users with a DIFFERENT oidc_sub are refused (error=sub_mismatch).
  • Auto-create on first SSO: new user row, email_verified=true, password column holds a random 32-byte hex string (not a hash). canLocalAuth=false hides password/2FA/sessions UI for these users. Server-side endpoints (/change-password, /setup-2fa) also reject with an SSO-aware message.

Providers tested: Authentik, Azure AD, Okta, Keycloak, Google, PocketID.

Logout and cross-tab sync

  • POST /api/auth/logout deletes the current session row and clears the cookie.
  • Frontend broadcasts {type:'logout'} on BroadcastChannel('pedscribe-auth'); sibling tabs drop UI and reload.
  • authFetch.js installs a global fetch interceptor; any 401 on an authenticated /api/* request triggers the same logout path.
  • Service-worker caches are cleared on every logout (caches.keys()caches.delete).

Rate limits

Endpoint Limit
/api/* general 200 req / min / IP
/api/auth/login 10 / 15 min
/api/auth/register 5 / hour
/api/auth/forgot-password 5 / hour
/api/auth/resend-verification 3 / 15 min
/api/auth/change-password, /setup-2fa, /verify-2fa, /disable-2fa 20 / 15 min

Limits are per-IP (express-rate-limit). A clinic behind a single NAT shares the bucket; increase or switch to per-user keying if that becomes a problem.

Login enumeration resistance

/api/auth/login returns "Invalid credentials" for:

  • unknown email (runs a bcrypt compare against a fixed dummy hash to equalize timing)
  • wrong password
  • disabled account

"Email not verified" is still returned for unverified accounts — deemed a necessary UX tradeoff over perfect indistinguishability.

Turnstile (Cloudflare bot protection)

Applied to /api/auth/login, /register, /forgot-password when TURNSTILE_SECRET_KEY is set. No-op when unset (dev mode).

Encryption at rest

src/utils/crypto.js provides AES-256-GCM helpers. Key loaded from DATA_ENCRYPTION_KEY env var (64 hex chars = 32 bytes; any other string is SHA-256-derived with a warning). In production mode the server refuses to start without it.

Data Encryption
Nextcloud access tokens (users.nextcloud_token) AES-256-GCM via encryptString; legacy plaintext rows are detected and re-encrypted on next use
Audio backups (audio_backups.audio_data) Gzipped, then AES-256-GCM with a 0x01 version byte prefix; legacy rows (no prefix) pass through unchanged
PHI in audit details Redacted via src/utils/redact.js (SSN, phone, email, DoB regex patterns; 500-char cap; note-body heuristic truncation) before insert

HTTP security headers

Helmet defaults plus:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy:
    • script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' cdn.jsdelivr.net cdnjs.cloudflare.com challenges.cloudflare.com (unsafe-eval is required by @xenova/transformers for in-browser Whisper)
    • script-src-attr 'none' (blocks inline event handlers)
    • frame-src 'self' challenges.cloudflare.com
    • object-src 'none'
  • X-Content-Type-Options: nosniff
  • Response bodies on 5xx use generic 'Request failed'; full error stays server-side in logger.error / Loki.

File uploads

src/routes/documents.js accepts document uploads after:

  1. Extension / MIME check.
  2. Magic-byte sniff via src/utils/fileType.js — refuses mismatches (e.g., a .jpg with a PHP payload).

CORS

  • Production (NODE_ENV=production or APP_URL set): refuses to start if neither APP_URL nor CORS_ORIGINS is configured.
  • Origin whitelist = union of APP_URL and comma-separated CORS_ORIGINS.
  • Requests with no Origin header always pass (mobile, curl, server-to-server).
  • credentials: true so the cookie travels on cross-origin web requests from permitted origins.

Roles

Role Access
admin Everything. First registered user auto-promoted.
moderator Learning Hub CMS + standard user features.
user Clinical features, no admin routes.

Audit logging

Every auth-adjacent event is written to audit_log via a batched writer (src/utils/auditQueue.js) — 1-second flush interval or 50-entry batch. Drained on SIGTERM before pool close. Sent to Loki in parallel (fire-and-forget).

Common action values: register, login, login_failed, login_blocked, login_oidc, logout, email_verified, password_changed, password_reset, 2fa_enabled, 2fa_backup_code_used, 2fa_backup_codes_regenerated, oidc_linked, session_idle_timeout.

Maintenance

scripts/maintenance.js:

  • npm run maint:check — reports collation drift, row counts, index list
  • npm run maint:reindexREINDEX DATABASE + ALTER DATABASE … REFRESH COLLATION VERSION + ANALYZE

Run after any Postgres image upgrade. The startup drift check runs this automatically when pg_database.datcollversion diverges from the library's actual version.