
Security & Authentication

The platform uses a security model that combines stateful session authentication (via JWT or opaque tokens) with role-based access control (RBAC).

Authentication Strategy

The authentication flow is handled by AuthService.

  1. Login: The user POSTs an email and password.
  2. Verification: The password is verified against the hashed entry in the users table.
  3. Token Issuance: An AdonisJS Auth Token is generated and returned to the client.
  4. 2FA (Optional): If enabled, 2faService generates a TOTP code that must be verified before full access is granted.
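The four steps above, modelled end to end in TypeScript with only Node's built-in crypto module. This is an added example, not the project's AuthService or 2faService: the in-memory users table, the scrypt password hashing, the opaque token stored as a SHA-256 digest, the one-hour session lifetime and the RFC 6238 TOTP parameters (HMAC-SHA1, 30-second step, 6 digits, one step of clock skew) are all assumptions made here.

```typescript
// Added example (not the project's AuthService): the login flow with Node's crypto module.
// Table shape, token format and TOTP parameters are assumptions for this illustration.
import { scryptSync, randomBytes, timingSafeEqual, createHmac, createHash } from "node:crypto";

interface UserRow { id: number; email: string; passwordHash: string; salt: string; totpSecret?: Buffer }
interface Session { userId: number; fullAccess: boolean; expiresAt: number }

// Constructed in-memory stand-ins for the users table and the session store.
const users = new Map<string, UserRow>();
const sessions = new Map<string, Session>();

// Never store the password itself: scrypt with a per-user random salt.
function hashPassword(password: string, salt: Buffer = randomBytes(16)): { hash: string; salt: string } {
  return { hash: scryptSync(password, salt, 32).toString("hex"), salt: salt.toString("hex") };
}

function registerUser(id: number, email: string, password: string, totpSecret?: Buffer): void {
  const { hash, salt } = hashPassword(password);
  users.set(email, { id, email, passwordHash: hash, salt, totpSecret });
}

// Step 2: verify against the stored hash with a constant-time comparison.
function verifyPassword(email: string, password: string): UserRow | null {
  const row = users.get(email);
  // Run scrypt even for unknown emails so response time does not reveal which accounts exist.
  const salt = row ? Buffer.from(row.salt, "hex") : randomBytes(16);
  const candidate = scryptSync(password, salt, 32);
  if (!row) return null;
  return timingSafeEqual(candidate, Buffer.from(row.passwordHash, "hex")) ? row : null;
}

// Step 3: an opaque random token; the server keeps only its digest, so a leaked
// session table cannot be replayed as bearer tokens.
function issueToken(user: UserRow, now: number = Date.now()): string {
  const token = randomBytes(32).toString("base64url");
  sessions.set(createHash("sha256").update(token).digest("hex"),
    { userId: user.id, fullAccess: user.totpSecret === undefined, expiresAt: now + 3_600_000 });
  return token;
}

function lookupSession(token: string, now: number = Date.now()): Session | null {
  const s = sessions.get(createHash("sha256").update(token).digest("hex"));
  return s && s.expiresAt > now ? s : null;
}

// Steps 1-3 in one call. The caller learns only "rejected", not which check failed.
function login(email: string, password: string, now: number = Date.now()): { token: string; needs2fa: boolean } | null {
  const user = verifyPassword(email, password);
  if (!user) return null;
  return { token: issueToken(user, now), needs2fa: user.totpSecret !== undefined };
}

// Step 4: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
function totp(secret: Buffer, timeMs: number, step = 30, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(Math.floor(timeMs / 1000 / step)));
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;                     // dynamic truncation
  const bin = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Upgrade a password-only session to full access once a valid code is presented.
function verifyTotp(token: string, code: string, now: number = Date.now()): boolean {
  const s = lookupSession(token, now);
  const user = s ? Array.from(users.values()).find(u => u.id === s.userId) : undefined;
  if (!s || !user || !user.totpSecret) return false;
  for (const skew of [0, -1]) {                                   // tolerate one step of clock drift
    const expected = totp(user.totpSecret, now + skew * 30_000);
    if (expected.length === code.length && timingSafeEqual(Buffer.from(expected), Buffer.from(code))) {
      s.fullAccess = true;
      return true;
    }
  }
  return false;
}
```

The session's fullAccess flag is what the auth middleware would consult: a token issued after step 3 alone is enough to reach the 2FA endpoint and nothing else, and only a successful verifyTotp flips it.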

Authorization (RBAC)

We use a strict, tailored RBAC system.

Data Model

  • User: The entity logging in.
  • Role: A named collection of permissions (e.g., "Stable Admin", "Trainer", "Viewer").
    • Has a color attribute for UI badging.
  • Permission: A granular capability ID (e.g., camera:view, camera:edit, user:create).

Implementation Details

  • Pivot Table: role_permissions links Roles to Permissions.
  • Scope Service: PermissionScopeService is responsible for checking whether a User has the required permission for a specific resource (e.g., "Can User A view Camera B?"). It handles the ownership hierarchy (Company -> Site -> User).
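The data model and the scope check above, as an added TypeScript example that is not the project's PermissionScopeService. It evaluates a role's permissions through the role_permissions pivot and then walks the Company -> Site -> User hierarchy, denying by default. The concrete scope rules (a user without a siteId has company-wide scope; a site-scoped user sees the site's shared cameras plus cameras they own) and the sample rows are assumptions made for the illustration.

```typescript
// Added example (not the project's PermissionScopeService): deny-by-default
// resource-level permission check. Scope rules and sample rows are assumptions.

type PermissionId = string;                       // granular capability id, e.g. "camera:view"
interface Role { id: number; name: string; color: string }
// siteId undefined = the user acts company-wide (assumed convention)
interface User { id: number; companyId: number; siteId?: number; roleId: number }
// ownerUserId undefined = camera is shared by the whole site (assumed convention)
interface Camera { id: number; companyId: number; siteId: number; ownerUserId?: number }
interface Decision { allowed: boolean; reason: string }

// Constructed rows standing in for the roles table and the role_permissions pivot.
const roles: Role[] = [
  { id: 1, name: "Stable Admin", color: "#d33" },
  { id: 2, name: "Trainer", color: "#36c" },
  { id: 3, name: "Viewer", color: "#999" },
];
const rolePermissions: Array<{ roleId: number; permissionId: PermissionId }> = [
  { roleId: 1, permissionId: "camera:view" }, { roleId: 1, permissionId: "camera:edit" }, { roleId: 1, permissionId: "user:create" },
  { roleId: 2, permissionId: "camera:view" }, { roleId: 2, permissionId: "camera:edit" },
  { roleId: 3, permissionId: "camera:view" },
];

function permissionsForRole(roleId: number): Set<PermissionId> {
  return new Set(rolePermissions.filter(rp => rp.roleId === roleId).map(rp => rp.permissionId));
}

// "Can User A <permission> Camera B?"  The reason string is meant for the audit log.
function canAccessCamera(user: User, permission: PermissionId, camera: Camera): Decision {
  // 1. Capability: the role must carry the permission at all (unknown ids are simply absent).
  if (!permissionsForRole(user.roleId).has(permission)) {
    const roleName = roles.find(r => r.id === user.roleId)?.name ?? "unknown role";
    return { allowed: false, reason: `${roleName} lacks ${permission}` };
  }
  // 2. Company boundary: never cross tenants, whatever the role says.
  if (camera.companyId !== user.companyId) return { allowed: false, reason: "camera belongs to another company" };
  // 3. Company-wide users reach every site of their company.
  if (user.siteId === undefined) return { allowed: true, reason: "company-wide scope" };
  // 4. Site-scoped users stay inside their own site...
  if (camera.siteId !== user.siteId) return { allowed: false, reason: "camera is at another site" };
  // 5. ...and see shared cameras and their own, not another user's personal camera.
  if (camera.ownerUserId !== undefined && camera.ownerUserId !== user.id) {
    return { allowed: false, reason: "camera is owned by another user" };
  }
  return { allowed: true, reason: "site scope" };
}
```

The ordering matters: the tenant boundary is checked before any scope widening, so a company-wide admin of one company never reaches another company's cameras, and a permission id that is not in the pivot is denied without any special case.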

API Security

  • Middleware: Most routes are protected by the auth middleware.
  • Rate Limiting: Applied to sensitive endpoints (Login, Reset Password) to prevent brute-force attacks.
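A rate limiter of the kind the last bullet describes, as an added TypeScript example rather than the project's own middleware. It keeps a sliding window of attempts per sensitive route, keyed separately by client IP and by targeted account so that neither spraying many accounts from one address nor spraying one account from many addresses slips past the limit. The routes, limits and in-memory store are assumptions; a deployment would back this with a shared store such as Redis.

```typescript
// Added example (not the project's middleware): sliding-window rate limiting for
// brute-force-prone endpoints. Routes, limits and the in-memory store are assumptions.

interface LimitRule { max: number; windowMs: number }
interface Verdict { allowed: boolean; remaining: number; retryAfterMs: number }

// Constructed policy: how many attempts each sensitive route allows per window.
const rules: Record<string, LimitRule> = {
  "/login": { max: 5, windowMs: 15 * 60_000 },
  "/reset-password": { max: 3, windowMs: 60 * 60_000 },
};

// key -> timestamps (ms) of attempts still inside the window
const attempts = new Map<string, number[]>();

// Record one attempt under a key unless the window is already full.
function consume(key: string, rule: LimitRule, now: number): Verdict {
  const recent = (attempts.get(key) ?? []).filter(t => t > now - rule.windowMs);
  if (recent.length >= rule.max) {
    attempts.set(key, recent);
    // oldest attempt in the window decides when a slot frees up
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + rule.windowMs - now };
  }
  recent.push(now);
  attempts.set(key, recent);
  return { allowed: true, remaining: rule.max - recent.length, retryAfterMs: 0 };
}

// Decide whether a request to `route` from `clientIp` against `account` may proceed.
// Routes without a rule are not limited. Either key being exhausted blocks the request.
function rateLimit(route: string, clientIp: string, account: string, now: number = Date.now()): Verdict {
  const rule = rules[route];
  if (!rule) return { allowed: true, remaining: Infinity, retryAfterMs: 0 };
  const keys = [`${route}|ip|${clientIp}`, `${route}|acct|${account.trim().toLowerCase()}`];
  const verdicts = keys.map(k => consume(k, rule, now));
  const blocked = verdicts.filter(v => !v.allowed);
  if (blocked.length > 0) {
    return { allowed: false, remaining: 0, retryAfterMs: Math.max(...blocked.map(v => v.retryAfterMs)) };
  }
  return { allowed: true, remaining: Math.min(...verdicts.map(v => v.remaining)), retryAfterMs: 0 };
}
```

Failed and successful attempts are both counted, because the limiter runs before the credential check; retryAfterMs is what a handler would surface in a Retry-After header together with a 429 response.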