Know Foolery - Security Architecture
Security Overview
Know Foolery implements a comprehensive security strategy that addresses authentication, authorization, data protection, application security, and compliance requirements. This document outlines security measures implemented across all system components.
Detailed Security Requirements
Authentication & Authorization
- OAuth 2.0/OIDC: Authentication delegated to Zitadel, a standards-based OAuth 2.0/OpenID Connect provider
- JWTs: Short-lived signed access tokens; signature and claims are verified on every request
- MFA: Multi-factor authentication required for admin accounts
- Role-Based Access: Granular permissions via player and admin roles
Data Security
- Encryption: AES-256 encryption of sensitive data at rest
- TLS: All communications encrypted in transit
- Input Validation: Comprehensive validation and sanitization of untrusted input against XSS and injection
- SQL Injection: Prevented by the parameterized queries Ent generates
Application Security
- Rate Limiting: Per-user and global rate limits
- CORS: Strict cross-origin resource sharing policies
- Security Headers: CSP, HSTS and X-Frame-Options set on every response
- Audit Logging: Comprehensive logging of security events
Game Integrity
- Server-Side Validation: All game logic validated on backend
- Anti-Cheating: Session state verification and tampering detection
- Score Validation: Server-side score calculation and verification
Security Architecture
Defense in Depth Strategy
┌────────────────────────────────────────────────────────────────────────┐
│                            Security Layers                             │
│                                                                        │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ Perimeter Security                                               │  │
│  │ WAF • DDoS Protection • Rate Limiting • IP Filtering             │  │
│  └──────────────────────────────────────────────────────────────────┘  │
│                                    │                                   │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ Application Security                                             │  │
│  │ HTTPS • CORS • CSP • Security Headers • Input Validation         │  │
│  └──────────────────────────────────────────────────────────────────┘  │
│                                    │                                   │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ Authentication & Authorization                                   │  │
│  │ OAuth 2.0 • JWT • MFA • RBAC • Session Management                │  │
│  └──────────────────────────────────────────────────────────────────┘  │
│                                    │                                   │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ Data Security                                                    │  │
│  │ Encryption at Rest • TLS • Field Encryption • Anonymization      │  │
│  └──────────────────────────────────────────────────────────────────┘  │
│                                    │                                   │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ Infrastructure Security                                          │  │
│  │ Container Security • Network Segmentation • Secrets Management   │  │
│  └──────────────────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────────────────┘
Zitadel Integration Architecture
Overview
Zitadel serves as the self-hosted OAuth 2.0/OpenID Connect authentication provider for Know Foolery, providing secure authentication for both players and administrators while maintaining complete control over user data and authentication flows.
Zitadel Deployment Architecture
┌───────────────────────────────────────────────────────────────────────┐
│                          Client Applications                          │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐  │
│  │   Web App    │ │  Mobile iOS  │ │Mobile Android│ │Desktop Wails │  │
│  └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘  │
└───────────────────────────────────────────────────────────────────────┘
                                    │
                          OAuth 2.0/OIDC Flows
                                    │
┌───────────────────────────────────────────────────────────────────────┐
│                              API Gateway                              │
│  ┌─────────────────────────────────────────────────────────────────┐  │
│  │                    JWT Validation Middleware                    │  │
│  │ • Token signature verification                                  │  │
│  │ • Claims validation & role extraction                           │  │
│  │ • Token refresh handling                                        │  │
│  └─────────────────────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────────────────────┘
                                    │
                           Validated Requests
                                    │
┌───────────────────────────────────────────────────────────────────────┐
│                          Microservices Layer                          │
│                (Receives user context from JWT claims)                │
└───────────────────────────────────────────────────────────────────────┘
                                    │
                            Zitadel Admin API
                                    │
┌───────────────────────────────────────────────────────────────────────┐
│                           Zitadel Instance                            │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐  │
│  │    OAuth     │ │  Admin API   │ │  PostgreSQL  │ │     OIDC     │  │
│  │   Provider   │ │              │ │   Database   │ │  Discovery   │  │
│  └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘  │
└───────────────────────────────────────────────────────────────────────┘