# Know Foolery - Security Architecture

## Security Overview

Know Foolery implements a comprehensive security strategy that addresses authentication, authorization, data protection, application security, and compliance requirements. This document outlines the security measures implemented across all system components.

## Detailed Security Requirements

### Authentication & Authorization

- **OAuth 2.0/OIDC**: Industry-standard authentication via Zitadel
- **JWT Tokens**: Secure token-based authentication with short expiration
- **MFA**: Multi-factor authentication required for admin accounts
- **Role-Based Access**: Granular permissions (player, admin roles)

### Data Security

- **Encryption**: AES-256 encryption for sensitive data at rest
- **TLS**: All communications encrypted in transit
- **Input Validation**: Comprehensive sanitization against XSS/injection
- **SQL Injection**: Prevention through parameterized queries (Ent)

### Application Security

- **Rate Limiting**: Per-user and global rate limits
- **CORS**: Strict cross-origin resource sharing policies
- **Security Headers**: CSP, HSTS, X-Frame-Options implementation
- **Audit Logging**: Comprehensive logging of security events

### Game Integrity

- **Server-Side Validation**: All game logic validated on the backend
- **Anti-Cheating**: Session state verification and tampering detection
- **Score Validation**: Server-side score calculation and verification

## Security Architecture

### Defense in Depth Strategy

```
┌──────────────────────────────────────────────────────────────────────────┐
│ Security Layers                                                          │
│                                                                          │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Perimeter Security                                                 │  │
│  │ WAF • DDoS Protection • Rate Limiting • IP Filtering               │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                     │                                    │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Application Security                                               │  │
│  │ HTTPS • CORS • CSP • Security Headers • Input Validation           │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                     │                                    │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Authentication & Authorization                                     │  │
│  │ OAuth 2.0 • JWT • MFA • RBAC • Session Management                  │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                     │                                    │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Data Security                                                      │  │
│  │ Encryption at Rest • TLS • Field Encryption • Anonymization        │  │
│  └────────────────────────────────────────────────────────────────────┘  │
│                                     │                                    │
│  ┌────────────────────────────────────────────────────────────────────┐  │
│  │ Infrastructure Security                                            │  │
│  │ Container Security • Network Segmentation • Secrets Management     │  │
│  └────────────────────────────────────────────────────────────────────┘  │
└──────────────────────────────────────────────────────────────────────────┘
```

### Zitadel Integration Architecture

#### Overview

Zitadel serves as the self-hosted OAuth 2.0/OpenID Connect authentication provider for Know Foolery, providing secure authentication for both players and administrators while maintaining complete control over user data and authentication flows.

#### Zitadel Deployment Architecture

```
┌────────────────────────────────────────────────────────────────────────┐
│ Client Applications                                                    │
│ ┌──────────────┐  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐ │
│ │   Web App    │  │  Mobile iOS  │  │Mobile Android│  │Desktop Wails │ │
│ └──────────────┘  └──────────────┘  └──────────────┘  └──────────────┘ │
└────────────────────────────────────────────────────────────────────────┘
                                    │
                           OAuth 2.0/OIDC Flows
                                    │
┌────────────────────────────────────────────────────────────────────────┐
│ API Gateway                                                            │
│  ┌──────────────────────────────────────────────────────────────────┐  │
│  │ JWT Validation Middleware                                        │  │
│  │ • Token signature verification                                   │  │
│  │ • Claims validation & role extraction                            │  │
│  │ • Token refresh handling                                         │  │
│  └──────────────────────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────────────────────┘
                                    │
                            Validated Requests
                                    │
┌────────────────────────────────────────────────────────────────────────┐
│ Microservices Layer                                                    │
│ (Receives user context from JWT claims)                                │
└────────────────────────────────────────────────────────────────────────┘
                                    │
                            Zitadel Admin API
                                    │
┌────────────────────────────────────────────────────────────────────────┐
│ Zitadel Instance                                                       │
│ ┌──────────────┐  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐ │
│ │    OAuth     │  │  Admin API   │  │  PostgreSQL  │  │     OIDC     │ │
│ │   Provider   │  │              │  │   Database   │  │  Discovery   │ │
│ └──────────────┘  └──────────────┘  └──────────────┘  └──────────────┘ │
└────────────────────────────────────────────────────────────────────────┘
```

### Authentication Flow

```mermaid
sequenceDiagram
    participant C as Client
    participant G as API Gateway
    participant Z as Zitadel
    participant S as Service

    C->>G: Request with credentials
    G->>Z: Validate credentials
    Z->>G: Return JWT token
    G->>C: Return token + user info
    C->>G: API request with JWT
    G->>G: Validate JWT signature
    G->>S: Forward request with user context
    S->>G: Return response
    G->>C: Return response
```
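The "Validate JWT signature" step of the flow above, and the signature, claims and role checks listed for the gateway's JWT validation middleware, as an added example written for this page (not code from the Know Foolery project). It assumes the RS256 public key has already been fetched from Zitadel's JWKS endpoint, that roles arrive in Zitadel's `urn:zitadel:iam:org:project:roles` claim, and that the issuer and audience strings are configuration values; `SignRS256` exists only to construct sample tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
)

// Claims is the subset of a Zitadel access token the gateway checks; the roles key is Zitadel's project-roles claim (assumed here) and maps role -> {orgID: orgDomain}.
type Claims struct {
	Iss   string                       `json:"iss"`
	Aud   []string                     `json:"aud"`
	Exp   int64                        `json:"exp"`
	Roles map[string]map[string]string `json:"urn:zitadel:iam:org:project:roles"`
}
var b64 = base64.RawURLEncoding
// SignRS256 builds a compact RS256 JWT; used here only to construct sample tokens.
func SignRS256(c Claims, priv *rsa.PrivateKey) string {
	p, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return input + "." + b64.EncodeToString(sig)
}
// VerifyJWT is the middleware core: pin the algorithm, verify the signature with the JWKS key, then check issuer, audience and expiry (now = Unix seconds) before any claim is used.
func VerifyJWT(tok string, pub *rsa.PublicKey, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg string `json:"alg"` } // pinning alg blocks alg=none and HS256 key confusion
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or header not RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers header.payload
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != iss || !slices.Contains(c.Aud, aud) || now >= c.Exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil // services read roles from c.Roles, e.g. _, isAdmin := c.Roles["admin"]
}
```

The signature is checked before the payload is decoded, so a tampered or re-signed body never reaches the claims checks, and a token whose `exp` claim is missing is rejected because it decodes as zero.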