Logo
Typus©

Security Model

Last Updated: May 19, 2025

This document describes the security architecture of the Typus Development Framework, outlining the components, patterns, and practices that ensure the security of applications built with the framework.

Security Architecture Overview

The Typus Development Framework implements a multi-layered security architecture that protects applications at various levels:

Security Monitoring

Client Browser

TLS/HTTPS

API Gateway

Authentication Layer

Authorization Layer

Input Validation

Business Logic

Data Access Layer

Data Encryption

Database

Audit Logging

Security Monitoring

Authentication System

The authentication system verifies the identity of users and services accessing the application.

Authentication Components

OAuth Integration

Multi-factor Authentication

Login Request

Auth Controller

Credential Validation

User Service

User Database

JWT Service

Access & Refresh Tokens

Client Storage

API Request

Auth Middleware

Token Validation

MFA Service

TOTP Generator

Email Verification

OAuth Service

Google Provider

GitHub Provider

Authentication Flow

User DatabaseUser ServiceJWT ServiceAuth APIFrontend LayerClient BrowserUser DatabaseUser ServiceJWT ServiceAuth APIFrontend LayerClient Browseralt[Valid Credentials][Invalid Credentials]alt[Valid Refresh Token][Invalid Refresh Token]alt[Valid Access Token][Expired Access Token]Login RequestAuthentication RequestValidate CredentialsQuery UserUser DataValidation ResultGenerate TokensAccess & Refresh TokensAuthentication Success + TokensStore TokensLogin SuccessAuthentication FailedLogin FailedAccess Protected ResourceRequest with Access TokenValidate Access TokenToken ValidResource DataDisplay ResourceValidate Access TokenToken ExpiredToken ExpiredRefresh Token RequestValidate Refresh TokenValidation ResultGenerate New TokensNew Access & Refresh TokensNew TokensStore New TokensRetry RequestResource DataDisplay ResourceAuthentication RequiredRedirect to Login

JWT Token Structure

The framework uses JWT (JSON Web Tokens) for authentication with the following structure:

Access Token Payload:

{
  "sub": "user_id",
  "name": "username",
  "email": "[email protected]",
  "roles": ["user", "admin"],
  "permissions": ["read:users", "write:users"],
  "iat": 1619712000,
  "exp": 1619715600,
  "iss": "typus-auth"
}

Refresh Token Payload:

{
  "sub": "user_id",
  "jti": "unique_token_id",
  "iat": 1619712000,
  "exp": 1620316800,
  "iss": "typus-auth"
}

Multi-factor Authentication

The framework supports multiple MFA methods:

  1. Time-based One-Time Password (TOTP): Compatible with authenticator apps
  2. Email Verification: One-time codes sent via email
  3. SMS Verification: One-time codes sent via SMS (optional)

Authorization System

The authorization system controls access to resources and operations based on user roles and permissions.

Role-Based Access Control (RBAC)

Role Hierarchy

Permission Types

Create Permission

Read Permission

Update Permission

Delete Permission

User Role

Roles

Permissions

Resources

Admin Role

Editor Role

Guest Role

Authorization Flow

Resource ControllerRBAC ServiceAuth MiddlewareAPI GatewayFrontend LayerClient BrowserResource ControllerRBAC ServiceAuth MiddlewareAPI GatewayFrontend LayerClient Browseralt[Has Permission][No Permission]Request Protected ResourceAPI Request with JWTValidate TokenExtract User & RolesCheck PermissionPermission GrantedAuthorization SuccessfulProcess RequestResource DataSuccess ResponseDisplay ResourcePermission DeniedAuthorization Failed403 ForbiddenAccess Denied Message

Permission Enforcement

The framework enforces permissions at multiple levels:

  1. Route Level: Using middleware to protect API endpoints
  2. Controller Level: Using decorators to protect controller methods
  3. Service Level: Using programmatic checks in service methods
  4. UI Level: Conditionally rendering UI elements based on permissions

Data Protection

The framework implements multiple layers of data protection to secure sensitive information.

Data Encryption

Sensitive Data

Encryption in Transit

Encryption at Rest

Encryption in Use

TLS/HTTPS

Database Encryption

Field-level Encryption

File Encryption

Memory Safety Practices

Sensitive Data Handling

The framework provides utilities for handling sensitive data:

  1. Password Hashing: Using bcrypt with appropriate work factors
  2. PII Encryption: Encrypting personally identifiable information
  3. Secure Configuration: Protecting secrets and credentials
  4. Data Masking: Masking sensitive data in logs and responses

API Security

The framework implements multiple measures to secure API endpoints.

API Security Components

API Endpoint

Rate Limiting

CORS Protection

Content Security Policy

Input Validation

CSRF Protection

IP-based Limiting

User-based Limiting

Endpoint-based Limiting

Schema Validation

Input Sanitization

Type Checking

API Security Measures

  1. Rate Limiting: Prevents abuse by limiting request frequency
  2. CORS Configuration: Controls cross-origin resource sharing
  3. Content Security Policy: Prevents XSS and data injection attacks
  4. Input Validation: Validates and sanitizes all input data
  5. CSRF Protection: Prevents cross-site request forgery attacks

Security Monitoring and Auditing

The framework includes comprehensive monitoring and auditing capabilities.

Security Monitoring Components

Application

Audit Logging

Error Logging

Security Events

User Actions

System Changes

Data Access

Authentication Events

Authorization Events

Anomaly Detection

Log Storage

Log Analysis

Security Alerts

Security Reports

Audit Logging

The framework logs security-relevant events with the following information:

  1. Who: User identifier
  2. What: Action performed
  3. When: Timestamp
  4. Where: Source (IP, device)
  5. How: Method used
  6. Status: Success or failure
  7. Target: Resource affected

Secure Development Practices

The framework promotes secure development practices through its architecture and tooling.

Security by Design

Security by Design

Secure Defaults

Secure Patterns

Security Testing

Authentication Enabled

HTTPS Only

Security Headers

Input Validation

Output Encoding

Parameterized Queries

Static Analysis

Dependency Scanning

Penetration Testing

Security Testing

The framework includes tools and patterns for security testing:

  1. Static Analysis: Identifying security issues in code
  2. Dependency Scanning: Checking for vulnerable dependencies
  3. Security Unit Tests: Testing security controls
  4. Penetration Testing: Identifying vulnerabilities in running applications

Vulnerability Protection

The framework includes protections against common vulnerabilities.

OWASP Top 10 Protections

Vulnerability Protection Mechanism
Injection Parameterized queries, input validation, ORM
Broken Authentication Secure authentication system, MFA, account lockout
Sensitive Data Exposure Encryption, data classification, secure transmission
XML External Entities Safe XML parsing, input validation
Broken Access Control RBAC, principle of least privilege, authorization checks
Security Misconfiguration Secure defaults, configuration validation
Cross-Site Scripting Output encoding, Content Security Policy
Insecure Deserialization Safe deserialization practices, input validation
Using Components with Known Vulnerabilities Dependency scanning, automatic updates
Insufficient Logging & Monitoring Comprehensive audit logging, security monitoring

Security Configuration

The framework provides flexible security configuration options while maintaining secure defaults.

Configuration Areas

  1. Authentication: Configure authentication providers, token lifetimes, MFA settings
  2. Authorization: Define roles, permissions, and access control rules
  3. Encryption: Configure encryption algorithms, key management
  4. API Security: Configure rate limiting, CORS, CSP
  5. Logging: Configure audit logging, log storage, retention

Example Security Configuration

// Security configuration example
export const securityConfig = {
  authentication: {
    jwtSecret: process.env.JWT_SECRET,
    accessTokenExpiry: '15m',
    refreshTokenExpiry: '7d',
    mfa: {
      enabled: true,
      methods: ['totp', 'email']
    },
    oauth: {
      google: {
        enabled: true,
        clientId: process.env.GOOGLE_CLIENT_ID,
        clientSecret: process.env.GOOGLE_CLIENT_SECRET
      },
      github: {
        enabled: true,
        clientId: process.env.GITHUB_CLIENT_ID,
        clientSecret: process.env.GITHUB_CLIENT_SECRET
      }
    }
  },
  authorization: {
    defaultRole: 'user',
    superAdminRole: 'superadmin',
    rbacEnabled: true
  },
  encryption: {
    algorithm: 'aes-256-gcm',
    keyRotationDays: 90
  },
  api: {
    rateLimit: {
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100 // limit each IP to 100 requests per windowMs
    },
    cors: {
      origin: process.env.ALLOWED_ORIGINS.split(','),
      methods: ['GET', 'POST', 'PUT', 'DELETE'],
      allowedHeaders: ['Content-Type', 'Authorization']
    }
  },
  logging: {
    audit: {
      enabled: true,
      sensitiveFields: ['password', 'creditCard', 'ssn']
    }
  }
};

Security Best Practices

The framework documentation includes security best practices for developers:

  1. Authentication: Implement MFA, secure password policies, proper token handling
  2. Authorization: Follow principle of least privilege, implement proper access controls
  3. Data Protection: Encrypt sensitive data, implement proper data handling
  4. API Security: Validate all inputs, implement rate limiting, use proper error handling
  5. Secure Coding: Follow secure coding guidelines, avoid common vulnerabilities
  6. Deployment: Use secure deployment practices, implement proper security controls
  7. Monitoring: Implement comprehensive logging and monitoring

Conclusion

The security architecture of the Typus Development Framework provides a comprehensive approach to application security. By implementing multiple layers of security controls, the framework helps developers build secure applications by default while providing flexibility for specific security requirements.

The security model follows industry best practices and addresses common security concerns, including authentication, authorization, data protection, and vulnerability prevention. The framework's security components work together to provide a robust security posture for applications built with the framework.

WARNING

Failed to fetch dynamically imported module: https://typus.dev/assets/RecursiveNavItem-Cep7andh.js

{ "stack": "AppError: Failed to fetch dynamically imported module: https://typus.dev/assets/RecursiveNavItem-Cep7andh.js\n at https://typus.dev/assets/index-DS79FI73.js:315:420\n at dn (https://typus.dev/assets/vue-vendor-Ct83yDeK.js:13:1385)\n at We (https://typus.dev/assets/vue-vendor-Ct83yDeK.js:13:1455)\n at Ws.t.__weh.t.__weh (https://typus.dev/assets/vue-vendor-Ct83yDeK.js:14:7364)\n at jt (https://typus.dev/assets/vue-vendor-Ct83yDeK.js:13:1866)\n at v (https://typus.dev/assets/vue-vendor-Ct83yDeK.js:14:4019)\n at https://typus.dev/assets/vue-vendor-Ct83yDeK.js:14:4097" }