This document describes the security enhancements made to the PropChain authentication system, including the removal of insecure console logging.
- Issue: Sensitive information (tokens, emails) was exposed in production logs
- Solution: Replaced all `console.log` statements with structured logging using `StructuredLoggerService`
- Files Modified:
  - `src/auth/auth.service.ts`
- Issue: JWT tokens couldn't be revoked once issued
- Solution: Implemented token blacklisting using Redis with automatic TTL expiration
- Features:
- Blacklist tokens on logout with proper TTL
- JWT guard checks blacklisted tokens
- Automatic cleanup of expired blacklisted tokens
- Files Modified:
  - `src/auth/auth.service.ts`
  - `src/auth/guards/jwt-auth.guard.ts`
  - `src/auth/auth.controller.ts`
- Issue: No protection against password guessing attacks
- Solution: Implemented login attempt tracking with account locking
- Features:
- Track failed attempts by email and IP address
- Lock accounts after configurable number of failed attempts
- Automatic lockout expiration
- Exponential backoff for repeated failures
- Files Created:
  - `src/auth/guards/login-attempts.guard.ts`
- Files Modified:
  - `src/auth/auth.controller.ts`
  - `src/auth/auth.module.ts`
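The guard described above, as an added example that is not the project's `login-attempts.guard.ts`: failed attempts are counted under the `login_attempts:{email}` and `login_attempts:ip:{ip}` keys from the Redis key schema in this document, a plain object stands in for Redis so it runs offline, and the configuration values mirror the sample `.env` (`LOGIN_MAX_ATTEMPTS=5`, `LOGIN_LOCKOUT_DURATION=900`). The backoff rule (each successive lockout doubles, capped at an assumed `maxLockoutSeconds`) and keeping the lockout history one extra window past unlock are assumptions.

```typescript
interface LockoutConfig { maxAttempts: number; lockoutSeconds: number; maxLockoutSeconds: number }
interface AttemptRecord { count: number; lockouts: number; lockedUntil: number; expiresAt: number }
class LoginAttemptsGuard {
  // Plain object standing in for Redis (assumed); keys follow this document's schema.
  private records: Record<string, AttemptRecord> = {};
  constructor(private readonly cfg: LockoutConfig) {}

  private keysFor(email: string, ip: string): string[] {
    return [`login_attempts:${email}`, `login_attempts:ip:${ip}`];
  }

  private load(key: string, now: number): AttemptRecord {
    const r = this.records[key];
    if (r && r.expiresAt > now) return r;
    delete this.records[key]; // emulate key expiry: a stale record counts as absent
    return { count: 0, lockouts: 0, lockedUntil: 0, expiresAt: 0 };
  }

  // Seconds the client must wait before another attempt, or 0 if the login may proceed.
  // Both the per-email and the per-IP counter must be clear.
  retryAfter(email: string, ip: string, now: number): number {
    const waits = this.keysFor(email, ip)
      .map(k => Math.max(0, Math.ceil((this.load(k, now).lockedUntil - now) / 1000)));
    return Math.max(waits[0], waits[1]);
  }

  recordFailure(email: string, ip: string, now: number): void {
    for (const key of this.keysFor(email, ip)) {
      const r = this.load(key, now);
      r.count += 1;
      let ttl = this.cfg.lockoutSeconds; // plain failures are forgotten after one lockout window
      if (r.count >= this.cfg.maxAttempts) {
        // Lock out; each further lockout doubles the duration (exponential backoff), capped.
        ttl = Math.min(this.cfg.lockoutSeconds * Math.pow(2, r.lockouts), this.cfg.maxLockoutSeconds);
        r.lockouts += 1;
        r.count = 0;
        r.lockedUntil = now + ttl * 1000;
        ttl += this.cfg.lockoutSeconds; // keep the lockout history one window past unlock (assumed)
      }
      r.expiresAt = now + ttl * 1000;
      this.records[key] = r;
    }
  }

  // A successful login clears both counters (Redis DEL).
  recordSuccess(email: string, ip: string): void {
    for (const key of this.keysFor(email, ip)) delete this.records[key];
  }
}
```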
- Issue: Weak password requirements and no validation
- Solution: Implemented comprehensive password validation and security policies
- Features:
- Configurable password strength requirements
- Password pattern validation (length, special chars, numbers, uppercase)
- Common password pattern detection
- Configurable bcrypt rounds
- Files Created:
  - `src/common/validators/password.validator.ts`
- Files Modified:
  - `src/users/user.service.ts`
  - `src/users/users.module.ts`
  - `src/config/configuration.ts`
  - `src/config/interfaces/joi-schema-config.interface.ts`
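A policy check driven by the same variables as the sample `.env` (`PASSWORD_MIN_LENGTH`, `PASSWORD_REQUIRE_*`), added here as an example and not the project's `password.validator.ts`; the common-pattern rules (a small constructed fragment list, repeated characters, ascending sequences) are assumed.

```typescript
interface PasswordPolicy {
  minLength: number;
  requireSpecialChars: boolean;
  requireNumbers: boolean;
  requireUppercase: boolean;
}

// Constructed sample of fragments that mark a password as "common"; a real deployment
// would load a larger list. Assumed, not the project's list.
const COMMON_FRAGMENTS = ['password', 'qwerty', 'letmein', 'admin', 'welcome', 'propchain'];

// Defaults mirror the sample .env (PASSWORD_MIN_LENGTH=12, all PASSWORD_REQUIRE_*=true).
function policyFromEnv(env: Record<string, string | undefined>): PasswordPolicy {
  const flag = (v: string | undefined) => (v ?? 'true') === 'true';
  return {
    minLength: Number(env.PASSWORD_MIN_LENGTH ?? '12'),
    requireSpecialChars: flag(env.PASSWORD_REQUIRE_SPECIAL_CHARS),
    requireNumbers: flag(env.PASSWORD_REQUIRE_NUMBERS),
    requireUppercase: flag(env.PASSWORD_REQUIRE_UPPERCASE),
  };
}

// True if any `run` consecutive characters are identical ("aaaa") or ascend by one
// ("1234", "abcd"); case-insensitive.
function hasSequence(s: string, run: number): boolean {
  const lower = s.toLowerCase();
  for (let i = 0; i + run <= lower.length; i++) {
    let ascending = true;
    let repeated = true;
    for (let j = 1; j < run; j++) {
      const step = lower.charCodeAt(i + j) - lower.charCodeAt(i + j - 1);
      if (step !== 1) ascending = false;
      if (step !== 0) repeated = false;
    }
    if (ascending || repeated) return true;
  }
  return false;
}

// Returns every violated rule (empty array = password accepted), so the API can
// report all problems at once instead of one per round trip.
function validatePassword(pw: string, p: PasswordPolicy): string[] {
  const errors: string[] = [];
  if (pw.length < p.minLength) errors.push(`must be at least ${p.minLength} characters`);
  if (p.requireUppercase && !/[A-Z]/.test(pw)) errors.push('must contain an uppercase letter');
  if (p.requireNumbers && !/[0-9]/.test(pw)) errors.push('must contain a number');
  if (p.requireSpecialChars && !/[^A-Za-z0-9]/.test(pw)) errors.push('must contain a special character');
  const lower = pw.toLowerCase();
  if (COMMON_FRAGMENTS.some(f => lower.indexOf(f) !== -1)) errors.push('contains a common password fragment');
  if (hasSequence(pw, 4)) errors.push('contains a repeated or sequential run of 4+ characters');
  return errors;
}
```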
- Issue: No proper session tracking or management
- Solution: Implemented Redis-based session management
- Features:
- Track active sessions per user
- Session timeout configuration
- API endpoints for session management
- Concurrent session limiting
- Files Modified:
  - `src/auth/auth.service.ts`
  - `src/auth/auth.controller.ts`
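Token revocation (the blacklisting item above) and concurrent-session limiting share one Redis store, so one added example covers both; it is not the project's code. `TtlStore` is an in-memory stand-in for Redis, the `blacklisted_token:{jti}` and `active_session:{userId}:{jti}` key names follow the Redis key schema in this document, and the session limit and the eviction rule (drop the user's oldest session) are assumptions.

```typescript
interface JwtPayload { sub: string; jti: string; exp: number } // exp in seconds, as in RFC 7519
// Minimal stand-in for Redis (SET ... EX, GET, DEL, key scan) so the example runs offline.
class TtlStore {
  private e: Record<string, { value: string; expiresAt: number }> = {};
  set(k: string, v: string, ttlSec: number, now: number): void {
    this.e[k] = { value: v, expiresAt: now + ttlSec * 1000 };
  }
  get(k: string, now: number): string | null {
    const x = this.e[k];
    if (!x) return null;
    if (x.expiresAt <= now) { delete this.e[k]; return null; } // lazy expiry, as Redis does
    return x.value;
  }
  del(k: string): void { delete this.e[k]; }
  keys(prefix: string, now: number): string[] {
    return Object.keys(this.e).filter(k => k.indexOf(prefix) === 0 && this.get(k, now) !== null);
  }
}

class TokenRegistry {
  constructor(private readonly store: TtlStore, private readonly maxSessions: number) {}
  // Login: register the session (value = issue time, so the oldest can be found). When the
  // user already holds maxSessions live sessions the oldest is evicted (assumed policy).
  registerSession(p: JwtPayload, now: number): string | null {
    const ttl = p.exp - Math.floor(now / 1000);
    if (ttl <= 0) return null;
    const prefix = `active_session:${p.sub}:`;
    const live = this.store.keys(prefix, now)
      .sort((a, b) => Number(this.store.get(a, now)) - Number(this.store.get(b, now)));
    let evicted: string | null = null;
    if (live.length >= this.maxSessions) { evicted = live[0].slice(prefix.length); this.store.del(live[0]); }
    this.store.set(prefix + p.jti, String(now), ttl, now);
    return evicted;
  }
  // Logout: blacklist the jti only for the token's remaining lifetime, then drop the session.
  logout(p: JwtPayload, now: number): void {
    const ttl = p.exp - Math.floor(now / 1000);
    if (ttl > 0) this.store.set(`blacklisted_token:${p.jti}`, p.sub, ttl, now);
    this.store.del(`active_session:${p.sub}:${p.jti}`);
  }
  // Guard check after signature verification: not expired, not blacklisted, session still live.
  isAccepted(p: JwtPayload, now: number): boolean {
    if (p.exp * 1000 <= now) return false;
    if (this.store.get(`blacklisted_token:${p.jti}`, now) !== null) return false;
    return this.store.get(`active_session:${p.sub}:${p.jti}`, now) !== null;
  }
}
```

Because the blacklist entry expires together with the token, the store never grows beyond the set of tokens that could still be presented.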
- Issue: No additional authentication factors beyond password
- Solution: Implemented TOTP-based MFA with backup codes
- Features:
- TOTP (Time-based One-Time Password) support
- QR code generation for authenticator apps
- Backup codes for recovery
- MFA status management
- API endpoints for MFA setup and management
- Files Created:
  - `src/auth/mfa/mfa.service.ts`
  - `src/auth/mfa/mfa.controller.ts`
  - `src/auth/mfa/mfa.module.ts`
  - `src/auth/mfa/index.ts`
## Environment Variables

```env
# Password Security
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_SPECIAL_CHARS=true
PASSWORD_REQUIRE_NUMBERS=true
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_HISTORY_COUNT=5
PASSWORD_EXPIRY_DAYS=90
# Authentication Security
JWT_BLACKLIST_ENABLED=true
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=900
SESSION_TIMEOUT=3600
MFA_ENABLED=true
MFA_CODE_EXPIRY=300
# Security
BCRYPT_ROUNDS=12
SESSION_SECRET=your-session-secret-key-change-this-in-production
```

## API Endpoints

Authentication:

- `POST /auth/login` - Login with email/password (protected by brute force guard)
- `POST /auth/web3-login` - Web3 wallet login
- `POST /auth/logout` - Logout and blacklist current token
- `POST /auth/refresh-token` - Refresh access token
- `POST /auth/register` - Register new user
- `POST /auth/forgot-password` - Request password reset
- `PUT /auth/reset-password` - Reset password with token
- `GET /auth/verify-email/:token` - Verify email address

Session management:

- `GET /auth/sessions` - Get all active sessions
- `DELETE /auth/sessions/:sessionId` - Invalidate specific session
- `DELETE /auth/sessions` - Invalidate all sessions

MFA:

- `POST /mfa/setup` - Generate MFA setup QR code
- `POST /mfa/verify` - Verify and complete MFA setup
- `GET /mfa/status` - Get MFA status
- `DELETE /mfa/disable` - Disable MFA
- `POST /mfa/backup-codes` - Generate new backup codes
- `POST /mfa/verify-backup` - Verify backup code
## Tests

- `test/auth/mfa.service.spec.ts` - MFA service unit tests
- Password validation tests in user service tests
- `test/auth/security.e2e-spec.ts` - Comprehensive security tests including:
  - Token blacklisting
  - Brute force protection
  - Password security validation
  - Session management
## Redis Key Schema

```text
# Login Attempts
login_attempts:{email} -> {count} (expires after lockout duration)
login_attempts:ip:{ip} -> {count} (expires after lockout duration)
# Token Blacklisting
blacklisted_token:{jti} -> {userId} (expires with token TTL)
# Active Sessions
active_session:{userId}:{jti} -> {sessionData} (expires with session TTL)
# MFA Data
mfa_setup:{userId} -> {secret} (temporary, expires after setup timeout)
mfa_secret:{userId} -> {secret} (permanent MFA secret)
mfa_backup_codes:{userId} -> {codesArray} (expires after 12 hours)
mfa_verified:{userId}:{token} -> {1} (prevents replay attacks, expires after timeout)
```
- Never log sensitive data - All sensitive information is filtered from logs
- Proper token invalidation - Tokens can be blacklisted and revoked
- Rate limiting - Prevents brute force attacks
- Strong password requirements - Configurable password policies
- Session management - Track and control active sessions
- Multi-factor authentication - Additional security layer
- Secure configuration - Environment-based security settings
- Comprehensive testing - Unit and integration tests for security features
- Environment Configuration: Ensure proper environment variables are set in production
- Redis Configuration: Configure Redis with appropriate persistence and security settings
- Monitoring: Set up monitoring for security events and failed login attempts
- Backup Codes: Ensure users store MFA backup codes securely
- Regular Audits: Periodically review security logs and configurations
- IP-based restrictions - Allow/deny lists for specific IP ranges
- Device fingerprinting - Track and verify user devices
- Adaptive authentication - Risk-based authentication decisions
- Security headers - Implement additional HTTP security headers
- Audit logging - Comprehensive security event logging
- Compliance reporting - Generate security compliance reports