adminbruno
/
docuseal
mirror of https://github.com/docusealco/docuseal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '984d36aea2'
${ noResults }
docuseal/docs/architecture/security-integration.md

2.1 KiB
Raw Blame History

Security Integration

Existing Security Measures

Authentication: Devise with database_authenticatable, 2FA support, JWT tokens Authorization: Cancancan with Ability class, role-based via AccountAccess Data Protection: Encrypted fields, secure file storage, CSRF protection Security Tools: Devise security extensions, input validation, secure headers

Enhancement Security Requirements

New Security Measures:

  • Token-based Sponsor Access: Unique tokens for sponsor portal (not JWT)
  • Institution Isolation: Ensure strict data separation between institutions
  • Role Validation: Portal-specific role checks at controller level
  • Document Access Control: Verify enrollment ownership before document access
  • Bulk Operation Limits: Rate limiting for sponsor bulk signing

Integration Points:

  • Authentication: Extend existing Devise setup with cohort-specific roles
  • Authorization: Add cohort permissions to existing Cancancan abilities
  • Data Protection: Apply existing encryption to new sensitive fields
  • Session Management: Use existing session handling for portal access

Compliance Requirements:

  • South African Regulations: Electronic signature compliance (existing HexaPDF signatures)
  • Data Privacy: POPIA compliance for student personal data (existing GDPR patterns)
  • Audit Trail: Document verification actions logged (extends existing audit capabilities)

Security Testing

Existing Security Tests: Devise security tests, API authentication tests New Security Test Requirements:

  • Portal Access Control: Test role-based portal access
  • Institution Isolation: Test cross-institution data access prevention
  • Token Security: Test sponsor token generation, expiration, reuse prevention
  • Bulk Operation Security: Test rate limiting and abuse prevention

Penetration Testing:

  • Scope: New cohort endpoints and portal authentication
  • Focus: Token-based sponsor access, institution isolation, bulk operations
  • Tools: Existing security scanning tools, OWASP ZAP for API testing