adminbruno
/
docuseal
mirror of https://github.com/docusealco/docuseal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '984d36aea2'
${ noResults }
docuseal/docs/architecture/security-integration.md

45 lines
2.1 KiB
Raw Blame History

# Security Integration
## Existing Security Measures
**Authentication:** Devise with database_authenticatable, 2FA support, JWT tokens
**Authorization:** Cancancan with `Ability` class, role-based via `AccountAccess`
**Data Protection:** Encrypted fields, secure file storage, CSRF protection
**Security Tools:** Devise security extensions, input validation, secure headers
## Enhancement Security Requirements
**New Security Measures:**
- **Token-based Sponsor Access:** Unique tokens for sponsor portal (not JWT)
- **Institution Isolation:** Ensure strict data separation between institutions
- **Role Validation:** Portal-specific role checks at controller level
- **Document Access Control:** Verify enrollment ownership before document access
- **Bulk Operation Limits:** Rate limiting for sponsor bulk signing
**Integration Points:**
- **Authentication:** Extend existing Devise setup with cohort-specific roles
- **Authorization:** Add cohort permissions to existing Cancancan abilities
- **Data Protection:** Apply existing encryption to new sensitive fields
- **Session Management:** Use existing session handling for portal access
**Compliance Requirements:**
- **South African Regulations:** Electronic signature compliance (existing HexaPDF signatures)
- **Data Privacy:** POPIA compliance for student personal data (existing GDPR patterns)
- **Audit Trail:** Document verification actions logged (extends existing audit capabilities)
## Security Testing
**Existing Security Tests:** Devise security tests, API authentication tests
**New Security Test Requirements:**
- **Portal Access Control:** Test role-based portal access
- **Institution Isolation:** Test cross-institution data access prevention
- **Token Security:** Test sponsor token generation, expiration, reuse prevention
- **Bulk Operation Security:** Test rate limiting and abuse prevention
**Penetration Testing:**
- **Scope:** New cohort endpoints and portal authentication
- **Focus:** Token-based sponsor access, institution isolation, bulk operations
- **Tools:** Existing security scanning tools, OWASP ZAP for API testing
---
Reference in new issue View Git Blame Copy Permalink