Complete task 4 backend security architecture docs

This commit is contained in:
Siavash Sameni
2026-05-24 11:31:40 +04:00
parent 4cf5c49274
commit 6a451040d9
18 changed files with 1006 additions and 73 deletions

View File

@@ -350,6 +350,16 @@ High-risk admin actions require re-authentication. Upon successful re-authentica
8. Frontend retries the original high-risk action.
9. The action proceeds.
### Traceability to Authorization Matrix
This matrix maps to:
- `AUTH-R025` (`POST /api/auth/step-up`) for the step-up API entry point.
- `AUTH-R026` (`GET /api/auth/sessions`), `AUTH-R027` (`POST /api/auth/revoke-session`), `AUTH-R028` (`POST /api/auth/revoke-all-sessions`) for session controls.
- `APV-R001`, `APV-R002`, `APV-R003` for approval queue + confirm/reject workflow.
Status: these rows are marked **Not implemented** in the matrix while this ADR remains in planning/rollout state.
### Two-person approval flow
For actions requiring two-person approval:
@@ -659,19 +669,19 @@ If any migration step causes issues:
| Threat | Document |
|---|---|
| T01 (fake payment proof) | [[Payment Provider Adapter Spec]] (future) |
| T02 (webhook replay) | [[Webhook Security Spec]] (future) |
| T03 (arbitrary socket room join) | Realtime Authorization Spec (future) |
| T05 (double payout) | [[Funds Ledger Specification]] (future) |
| T06 (dispute bypass) | Escrow State Machine (future) |
| T01 (fake payment proof) | [[Funds Ledger and Escrow State Machine Specification]], [[Payment Provider Adapter Spec]] |
| T02 (webhook replay) | [[Webhook Security Spec]] |
| T03 (arbitrary socket room join) | [[Realtime Authorization Spec]] |
| T05 (double payout) | [[Funds Ledger and Escrow State Machine Specification]] |
| T06 (dispute bypass) | [[Funds Ledger and Escrow State Machine Specification]] |
| T07 (email abuse) | Rate limiting implementation |
| T08 (AI cost abuse) | Rate limiting + auth implementation |
| T09 (admin privilege escalation) | [[Authorization Matrix]] + step-up auth (this ADR) |
| T09 (admin privilege escalation) | [[Authorization Matrix - REST and Socket.IO]] + step-up auth (this ADR) |
| T11 (unauthenticated payment endpoints) | Auth middleware implementation |
| T12 (rate limit bypass) | Rate limiting implementation |
| T14 (supply-chain) | [[Secure Build and Supply-Chain Policy]] |
| T16 (deep-link tampering) | Telegram initData verification |
| T17 (provider outage) | Operational runbooks |
| T17 (provider outage) | [[Backend Funds Migration and Operational Runbooks]] |
| T18 (insider manipulation) | Multi-sig wallet + funds ledger + two-person approval (this ADR) |
| T19 (price manipulation) | Offer status enforcement |
| T20 (delivery brute force) | Rate limiting + code entropy |