Authentication & Security¶
The Stratpoint Timesheet Application implements a comprehensive security framework designed to protect sensitive employee and business data while providing seamless user experience. This section details the authentication mechanisms, authorization systems, and security measures implemented throughout the application.
Authentication Architecture¶
Current Authentication Implementation¶
The system currently uses JWT-based authentication with email/password credentials:
graph TB
A[User Login Request] --> B[Email/Password Validation]
B --> C[Database User Lookup]
C --> D[Generate JWT Token]
D --> E[Return Token + User Data]
E --> F[Client Storage]Note: SSO infrastructure exists in the codebase (BrewerySsoService) but is not currently active or deployed.
JWT Token-Based Authentication¶
Token Structure:
{
"header": {
"typ": "JWT",
"alg": "HS256"
},
"payload": {
"sub": "user_id",
"iat": "issued_at",
"exp": "expiration",
"pinasukan": "app_source",
"orasPumasok": "login_time"
},
"signature": "encrypted_signature"
}
Token Management: - Automatic token refresh before expiration - Secure token storage in HTTP-only cookies - Token revocation on logout - Cross-tab session synchronization
SSO Implementation Status¶
Future Development: - SSO infrastructure (BrewerySsoService) exists but is not active - Configuration exists in config/timesheet.php - Ready for future implementation when business requirements demand it
SSO Configuration (prepared but inactive):
'sso' => [
'adapterUrl' => env('ADAPTER_URL'),
'authRealm' => env('AUTH_REALM'),
'authServerUrl' => env('AUTH_SERVER_URL'),
'authClientId' => env('AUTH_CLIENT_ID'),
'secret' => env('SSO_SECRET'),
'key' => env('SSO_KEY'),
]
Authorization System¶
Role-Based Access Control (RBAC)¶
The application implements a comprehensive RBAC system:
graph TB
A[User] --> B[Role Assignment]
B --> C[Role]
C --> D[Permission Set]
D --> E[Individual Permissions]
E --> F[Resource Access]
G[Hierarchical Approvers] --> H[Approval Authority]
H --> I[Approval Scope]
A --> GRole Structure: - Super Admin: Full system access - Admin: Administrative functions - Finance: Financial data access - Project Manager: Project management capabilities - Resource Manager: Team and resource management - Delivery Head: Delivery oversight - Employee: Basic user functions
Permission System¶
Permission Categories: - CRUD Operations: Create, Read, Update, Delete permissions for entities - Functional Permissions: Access to specific features and reports - Data Permissions: Access to sensitive data fields - Administrative Permissions: System configuration and user management
Permission Implementation:
class User extends BaseModel
{
public function hasPermission($permissionId)
{
$permissions = explode(',', $this->permission_ids);
return in_array($permissionId, $permissions);
}
public function canApprove($resourceType, $resourceId)
{
// Check approval authority based on hierarchy
return $this->checkApprovalHierarchy($resourceType, $resourceId);
}
}
Hierarchical Approval System¶
Approval Hierarchy:
graph TB
A[Employee] --> B[Direct Supervisor]
B --> C[Department Manager]
C --> D[Division Head]
D --> E[Executive Leadership]
F[Project Team Member] --> G[Project Manager]
G --> H[Delivery Head]
H --> I[Business Unit Head]Approval Workflows: - Timesheet approvals - Leave request approvals - Project assignment approvals - Budget and expense approvals
Security Measures¶
Data Protection¶
Encryption at Rest:
use App\Http\Traits\EncryptableTrait;
class ProjectUser extends BaseModel
{
use EncryptableTrait;
protected $encryptable = [
'hourlySalary',
'sensitiveFinancialData'
];
}
Encryption in Transit: - HTTPS/TLS encryption for all communications - Certificate-based authentication - Secure API endpoints
Input Validation and Sanitization¶
Request Validation:
class TimelogRequest extends FormRequest
{
public function rules()
{
return [
'startTime' => 'required|date|before_or_equal:now',
'stopTime' => 'required|date|after:startTime',
'description' => 'required|string|max:1000|regex:/^[a-zA-Z0-9\s\-\.,!?]+$/',
'spentHours' => 'required|numeric|min:0.25|max:24'
];
}
public function sanitize()
{
$input = $this->all();
$input['description'] = strip_tags($input['description']);
$this->replace($input);
}
}
SQL Injection Prevention: - Eloquent ORM with parameterized queries - Input sanitization and validation - Prepared statements for raw queries
XSS Protection: - Output encoding and escaping - Content Security Policy (CSP) headers - Input sanitization
API Security¶
Rate Limiting:
Route::group(['middleware' => ['throttle:100,1']], function () {
// API routes with rate limiting
});
CORS Configuration:
'cors' => [
'paths' => ['api/*'],
'allowed_methods' => ['GET', 'POST', 'PUT', 'DELETE'],
'allowed_origins' => ['https://timesheet.stratpoint.com'],
'allowed_headers' => ['Content-Type', 'Authorization'],
'max_age' => 86400,
]
API Authentication:
class MyGetUserFromToken extends Authenticate
{
public function handle($request, \Closure $next)
{
// Current Implementation (JWT only)
$result = $this->authUsingJWT($request);
// Note: SSO authentication code exists but is not active:
// if ($authMethod == 'brewerySso') {
// $result = BrewerySsoService::authenticate($request);
// }
// Validate and proceed
return $next($request);
}
}
Application Source Validation¶
App Source Security:
class AuthAppBulongOnly
{
public function handle($request, \Closure $next, $appName = null)
{
$sourceApp = $request->galingsa;
$sourceAppToken = $request->bulong;
// Decrypt and validate source
$decryptedText = $this->decryptParam($sourceApp, $sourceAppToken);
// Validate time range and source
if (!$this->validateSourceAndTime($decryptedText)) {
return response()->json(['error' => 'Invalid source'], 401);
}
return $next($request);
}
}
Security Monitoring¶
Audit Logging¶
Comprehensive Audit Trail:
class AuditLog extends BaseModel
{
protected $fillable = [
'user_id',
'action',
'model_type',
'model_id',
'old_values',
'new_values',
'ip_address',
'user_agent',
'created_at'
];
public static function logActivity($action, $model, $oldValues = null, $newValues = null)
{
self::create([
'user_id' => auth()->id(),
'action' => $action,
'model_type' => get_class($model),
'model_id' => $model->id,
'old_values' => json_encode($oldValues),
'new_values' => json_encode($newValues),
'ip_address' => request()->ip(),
'user_agent' => request()->userAgent()
]);
}
}
Access Logging¶
Request Logging Middleware:
class LogAccess
{
public function handle($request, \Closure $next, $appSource)
{
$logData = [
'app_source' => $appSource,
'ip_address' => $request->ip(),
'user_agent' => $request->userAgent(),
'endpoint' => $request->path(),
'method' => $request->method(),
'timestamp' => now()
];
Log::info('API Access', $logData);
return $next($request);
}
}
Security Headers¶
HTTP Security Headers:
// Security headers middleware
class SecurityHeaders
{
public function handle($request, \Closure $next)
{
$response = $next($request);
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('X-Frame-Options', 'DENY');
$response->headers->set('X-XSS-Protection', '1; mode=block');
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
$response->headers->set('Content-Security-Policy', "default-src 'self'");
return $response;
}
}
Session Management¶
Session Security¶
Session Configuration:
'session' => [
'driver' => 'redis',
'lifetime' => 120,
'expire_on_close' => true,
'encrypt' => true,
'files' => storage_path('framework/sessions'),
'connection' => 'session',
'table' => 'sessions',
'store' => null,
'lottery' => [2, 100],
'cookie' => 'timesheet_session',
'path' => '/',
'domain' => '.stratpoint.com',
'secure' => true,
'http_only' => true,
'same_site' => 'strict',
]
Multi-Tab Session Synchronization¶
Session Synchronization:
// Frontend session management
StratpointTSApp.factory('SessionSync', function($window, $rootScope) {
return {
syncSessions: function() {
// Synchronize tokens across browser tabs
if ($window.localStorage['timesheet.user']) {
var user = JSON.parse($window.localStorage['timesheet.user']);
$rootScope.currentToken = user.access_token;
}
}
};
});
Compliance and Privacy¶
Data Privacy¶
GDPR Compliance: - Data minimization principles - User consent management - Right to data portability - Right to be forgotten
Data Retention:
// Automated data cleanup
class DataRetentionJob implements ShouldQueue
{
public function handle()
{
// Remove old audit logs
AuditLog::where('created_at', '<', now()->subYears(7))->delete();
// Archive old timelogs
Timelog::where('created_at', '<', now()->subYears(5))
->update(['archived' => true]);
}
}
Regulatory Compliance¶
Audit Requirements: - Complete audit trails for all data changes - User access logging - Data export capabilities - Compliance reporting
This comprehensive security framework ensures that the Stratpoint Timesheet Application maintains the highest standards of data protection and user privacy while providing secure access to authorized users and systems.