ScaffoldHub - v2

Security

Last updated 4 years ago

For an overview of the security, please check Features > Security.

This section explains in detail how security is implemented on ScaffoldHub.

All the security files must be replicated on both frontend and backend.

  • frontend/src/security

  • backend/src/security

Frontend security only keeps the application from showing what users are not allowed to do; it can easily be bypassed, because frontend files are just HTML, CSS, and JavaScript. Real security happens on the backend.

Permissions

Every action a user can perform on the application has a related permission. Each permission declares:

  • allowedRoles: The user roles that contain that permission.

  • allowedPlans: The plans that contain that permission.

  • allowedStorage: The file storage folders that permission can access.

Backend Authentication

When the user signs in, they receive a secure JWT token.

The frontend then sends this token on each request via the Authorization header.

Using an authentication middleware, the backend validates this token, fetches the current user, and assigns them to the request.

Backend Permission

Each endpoint validates that the user has the permission required to access that resource.

Some endpoints, like sign-in and sign-up, do not require the user to be authenticated, and for those cases, it just doesn't validate the presence of the user on the request.

Frontend Permission

Menus

Menus have a permission assigned to them and are only shown if the user has a role that contains that permission.

Buttons

Action buttons also validate whether the user has the required permission before they are shown.
