Skip to content

Security: Dhruv-Cmds/Delivery-System

Security

docs/security.md

Security

This document describes the authentication, authorization, validation, and security measures implemented in the FastAPI Delivery System.


Overview

Security is a core part of the application's design. The project uses JWT-based authentication, Role-Based Access Control (RBAC), password hashing, HTTPS, and application-level validation to protect user data and financial operations.

The current implementation is intended for educational and portfolio purposes while following common production security practices.


Security Architecture

                Client
                   │
                   ▼
        JWT Authentication
                   │
                   ▼
        Authorization (RBAC)
                   │
                   ▼
          FastAPI Endpoints
                   │
                   ▼
         Service Layer Validation
                   │
                   ▼
       Database Transactions

Every protected request passes through authentication, authorization, and business validation before accessing the database.


Authentication Flow

Client
   │
   ▼
Login Request
   │
   ▼
Verify Credentials
   │
   ▼
Generate JWT
   │
   ▼
Return Access Token
   │
   ▼
Authenticated Requests

Clients must include the access token in the Authorization header.

Authorization: Bearer <ACCESS_TOKEN>

Only authenticated users can access protected endpoints.


Password Security

Passwords are never stored in plain text.

The application uses:

  • bcrypt
  • passlib

This provides secure password hashing before credentials are stored in the database.


Authorization

Role-Based Access Control (RBAC) is used to restrict privileged operations.

Current roles include:

  • User
  • Admin

Administrative endpoints are accessible only to authenticated users with the appropriate role.

Examples include:

  • View all users
  • View all accounts
  • Close accounts
  • Administrative management endpoints

Supported Roles

Role Description
Admin Full system access
Customer Order management and personal resources
Restaurant Owner Restaurant and menu management
Delivery Partner Delivery-related operations

Examples of authorization checks include:

  • Administrative endpoints require administrator privileges.
  • Customers can access only their own orders.
  • Restaurant owners can manage only their own restaurants.
  • Delivery partners can access only assigned deliveries.

Account Security

Several validation rules protect account operations.

Implemented safeguards include:

  • Account ownership validation
  • JWT-protected account access
  • Soft account closure
  • Active account verification

Only ACTIVE Customers may perform operations.


Payment Safety

Financial operations are protected through application-level validation.

Current safeguards include:

  • Prevent negative balances
  • Validate account ownership
  • Atomic database transactions

Transfers are executed using commit/rollback mechanisms to maintain data consistency.


Request Validation

All incoming requests are validated using Pydantic schemas before reaching the service layer.

Validation includes:

  • Required fields
  • Data types
  • Length constraints
  • Numeric validation
  • Enum validation
  • Optional field handling

Invalid requests are rejected before any database operation is performed.


API Protection

The API includes multiple layers of protection.

Protection Purpose
JWT Authentication Verify user identity
RBAC Restrict access by role
Rate Limiting Reduce abuse and excessive requests
Pydantic Validation Reject malformed input
SQLAlchemy ORM Prevent SQL injection through parameterized queries
Exception Handling Return consistent error responses

Rate Limiting

The application integrates SlowAPI to reduce abuse and protect authentication endpoints.

Benefits include:

  • Brute-force protection
  • Reduced abuse
  • Fair resource usage
  • Improved application stability

Rate limiting becomes increasingly important during periods of high traffic.


Data Protection

SQL Injection Prevention

Database queries are executed through SQLAlchemy ORM using parameterized statements instead of string concatenation.

Benefits include:

  • Reduced SQL injection risk
  • Safer query generation
  • Improved maintainability

Input Sanitization

User input is validated before processing.

Examples include:

  • String length validation
  • Numeric constraints
  • Required fields
  • Enum validation
  • Type checking

Sensitive Information

The following values should never be committed to source control:

  • JWT secret keys
  • Database passwords
  • Redis passwords
  • Production API keys
  • Environment configuration files containing secrets

Secrets should be stored using environment variables or a dedicated secrets management solution.


Business Rule Validation

Beyond request validation, the service layer enforces business rules to protect application integrity.

Examples include:

Rule Description
Payment Validation Prevent negative payment amounts.
Payment Limit Reject payments exceeding the configured maximum amount.
Customer Status Only ACTIVE customers may place orders.
Order Limits Enforce the maximum number of items allowed per order.
Ownership Validation Users may access only resources they own unless authorized otherwise.
Restaurant Ownership Restaurant owners may manage only their own restaurants.
Menu Ownership Menu items can be modified only by the owning restaurant.
Delivery Assignment Delivery partners may update only deliveries assigned to them.

These rules are enforced within the service layer and remain independent of the API layer.


Security Checklist

The following protections are currently implemented.

Feature Status
JWT Authentication
Password Hashing
RBAC
Protected Endpoints
Request Validation
SQL Injection Protection
Rate Limiting
Ownership Validation
Centralized Exception Handling

Production Recommendations

For production deployments, consider the following best practices:

  • Use strong, randomly generated JWT secret keys.
  • Serve the application exclusively over HTTPS.
  • Rotate secrets periodically.
  • Restrict database access to trusted networks.
  • Enable firewall rules for exposed services.
  • Keep Docker images and dependencies up to date.
  • Store secrets in a secure secret management system.
  • Enable structured logging and monitoring.
  • Perform regular database backups.
  • Review user permissions periodically.
  • Monitor authentication failures and suspicious activity.

Environment Variables

Sensitive configuration values are managed using environment variables.

Examples include:

  • Database credentials
  • Redis configuration
  • JWT secret key
  • Token expiration
  • Administrator credentials

Secrets should never be committed to version control.


Logging & Error Handling

The application avoids exposing sensitive internal details through API responses.

Security-focused practices include:

  • Generic authentication errors
  • Centralized exception handling
  • Structured logging
  • Controlled error responses

These practices help reduce unnecessary information disclosure.


Security Best Practices

The project follows several recommended practices:

  • Hash all passwords
  • Store secrets in environment variables
  • Restrict privileged endpoints with RBAC
  • Validate all user input
  • Keep business logic inside the service layer
  • Protect database transactions with rollback support
  • Apply rate limiting where appropriate
  • Keep dependencies updated

Future Improvements

The following security enhancements are planned for future releases:

  • Refresh tokens
  • Multi-factor authentication (MFA)
  • Email verification
  • Password reset workflow
  • Session revocation
  • Security audit logging
  • OAuth2/OpenID Connect support

Related Documentation

  • README.md
  • architecture.md
  • deployment.md
  • docker.md
  • testing.md

There aren't any published security advisories