
Security and Performance

Access Control Rules

Critical Authorization Constraints:

  1. Client User Permissions:

    • Clients have READ-ONLY access to all entities
    • Clients CANNOT create, update, or delete any records
    • All entity data is view-only for CLIENT role
    • Write operations (POST, PUT, PATCH, DELETE) must return 403 Forbidden for CLIENT users
  2. Form Access Restrictions:

    • Only ADMIN users can access form interfaces for creating/editing entities
    • MANAGER and CLIENT roles have no form creation/editing capabilities
    • Form routes and components must enforce ADMIN-only access
    • All form submissions must validate ADMIN role at both frontend and backend
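The two constraint groups above reduce to a single pure decision function that can be called from both the frontend route layer and the backend request layer, so the ADMIN check on form submissions is the same code in both places. The block below is an added example, not the project's own code; the route pattern for "form interfaces" (`/forms` and `/api/forms`), the `AuthRequest` shape, and the choice to let MANAGER write through non-form API routes (the page only restricts MANAGER from forms) are assumptions.

```typescript
// Added example (not the project's code): framework-agnostic authorization
// decision encoding the Access Control Rules. Role names come from the page;
// the form-route pattern and request shape are assumptions.

export type Role = "ADMIN" | "MANAGER" | "CLIENT";
export type Method = "GET" | "HEAD" | "POST" | "PUT" | "PATCH" | "DELETE";

export interface AuthRequest {
  role: Role;
  method: Method;
  path: string; // e.g. "/api/invoices" (entity API) or "/forms/invoice" (form UI)
}

export interface Decision {
  allowed: boolean;
  status: 200 | 403;
  reason: string;
}

// Write operations that must be refused for CLIENT users (from the page).
const WRITE_METHODS: ReadonlySet<Method> = new Set<Method>(["POST", "PUT", "PATCH", "DELETE"]);

// Assumption: form interfaces live under /forms (frontend) and /api/forms (backend).
const FORM_ROUTE = /^\/(api\/)?forms(\/|$)/;

export function authorize(req: AuthRequest): Decision {
  const isWrite = WRITE_METHODS.has(req.method);
  const isForm = FORM_ROUTE.test(req.path);

  // Rule 2: form routes are ADMIN-only for every method, including GET,
  // because MANAGER and CLIENT have no form capabilities at all.
  if (isForm && req.role !== "ADMIN") {
    return { allowed: false, status: 403, reason: "form routes require ADMIN" };
  }

  // Rule 1: CLIENT is read-only on all entities; every write is 403 Forbidden.
  if (isWrite && req.role === "CLIENT") {
    return { allowed: false, status: 403, reason: "CLIENT role is read-only" };
  }

  // Assumption: MANAGER may write through non-form entity routes; the page
  // only excludes MANAGER from form interfaces.
  return { allowed: true, status: 200, reason: "ok" };
}
```

Because `authorize` has no framework dependencies, the same function can back a Next.js middleware that hides or redirects form routes and a NestJS guard that returns the 403; keeping one implementation avoids the two layers drifting apart, which is the failure mode the "both frontend and backend" requirement guards against.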

Security Requirements

Frontend Security:

  • CSP Headers: Strict content security policy with Auth0 domains whitelisted
  • XSS Prevention: Next.js built-in XSS protection + Content Security Policy enforcement
  • Secure Storage: Auth0 tokens in HTTP-only cookies, no localStorage for sensitive data

Backend Security:

  • Input Validation: Class-validator decorators on all DTOs
  • Rate Limiting: 100 requests/minute per user, 1000/minute per IP
  • CORS Policy: Restricted to frontend domains only (configured via CORS_ORIGIN env var in production)
  • Swagger API Documentation: Disabled in production, only available in development environment
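Two of the backend items above are easy to state and easy to get subtly wrong: the dual rate limit (a per-user limit and a separate per-IP limit that must both hold) and a CORS policy that only accepts the origins listed in an environment variable. The block below is an added example, not the project's code; it assumes a fixed one-minute window, in-memory storage, and that `CORS_ORIGIN` holds a comma-separated list of exact origins.

```typescript
// Added example (not the project's code): per-user and per-IP fixed-window
// rate limiting with the limits from the page, plus an exact-match CORS
// origin check. Window style, storage and env-var format are assumptions.

export const USER_LIMIT_PER_MIN = 100;  // from the page: 100 requests/minute per user
export const IP_LIMIT_PER_MIN = 1000;   // from the page: 1000/minute per IP
const WINDOW_MS = 60_000;

interface Bucket { start: number; count: number; }

export interface LimitDecision { allowed: boolean; status: 200 | 429; }

export class RateLimiter {
  private buckets = new Map<string, Bucket>();

  // The clock is injectable so the limiter can be tested deterministically.
  constructor(private readonly now: () => number = Date.now) {}

  // Record one hit under `key`; true while the count for the current minute is within `limit`.
  private hit(key: string, limit: number): boolean {
    const t = this.now();
    const b = this.buckets.get(key);
    if (!b || t - b.start >= WINDOW_MS) {
      this.buckets.set(key, { start: t, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  }

  // Both limits must hold. The IP bucket is checked first so an unauthenticated
  // flood from one address is rejected before any per-user bookkeeping; an
  // anonymous request (userId null) is bounded only by the IP limit.
  check(ip: string, userId: string | null): LimitDecision {
    if (!this.hit(`ip:${ip}`, IP_LIMIT_PER_MIN)) {
      return { allowed: false, status: 429 };
    }
    if (userId !== null && !this.hit(`user:${userId}`, USER_LIMIT_PER_MIN)) {
      return { allowed: false, status: 429 };
    }
    return { allowed: true, status: 200 };
  }
}

// Parse a CORS_ORIGIN-style value (assumed comma-separated) into an allowlist.
export function parseCorsOrigins(envValue: string | undefined): Set<string> {
  if (!envValue) return new Set();
  return new Set(envValue.split(",").map((s) => s.trim()).filter((s) => s.length > 0));
}

// Exact-match only: no wildcard and no prefix/substring matching of the Origin
// header, so "https://app.example.com.evil.test" never matches "https://app.example.com".
export function corsAllowed(origin: string | undefined, allowlist: Set<string>): boolean {
  return origin !== undefined && allowlist.has(origin);
}
```

Keying the two buckets separately (`ip:` and `user:` prefixes) is what makes the per-IP ceiling meaningful: without it, one address rotating through many user identities would only ever hit the smaller per-user limit. The CORS helper deliberately returns false for a missing `Origin` header, leaving the decision about non-browser clients to the authentication layer rather than to CORS.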

Authentication Security:

  • Token Storage: JWT in HTTP-only, secure, SameSite cookies
  • Session Management: Auth0 session management with automatic token refresh

Performance Optimization

Frontend Performance:

  • Bundle Size Target: < 500KB initial load
  • Loading Strategy: Lazy loading for admin components
  • Caching Strategy: Next.js ISR + SWR for API data

Backend Performance:

  • Response Time Target: < 200ms for filtered queries, < 50ms RBAC overhead
  • Database Optimization: Composite indexes on (client_id, created_at)