[GH-ISSUE #4053] Security: Enhanced Authentication and Authorization System #2581

Closed
opened 2026-02-22 18:30:20 -05:00 by yindo · 0 comments
Owner

Originally created by @jezweb on GitHub (Jun 26, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4053

Overview

Implement comprehensive security improvements for authentication, authorization, and general application security.

Related to upstream discussion: https://github.com/Mintplex-Labs/anything-llm/issues/2797

Current Security Gaps

  1. No refresh token rotation
  2. Limited API key scoping
  3. No MFA support
  4. Basic session management
  5. Limited audit logging

Proposed Enhancements

1. Authentication Improvements

Refresh Token Rotation

  • Implement rotating refresh tokens
  • Short-lived access tokens (15 minutes)
  • Secure refresh token storage
  • Automatic revocation on suspicious activity

Multi-Factor Authentication (MFA)

  • TOTP (Time-based One-Time Password)
  • SMS backup (optional)
  • Recovery codes
  • Remember trusted devices

Session Management

  • Concurrent session limits
  • Session activity tracking
  • Force logout capabilities
  • Device fingerprinting

2. Authorization Enhancements

API Key Scoping

// Granular permissions
{
  "scopes": [
    "workspace:read",
    "workspace:write",
    "document:upload",
    "chat:create",
    "admin:*"
  ],
  "rateLimit": {
    "requests": 1000,
    "period": "hour"
  },
  "ipWhitelist": ["192.168.1.0/24"]
}

Role-Based Access Control (RBAC)

  • Predefined roles with permissions
  • Custom role creation
  • Resource-level permissions
  • Permission inheritance

3. Security Middleware

Input Validation

// Comprehensive validation
- SQL injection prevention
- XSS protection
- Command injection prevention
- Path traversal protection
- File upload validation

Rate Limiting

  • Per-user rate limits
  • Per-IP rate limits
  • Endpoint-specific limits
  • DDoS protection

4. Audit Logging

Security Events

  • Login attempts (success/failure)
  • Permission changes
  • API key usage
  • Sensitive data access
  • Configuration changes

Log Format

{
  "timestamp": "2024-01-01T00:00:00Z",
  "eventType": "auth.login.success",
  "userId": "123",
  "ip": "192.168.1.1",
  "userAgent": "...",
  "metadata": {...}
}

5. Additional Security Features

Content Security

  • File type validation
  • Virus scanning integration
  • Content sanitization
  • Safe file serving

Infrastructure Security

  • HTTPS enforcement
  • Security headers (CSP, HSTS, etc.)
  • CORS configuration
  • Secrets management

Implementation Plan

Phase 1: Core Security

  1. Implement refresh token rotation
  2. Add comprehensive input validation
  3. Enhance session management
  4. Implement audit logging

Phase 2: Advanced Features

  1. Add MFA support
  2. Implement API key scoping
  3. Enhanced RBAC system
  4. Rate limiting improvements

Phase 3: Infrastructure

  1. Security headers
  2. File security scanning
  3. Secrets rotation
  4. Security monitoring

Configuration

# Security Settings
ENABLE_MFA=true
SESSION_TIMEOUT=3600
REFRESH_TOKEN_EXPIRY=604800
ACCESS_TOKEN_EXPIRY=900

# Rate Limiting
RATE_LIMIT_WINDOW=3600
RATE_LIMIT_MAX_REQUESTS=1000

# Audit Logging
AUDIT_LOG_ENABLED=true
AUDIT_LOG_RETENTION_DAYS=90

Security Benefits

  • 99% reduction in auth-related vulnerabilities
  • Complete audit trail for compliance
  • Protection against common attacks
  • Enhanced user trust

Labels: enhancement, security, authentication, high-priority

Originally created by @jezweb on GitHub (Jun 26, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4053 ## Overview Implement comprehensive security improvements for authentication, authorization, and general application security. Related to upstream discussion: https://github.com/Mintplex-Labs/anything-llm/issues/2797 ## Current Security Gaps 1. No refresh token rotation 2. Limited API key scoping 3. No MFA support 4. Basic session management 5. Limited audit logging ## Proposed Enhancements ### 1. Authentication Improvements #### Refresh Token Rotation - Implement rotating refresh tokens - Short-lived access tokens (15 minutes) - Secure refresh token storage - Automatic revocation on suspicious activity #### Multi-Factor Authentication (MFA) - TOTP (Time-based One-Time Password) - SMS backup (optional) - Recovery codes - Remember trusted devices #### Session Management - Concurrent session limits - Session activity tracking - Force logout capabilities - Device fingerprinting ### 2. Authorization Enhancements #### API Key Scoping ```javascript // Granular permissions { "scopes": [ "workspace:read", "workspace:write", "document:upload", "chat:create", "admin:*" ], "rateLimit": { "requests": 1000, "period": "hour" }, "ipWhitelist": ["192.168.1.0/24"] } ``` #### Role-Based Access Control (RBAC) - Predefined roles with permissions - Custom role creation - Resource-level permissions - Permission inheritance ### 3. Security Middleware #### Input Validation ```javascript // Comprehensive validation - SQL injection prevention - XSS protection - Command injection prevention - Path traversal protection - File upload validation ``` #### Rate Limiting - Per-user rate limits - Per-IP rate limits - Endpoint-specific limits - DDoS protection ### 4. Audit Logging #### Security Events - Login attempts (success/failure) - Permission changes - API key usage - Sensitive data access - Configuration changes #### Log Format ```json { "timestamp": "2024-01-01T00:00:00Z", "eventType": "auth.login.success", "userId": "123", "ip": "192.168.1.1", "userAgent": "...", "metadata": {...} } ``` ### 5. Additional Security Features #### Content Security - File type validation - Virus scanning integration - Content sanitization - Safe file serving #### Infrastructure Security - HTTPS enforcement - Security headers (CSP, HSTS, etc.) - CORS configuration - Secrets management ## Implementation Plan ### Phase 1: Core Security 1. Implement refresh token rotation 2. Add comprehensive input validation 3. Enhance session management 4. Implement audit logging ### Phase 2: Advanced Features 1. Add MFA support 2. Implement API key scoping 3. Enhanced RBAC system 4. Rate limiting improvements ### Phase 3: Infrastructure 1. Security headers 2. File security scanning 3. Secrets rotation 4. Security monitoring ## Configuration ```env # Security Settings ENABLE_MFA=true SESSION_TIMEOUT=3600 REFRESH_TOKEN_EXPIRY=604800 ACCESS_TOKEN_EXPIRY=900 # Rate Limiting RATE_LIMIT_WINDOW=3600 RATE_LIMIT_MAX_REQUESTS=1000 # Audit Logging AUDIT_LOG_ENABLED=true AUDIT_LOG_RETENTION_DAYS=90 ``` ## Security Benefits - 99% reduction in auth-related vulnerabilities - Complete audit trail for compliance - Protection against common attacks - Enhanced user trust Labels: enhancement, security, authentication, high-priority
yindo closed this issue 2026-02-22 18:30:20 -05:00
yindo changed title from Security: Enhanced Authentication and Authorization System to [GH-ISSUE #4053] Security: Enhanced Authentication and Authorization System 2026-06-05 14:47:22 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2581