Security Features
Comprehensive security implementation and protected routes documentation
Security-First Design
This application implements industry-standard security practices including OAuth 2.0, route protection, session management, and secure credential storage.
Protected Routes
Authentication-required pages and access control
Protected Pages
- /Home (Person Search & CRUD)
Public Pages
- /auth/signin
- /about
- /auth-setup
- /security
- /database
- /github
Access Control Logic
Unauthenticated users:
- Redirected to /auth/signin when accessing protected routes
- Can view documentation pages (about, auth-setup, security, database, github)
- Cannot access Person CRUD functionality or MCP pages
Authenticated users:
- Full access to Person Search and CRUD operations
- Session persists across page refreshes
- Can sign out from any page via user menu
OAuth 2.0 Security
Google OAuth implementation security measures
✓ State Parameter Protection
Prevents CSRF attacks during OAuth flow
✓ Secure Token Storage
Access tokens encrypted in database, never exposed to client
✓ HTTPS Enforcement
Production deployment requires secure connections
✓ Session Expiration
Automatic logout after inactivity period
✓ Scope Limitation
Only requests necessary user permissions (profile, email)
Middleware Protection
Server-side route authentication
middleware.ts intercepts all requests before they reach page components.
Protection Logic:
- Check if user has valid session token
- If accessing protected route without auth → redirect to sign-in
- If authenticated → allow request to proceed
- Public routes bypass authentication check
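The protection logic above, modelled as an added TypeScript example; it is not the application's middleware.ts. The public route list is taken from this page, while the function names, the in-memory session store and the sample tokens are assumptions made for illustration. Matching is exact, so any path the allowlist does not recognise is treated as protected.

```typescript
// Added example: a model of the decision described for middleware.ts.
// Names, session store and tokens are hypothetical; only the routes come from the page.
type Decision = { action: "allow" } | { action: "redirect"; location: string };
type SessionRow = { userId: string; expires: number }; // expires: epoch milliseconds

const SIGN_IN = "/auth/signin";
const PUBLIC_ROUTES = new Set([SIGN_IN, "/about", "/auth-setup", "/security", "/database", "/github"]);

// Constructed sample data standing in for the database-backed session table.
const SAMPLE_SESSIONS = new Map<string, SessionRow>([
  ["tok-live", { userId: "u1", expires: 2000 }],
  ["tok-expired", { userId: "u2", expires: 500 }],
]);

function normalize(pathname: string): string {
  // Only a trailing slash is stripped, so "/about/" is treated as "/about".
  const p = pathname.replace(/\/+$/, "");
  return p === "" ? "/" : p;
}

function isPublic(pathname: string): boolean {
  // Exact match on the allowlist: "/about-internal" or "/about/x" is NOT public.
  // A startsWith("/about") check would wrongly let both through.
  return PUBLIC_ROUTES.has(normalize(pathname));
}

function hasValidSession(token: string | undefined, store: Map<string, SessionRow>, now: number): boolean {
  if (!token) return false;
  const row = store.get(token);
  // Unknown and expired tokens get the same answer: no session.
  return row !== undefined && row.expires > now;
}

function decide(pathname: string, token: string | undefined,
                store: Map<string, SessionRow>, now: number): Decision {
  // Public routes bypass the authentication check.
  if (isPublic(pathname)) return { action: "allow" };
  // Default deny: every route not explicitly public needs a valid session.
  if (hasValidSession(token, store, now)) return { action: "allow" };
  return { action: "redirect", location: SIGN_IN };
}
```

In a real middleware the token would be read from the HTTP-only session cookie and validated server-side before this decision is made.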
Data Security
Database and credential protection
✓ Environment Variables
All secrets stored in .env file, excluded from version control via .gitignore
✓ Credential Rotation
Database passwords rotated after any potential exposure
✓ Encrypted Connections
PostgreSQL connections use SSL/TLS (sslmode=require)
✓ Prisma ORM
Parameterized queries prevent SQL injection attacks
✓ Session Management
Database-backed sessions with automatic cleanup of expired sessions
Best Practices Implemented
- No sensitive data in client-side JavaScript
- Server-side session validation on every request
- Secure HTTP-only cookies for session tokens
- CSRF protection built into Auth.js
- Automatic security headers via Next.js
- Environment-specific configuration (dev/prod separation)