Security is the highest-priority quality attribute in the SSA Health Platform. Before any business logic executes, every endpoint validates three things in strict order: that the requester is who they claim to be (authentication), that they are allowed to perform the requested action (authorization), and that the data they have submitted is well-formed and safe (DTO validation and sanitization). This layered defense ensures that no unsafe input ever reaches service or domain code, and that no unauthorized actor can invoke a protected operation.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/LMendoza70/SSA/llms.txt
Use this file to discover all available pages before exploring further.
Token Strategy
The platform uses a dual-token strategy to balance security with usability. Short-lived access tokens limit the blast radius of a compromised credential, while longer-lived refresh tokens allow sessions to persist without forcing users to re-enter their passwords repeatedly.Access Token
A signed JWT with a 15-minute expiry. Contains the user’s ID and assigned roles. Signed with
JWT_SECRET. Sent in the Authorization: Bearer header on every request.Refresh Token
A longer-lived JWT with a 7-day expiry. Used exclusively to obtain a new access token when the current one expires. Never exposed to JavaScript — stored only in an HttpOnly cookie.
HttpOnly Cookie
The refresh token is delivered and stored as an HttpOnly cookie, making it invisible to browser JavaScript. This is the primary defense against XSS-based token theft.
Access tokens travel in request headers; refresh tokens travel only in HttpOnly cookies. These two channels should never be mixed.
Password Security
User passwords are hashed using Argon2, a memory-hard algorithm and winner of the Password Hashing Competition. Argon2 is designed to be computationally expensive for attackers even with specialized hardware, making brute-force and rainbow-table attacks impractical.Receive password
The raw password arrives over HTTPS in the request body. It is never written to any log or persisted in plaintext.
Hash with Argon2
NestJS calls Argon2 to produce a salted, memory-hard hash. The salt is embedded in the hash output automatically.
Store hash only
Only the Argon2 hash is persisted in the
users table. The original password is discarded immediately after hashing.Auth Endpoints
The Authentication Module exposes three public endpoints. All other endpoints in the platform require a valid access token.Login
Authenticates a user with their email and password. On success, returns a signed access token in the response body and sets the refresh token as an HttpOnly cookie.200 OK:
HttpOnly cookie named refresh_token. The client does not need to handle it explicitly.
Refresh
Accepts the refresh token cookie and issues a new access token. No request body is required — the browser sends the cookie automatically.200 OK:
Logout
Clears the refresh token cookie server-side, invalidating the session. The client should also discard the access token from memory.200 OK:
Authorization
Authentication confirms identity; authorization confirms permission. Every request passes through this pipeline before reaching business logic:Authentication Guard
Validates the JWT signature and expiry. Attaches the decoded user payload to the request context. Rejects with
401 if the token is missing, expired, or tampered.Authorization Guard
Checks the user’s roles against the roles required by the route decorator. Rejects with
403 if the user lacks the required role.DTO Validation Pipe
class-validator decorators on the DTO class validate shape, type, length, and format constraints. Rejects with 400 if validation fails.| Role | Permissions |
|---|---|
admin | Full access — create, read, update, delete, configure |
editor | Create and update content; cannot delete or configure the system |
viewer | Read-only access to published content |
Authorization logic lives exclusively in NestJS Guards and route decorators. Controllers must never contain
if (user.role === ...) checks. This keeps the authorization model consistent and auditable.Security Rules
The following rules are non-negotiable and apply to every module in the platform:- All endpoints require authentication unless explicitly decorated as public with
@Public() - DTOs are validated with
class-validatoron every mutating request - No secrets in source code — all sensitive values must come from environment variables
- Tokens are never logged — neither access tokens nor refresh tokens appear in any log output
- Soft delete for audit preservation — records are never physically removed;
deletedAtis set instead, maintaining a full audit trail for compliance purposes - No
anyin TypeScript — strict typing is enforced across the entire codebase (strict: true) - No business logic in controllers — controllers route requests; services own the logic
Environment Variables
The following environment variables must be configured before starting the backend. All values should be stored in.env (never committed to version control).
Architecture Overview
How authentication fits into the broader modular monolith and Clean Architecture layers.
API Conventions
Request and response formats, HTTP status codes, and error handling across the platform.
Deployment
How environment variables, secrets, and token configuration are managed in production.