ContabilidadISV uses a multi-layer security model that combines JWT-based authentication, HTTP header validation, IP behavior analysis, and automatic temporary blocking to protect the accounting data from unauthorized access and automated attacks — without requiring a fixed IP or dedicated hardware firewall. The full architecture is described in `INICIO_RAPIDO_SEGURIDAD.md` at the project root.
JWT Authentication
Every protected API route requires a valid JSON Web Token signed with `JWT_SECRET`.
- Tokens are issued on login by `POST /api/auth/login` and returned in the response body.
- The frontend stores the token in `localStorage` under the key `token` (managed by `tokenUtils` in `frontend/src/services/api.ts`).
- All subsequent API calls attach the token via the `Authorization: Bearer <token>` header, added automatically by an Axios request interceptor.
- The `authenticateToken` middleware in `backend/src/middleware/auth.js` verifies the token signature, decodes the payload, and confirms the user still exists in the database before attaching `req.user` for downstream handlers.
- If the token is expired or invalid the API responds with HTTP 403. If it is missing entirely the API responds with HTTP 401.
- When the frontend receives a 401 response the Axios response interceptor clears `localStorage` and redirects to `/login` automatically.
The `JWT_SECRET` environment variable must be set before starting the backend. Use a cryptographically random string of at least 64 characters. See Environment Variables for generation instructions.

Rate Limiting
The `behaviorAnalysis` middleware in `backend/src/middleware/security.js` tracks the request rate for every source IP. When a single IP exceeds 10 requests per second the middleware increments that IP's suspicion score by 3 points.
IP Behavior Analysis
The security middleware builds a behavioral profile for each source IP and accumulates a suspicion score from several independent signals:

| Signal | Threshold | Score Added |
|---|---|---|
| Multiple User-Agents from the same IP (bots / malware) | > 5 distinct User-Agents | +2 per check |
| High request rate | > 10 req/s | +3 per check |
| Failed login attempts | ≥ 5 failures | +5 per check |
When an IP's suspicion score reaches the blocking threshold it is added to the `blockedIPs` set and receives an HTTP 403 response on every subsequent request.
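The scoring described in the table above, written out as a stand-alone example that is not the project's `security.js`: each request (or failed login) re-checks all three signals with the page's thresholds and weights, and the stats function returns the same fields as the Security Stats Endpoint section below. The 1 s rate window (`WINDOW_MS`) and the score at which an IP is blocked (`BLOCK_SCORE`) are assumptions, since the page does not state them.

```javascript
const WINDOW_MS = 1000;                                                 // assumed 1 s rate window
const THRESHOLDS = { userAgents: 5, reqPerSec: 10, failedLogins: 5 };   // from the signals table
const SCORES = { userAgents: 2, reqPerSec: 3, failedLogins: 5 };        // from the signals table
const BLOCK_SCORE = 10;                                                 // assumed blocking threshold

const profiles = new Map();   // ip -> { requests, failedLogins, userAgents, score, recent }
const blockedIPs = new Set(); // IPs answered with 403 on every request

function profileFor(ip) {
  if (!profiles.has(ip)) {
    profiles.set(ip, { requests: 0, failedLogins: 0, userAgents: new Set(), score: 0, recent: [] });
  }
  return profiles.get(ip);
}

// Re-check every signal ("per check") and move the IP into blockedIPs once it reaches BLOCK_SCORE.
function evaluate(ip, p) {
  if (p.userAgents.size > THRESHOLDS.userAgents) p.score += SCORES.userAgents;
  if (p.recent.length > THRESHOLDS.reqPerSec) p.score += SCORES.reqPerSec;
  if (p.failedLogins >= THRESHOLDS.failedLogins) p.score += SCORES.failedLogins;
  if (p.score >= BLOCK_SCORE) blockedIPs.add(ip);
  return { blocked: blockedIPs.has(ip), score: p.score };
}

// Call once per incoming request; `now` is injectable so the rate logic is deterministic in tests.
function recordRequest(ip, userAgent, now = Date.now()) {
  const p = profileFor(ip);
  p.requests += 1;
  if (userAgent) p.userAgents.add(userAgent);
  p.recent = p.recent.filter((t) => now - t < WINDOW_MS); // keep only timestamps inside the window
  p.recent.push(now);
  return evaluate(ip, p);
}

// Call from the login handler when credentials are rejected.
function recordFailedLogin(ip) {
  const p = profileFor(ip);
  p.failedLogins += 1;
  return evaluate(ip, p);
}

// Same shape as the admin stats response: totalTrackedIPs, blockedIPs, suspiciousActivity.
function getSecurityStats() {
  const suspiciousActivity = [...profiles.entries()]
    .filter(([, p]) => p.score > 0)
    .sort((a, b) => b[1].score - a[1].score)
    .map(([ip, p]) => ({ ip, score: p.score, requests: p.requests,
      failedLogins: p.failedLogins, userAgents: [...p.userAgents] }));
  return { totalTrackedIPs: profiles.size, blockedIPs: [...blockedIPs], suspiciousActivity };
}
```

Because the rate signal is re-scored on every request over the threshold, a sustained burst accumulates +3 per request until the block point, which is why a low `BLOCK_SCORE` blocks a scanner within a handful of requests.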
The `validateSecurityHeaders` middleware rejects any request that arrives without a User-Agent header, and blocks a hardcoded list of scanner signatures including masscan, nmap, sqlmap, nikto, dirbuster, metasploit, curl, wget, and python-requests.
Tuning Sensitivity
If the defaults are too aggressive (blocking legitimate users) or too permissive (not catching real attackers), adjust the four thresholds in `backend/src/middleware/security.js`.
Security Stats Endpoint
Administrators can query the real-time security state via the admin API:

- `totalTrackedIPs` — number of IPs currently being monitored
- `blockedIPs` — array of currently blocked IP addresses
- `suspiciousActivity` — array of IPs with a suspicion score above zero, sorted by score descending, each entry including `ip`, `score`, `requests`, `failedLogins`, and `userAgents`
backend directory:
Roles and Permissions
ContabilidadISV has two built-in roles enforced by the `requireRole` middleware (`backend/src/middleware/auth.js`):
| Role | Allowed Operations |
|---|---|
| admin | All user permissions, plus: manage users (`/api/users`), view audit logs (`/api/logs`), access admin stats (`/api/admin`), delete consolidations, permanently delete clients |
| user | Create and view consolidations (`/api/consolidaciones`), manage clients (`/api/clientes`), upload files (`/api/files`), view reports (`/api/reports`), view own profile (`/api/auth/profile`) |
Role-restricted routes apply `authenticateToken` followed by `requireRole`. Attempting an admin-only operation with a `user` token is rejected with `Permisos insuficientes`. Attempting to access any protected route without a valid token returns HTTP 401 (`Token de acceso requerido`).
The initial admin account is created by the database initialization script (`npm run init-db`). Refer to Audit Logs to see how every role-based action is automatically recorded in the `system_logs` table.