Skip to content

Software Requirement Specification (SRS) - Authentication & Authorization System

FieldDetail
Company Nameruizdev7
Document TitleAuthentication & Authorization System - SRS
Document NumberSRS-001
Version1.0
Specification Date17-November-24
StatusImplemented
RoleNameDate
Project ManagerJoseph Ruiz17-November-24
Tech LeadJoseph Ruiz17-November-24
VersionDateChanges MadeAuthor
1.017-November-24Initial SRS DocumentationJoseph Ruiz

This document specifies the requirements for the implementation of a comprehensive Authentication and Authorization System in the ruizdev7 Portfolio application.
The objective is to provide a secure, scalable, and maintainable access control mechanism that supports JWT-based authentication, role-based access control (RBAC), and granular permission management for all application resources.

The Authentication & Authorization System includes the following components:

  • JWT Authentication: Secure token-based authentication with access and refresh tokens.
  • Role-Based Access Control (RBAC): Hierarchical role system with predefined roles (admin, moderator, user, guest).
  • Permission Management: Granular permissions for resources (posts, users, pumps, categories, comments, roles).
  • Authorization Decorators: Reusable decorators for endpoint protection.
  • Token Management: Token refresh, revocation, and blocklist functionality.

The implementation ensures compliance with security best practices, including:

  • OWASP Top 10 security standards
  • Secure password hashing (bcrypt)
  • Protection against common attacks (XSS, CSRF, SQL Injection)
  • JWT (JSON Web Token): A compact, URL-safe token format for transmitting claims between parties.
  • RBAC (Role-Based Access Control): An access control model where permissions are assigned to roles, and roles are assigned to users.
  • Access Token: Short-lived token used for authenticating API requests.
  • Refresh Token: Long-lived token used for obtaining new access tokens.
  • Permission: Granular authorization unit defined as {resource}_{action} (e.g., posts_create, users_read).
  • Decorator: Python function wrapper used to enforce authorization requirements on endpoints.

Priority: Critical
Description:

FieldDetail
Use Case NameUser Login with JWT Authentication
Subject AreaAuthentication & Security
Business EventThis use case applies when a user attempts to log into the system.
ActorsGeneral user, ruizdev7 Platform.
Use Case OverviewThis use case covers the login process, token generation, and user session initialization.
PreconditionsUser must have a registered account with valid credentials.
Termination OutcomeUser receives access token, refresh token, and associated roles/permissions.
Condition Affecting OutcomeInvalid credentials, account locked, or system downtime.
Use Case DescriptionThe system validates credentials, generates JWT tokens, retrieves user roles and permissions, and returns them in the response.
Use Case AssociationsUC-009: Token Refresh, UC-010: User Logout.
Traceability ToSRS-001, OWASP Top 10.
Input SummaryEmail and password.
Output SummaryAccess token, refresh token, user info, roles, and permissions.
Usability IndexCritical, as this is the entry point to the system.
Use Case NotesPasswords are hashed using bcrypt. Failed login attempts should be logged.
CriterionDescription / Acceptance Condition
JWT Token GenerationAccess and refresh tokens are generated upon successful login.
Token ValidationSystem validates tokens on each protected endpoint request.
Token RefreshUsers can obtain new access tokens using valid refresh tokens.
Token RevocationLogout adds tokens to blocklist, preventing further use.
Role AssignmentUsers can be assigned multiple roles.
Permission VerificationSystem correctly enforces permission requirements on endpoints.
Default RolesFour predefined roles (admin, moderator, user, guest) exist with appropriate permissions.
Decorator ProtectionProtected endpoints return 403 for unauthorized users.
SecurityPasswords are hashed using bcrypt. Tokens use secure secret keys.
CategoryRequirement
PerformanceToken validation completed in under 50ms per request.
SecurityOWASP Top 10 compliance; bcrypt password hashing; JWT secret key rotation.
Availability99.95% uptime for authentication services.
ScalabilitySupport for 10,000+ concurrent authenticated users.
MaintainabilityModular decorator-based authorization for easy extension.
AuditabilityAll authentication events (login, logout, failed attempts) are logged.

Tables:

  • tbl_users: User accounts with hashed passwords
  • tbl_roles: Role definitions (admin, moderator, user, guest)
  • tbl_permissions: Permission definitions (24 total)
  • tbl_role_permissions: Many-to-many relationship between roles and permissions
  • tbl_user_roles: Many-to-many relationship between users and roles
  • tbl_token_block_list: Revoked tokens

Resources:

  • posts
  • users
  • pumps
  • categories
  • comments
  • roles

Actions:

  • create
  • read
  • update
  • delete

Format: {resource}_{action} (e.g., posts_create, users_delete)

RolePermissions CountDescription
admin24Full access to all resources
moderator11Create/read/update access to most resources
user7Basic CRUD on owned resources
guest3Read-only access
  1. @require_permission(resource, action): Requires specific permission
  2. @require_role(role_name): Requires specific role
  3. @require_ownership_or_permission(resource, action): Allows resource owner or users with permission
  4. @require_any_permission(permissions): Requires at least one of the listed permissions
  5. @require_all_permissions(permissions): Requires all listed permissions

Authentication:

  • POST /api/v1/token - Login
  • GET /api/v1/refresh-token - Refresh access token
  • DELETE /api/v1/logout - Logout
  • GET /api/v1/whoami - Get current user info
  • GET /api/v1/my-permissions - Get user permissions

Role Management:

  • GET /api/v1/roles - List roles
  • POST /api/v1/roles - Create role
  • PUT /api/v1/roles/{id} - Update role
  • DELETE /api/v1/roles/{id} - Delete role
  • GET /api/v1/permissions - List permissions
  • POST /api/v1/initialize-roles - Initialize default roles

User Role Assignment:

  • POST /api/v1/users/{id}/roles - Assign role to user
  • DELETE /api/v1/users/{id}/roles/{role_name} - Remove role from user
FieldDetail
Stakeholdersruizdev7 Team, Security Auditors
Attachments[ROLES_AND_PERMISSIONS.md], [API_DOCUMENTATION.md]
Tech StackFlask, Flask-JWT-Extended, SQLAlchemy, bcrypt
Name/TitleSignatureDate
Client Representativeruizdev717-November-24
Company Representativeruizdev717-November-24