Security Architecture
Null Pass implements multiple layers of security to protect user data and system integrity.
Authentication Security
Password Hashing
Algorithm: bcrypt with 10 rounds
- Passwords are never stored in plain text
- Each password has a unique salt
- Hashes are compared in constant time to prevent timing attacks
- Minimum 8 characters required
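The pattern the list above describes, as an added example (not Null Pass's own code). bcrypt is not a Node built-in, so this example uses Node's `scryptSync` as a stand-in hash; `bcrypt.hash` and `bcrypt.compare` perform the same steps internally (random per-password salt stored alongside the hash, recomputation under the stored salt, constant-time comparison). The encoded `scrypt$salt$hash` format and the `changePassword` helper are assumptions made for the example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

const MIN_PASSWORD_LENGTH = 8; // matches the page's minimum
const SALT_BYTES = 16;
const HASH_BYTES = 64;

// Stored form: "scrypt$<salt base64>$<hash base64>". The salt travels with the hash,
// so every password gets its own salt and the plaintext is never written anywhere.
export function hashPassword(password: string): string {
  if (password.length < MIN_PASSWORD_LENGTH) {
    throw new Error(`password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  const salt = randomBytes(SALT_BYTES);
  const hash = scryptSync(password, salt, HASH_BYTES);
  return `scrypt$${salt.toString("base64")}$${hash.toString("base64")}`;
}

// Recompute the hash under the stored salt and compare in constant time, so a wrong
// guess takes the same time to reject whether it differs in the first byte or the last.
export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 3 || parts[0] !== "scrypt") return false;
  const salt = Buffer.from(parts[1], "base64");
  const expected = Buffer.from(parts[2], "base64");
  if (salt.length !== SALT_BYTES || expected.length !== HASH_BYTES) return false;
  const actual = scryptSync(password, salt, HASH_BYTES);
  return timingSafeEqual(actual, expected);
}

// "Current password required for changes": re-verify before accepting a new hash.
// Returns the new stored value, or null when the current password does not verify.
export function changePassword(stored: string, current: string, next: string): string | null {
  if (!verifyPassword(current, stored)) return null;
  return hashPassword(next);
}
```

Because the salt is random, hashing the same password twice yields two different stored strings; only `verifyPassword` can tell that both belong to the same password.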
JWT Tokens
Token Structure:
- Contains userId and email
- Signed with JWT_SECRET
- Expires after 7 days (configurable)
- Stored in database with encrypted IP
- Tokens validated on every request
- Expired tokens rejected
- No token refresh mechanism (re-login required)
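An added example (not the project's code) of the token lifecycle described above: a token carrying `userId` and `email`, signed with `JWT_SECRET`, valid for seven days, and rejected once expired. The page does not say which signing algorithm or JWT library is used; HS256 (HMAC-SHA256) with a shared secret is assumed, and the signing and verification are written out with Node's `crypto` so the checks are visible. `issueToken`, `verifyToken` and the `TokenClaims` shape are names chosen for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Claims a Null Pass style token carries, plus issued-at and expiry (seconds since epoch).
export interface TokenClaims {
  userId: string;
  email: string;
  iat: number;
  exp: number;
}

export const SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60; // the page's default lifetime

export function b64url(input: Buffer | string): string {
  return Buffer.from(input).toString("base64url");
}

function hmac(secret: string, data: string): string {
  return b64url(createHmac("sha256", secret).update(data).digest());
}

// Issue: base64url(header) . base64url(payload) . base64url(HMAC-SHA256(secret, header.payload))
export function issueToken(
  secret: string,
  userId: string,
  email: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
  ttlSeconds: number = SEVEN_DAYS_SECONDS,
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ userId, email, iat: nowSeconds, exp: nowSeconds + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${hmac(secret, signingInput)}`;
}

// Verify on every request: malformed, wrong-algorithm, badly signed or expired tokens all yield null.
export function verifyToken(
  secret: string,
  token: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): TokenClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;

  // Pin the algorithm: the server decides how tokens are signed, never the token's own header.
  let alg: unknown;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    return null;
  }
  if (alg !== "HS256") return null;

  // Constant-time signature comparison.
  const expected = Buffer.from(hmac(secret, `${header}.${payload}`));
  const actual = Buffer.from(signature);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;

  let claims: TokenClaims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.userId !== "string" || typeof claims.email !== "string") return null;
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null; // expired: re-login required
  return claims;
}
```

Since there is no refresh mechanism, an expired token simply fails `verifyToken` and the client has to authenticate again; nothing in the token itself can extend its life.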
Two-Factor Authentication
Implementation: TOTP (Time-based One-Time Password)
- 6-digit codes, 30-second period
- Window of 2 (allows clock drift)
- Secret stored in database
- QR code generation for easy setup
Data Protection
IP Address Encryption
IP addresses are encrypted before storage:
- User-specific encryption key
- Decrypted only for display to same user
- Prevents IP tracking across users
- Encryption key derived from user ID
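An added example (not the contents of `lib/ip-utils.ts`) showing one way to get the properties listed above: a per-user key derived from the user ID, ciphertext that only that user's key can open, and therefore no way to match IP addresses across users by comparing stored values. The page does not say how the key is derived or which cipher is used; here the user key is HKDF-SHA256 of a server master key with the user ID as context, and the IP is encrypted with AES-256-GCM so tampering is also detected. The master key below is a constructed constant for the example; a real deployment would load it from the environment.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";

// CONSTRUCTED for this example. In practice this comes from a secret in the environment.
const MASTER_KEY = Buffer.alloc(32, 7);

const IV_BYTES = 12; // GCM standard nonce size
const TAG_BYTES = 16;

// Per-user key: HKDF binds the derived key to the user ID, so no two users share a key
// and nothing user-specific has to be stored next to the ciphertext.
export function userKey(userId: string, masterKey: Buffer = MASTER_KEY): Buffer {
  return Buffer.from(hkdfSync("sha256", masterKey, "null-pass-ip-salt", `ip-key:${userId}`, 32));
}

// Encrypt an IP address for storage. Output layout: iv || authTag || ciphertext, base64.
export function encryptIp(ip: string, userId: string): string {
  const iv = randomBytes(IV_BYTES); // fresh per record, so equal IPs produce different blobs
  const cipher = createCipheriv("aes-256-gcm", userKey(userId), iv);
  const ciphertext = Buffer.concat([cipher.update(ip, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Decrypt for display to the same user. Returns null when the blob was produced under
// another user's key, was truncated, or was modified: GCM's tag check fails in all three cases.
export function decryptIp(blob: string, userId: string): string | null {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < IV_BYTES + TAG_BYTES) return null;
  const iv = buf.subarray(0, IV_BYTES);
  const tag = buf.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ciphertext = buf.subarray(IV_BYTES + TAG_BYTES);
  try {
    const decipher = createDecipheriv("aes-256-gcm", userKey(userId), iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}
```

One consequence worth noting for the session list: because each record has a random IV, two sessions from the same address do not have equal stored values, so any "same IP" comparison has to be done on the decrypted value for that user, never on the ciphertext.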
Implementation: lib/ip-utils.ts
Password Storage
- Never logged or exposed
- Hashed with bcrypt before storage
- No password history kept
- Current password required for changes
Sensitive Data
Protected data:
- Passwords (hashed)
- 2FA secrets (stored, encrypted at rest if DB encryption enabled)
- IP addresses (encrypted)
- JWT tokens (not logged)
Request Protection
Arcjet Integration
Multi-layer protection:
- Rate limiting (token bucket)
- Bot detection
- Shield protection
- Email validation
- Sensitive info detection
CORS
Cross-Origin Resource Sharing:
- Validates origin headers
- Returns appropriate CORS headers
- Prevents unauthorized cross-origin requests
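An added example (not the project's CORS code) of origin validation that returns headers only for an exact match against an allow list. The allow list entries are constructed for the example; the point it makes is that the check has to be on the whole origin (scheme, host and port), not a suffix or pattern match on the host name, and that `Vary: Origin` is needed whenever the allowed origin is echoed back per request.

```typescript
// Constructed allow list; a real deployment would load it from configuration.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Exact-match origin validation. Parsing first rejects "null", relative values and garbage;
// set membership then compares the whole origin. A check such as hostname.endsWith("example.com")
// would also accept unrelated hosts whose names merely end in example.com, and an http:// origin
// for an https:// entry would downgrade the trust boundary, so neither is used.
export function isAllowedOrigin(originHeader: string): boolean {
  try {
    new URL(originHeader);
  } catch {
    return false;
  }
  return ALLOWED_ORIGINS.has(originHeader);
}

// CORS response headers for a request. An empty object means no Access-Control-* headers at all,
// which makes the browser block a cross-origin read of the response.
export function corsHeaders(originHeader: string | undefined, requestMethod: string): Record<string, string> {
  if (originHeader === undefined || !isAllowedOrigin(originHeader)) {
    return {};
  }
  const headers: Record<string, string> = {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    // The allowed origin varies per request, so shared caches must key responses on Origin.
    "Vary": "Origin",
  };
  if (requestMethod === "OPTIONS") {
    // Preflight: state what the actual request may use.
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}
```

Requests without an `Origin` header (same-origin navigations, server-to-server calls) receive no CORS headers, which is the correct default: CORS only governs what browsers may read cross-origin, and the authentication checks described elsewhere on this page still apply to every request.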
Input Validation
All inputs validated with Zod:
- Type checking
- Format validation
- Length limits
- Required field checks
Session Security
Session Management
- Sessions expire after 7 days
- IP address tracked (encrypted)
- Users can view and revoke sessions
- Session reuse for same IP
- Automatic expiration cleanup
Session Storage
- Stored in database (PostgreSQL)
- Token stored with session
- IP address encrypted
- Expiration tracked
- Cascade delete on user deletion
Audit Logging
All critical actions are logged:
- User registration
- Login/logout
- Password changes
- 2FA enable/disable
- Profile updates
- Session creation/deletion
- Service access changes
Each audit entry records:
- Action type (AuditAction enum)
- User ID
- Timestamp
- Additional data (JSON)
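An added example (not the project's audit code) of building entries with the four fields listed above, together with the property the Sensitive Data section requires of the log: passwords, tokens and 2FA secrets never appear in it. The member names of `AuditAction` are assumptions (the page only says such an enum exists), as are the redaction key list and the in-memory `AuditLog` standing in for the database table.

```typescript
// Action types; names assumed for the example, one per logged action the page lists.
export const AuditAction = {
  USER_REGISTERED: "USER_REGISTERED",
  LOGIN: "LOGIN",
  LOGOUT: "LOGOUT",
  PASSWORD_CHANGED: "PASSWORD_CHANGED",
  TWO_FA_ENABLED: "TWO_FA_ENABLED",
  TWO_FA_DISABLED: "TWO_FA_DISABLED",
  PROFILE_UPDATED: "PROFILE_UPDATED",
  SESSION_CREATED: "SESSION_CREATED",
  SESSION_DELETED: "SESSION_DELETED",
  SERVICE_ACCESS_CHANGED: "SERVICE_ACCESS_CHANGED",
} as const;
export type AuditAction = (typeof AuditAction)[keyof typeof AuditAction];

export interface AuditEntry {
  action: AuditAction;
  userId: string;
  timestamp: string; // ISO 8601
  data: Record<string, unknown>; // the "additional data (JSON)" field
}

// Keys whose values must never reach the log, matched case-insensitively at any depth.
const SENSITIVE_KEYS: ReadonlySet<string> = new Set([
  "password", "currentpassword", "newpassword", "token", "secret", "totpsecret", "authorization",
]);

// Deep copy of the data with sensitive values replaced; the original object is not modified.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, inner] of Object.entries(value as Record<string, unknown>)) {
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? "[REDACTED]" : redact(inner);
    }
    return out;
  }
  return value;
}

export function createAuditEntry(
  action: AuditAction,
  userId: string,
  data: Record<string, unknown> = {},
  now: Date = new Date(),
): AuditEntry {
  return { action, userId, timestamp: now.toISOString(), data: redact(data) as Record<string, unknown> };
}

// Append-only store standing in for the audit table.
export class AuditLog {
  readonly entries: AuditEntry[] = [];

  record(action: AuditAction, userId: string, data?: Record<string, unknown>): AuditEntry {
    const entry = createAuditEntry(action, userId, data);
    this.entries.push(entry);
    return entry;
  }

  forUser(userId: string): AuditEntry[] {
    return this.entries.filter((e) => e.userId === userId);
  }

  // One JSON object per line, the form a log shipper would consume.
  serialize(): string {
    return this.entries.map((e) => JSON.stringify(e)).join("\n");
  }
}
```

Redacting at the point of entry creation, rather than relying on callers to omit secrets, is what makes "never logged" a property of the log rather than a convention; the serialized output can be grepped for a known test value to confirm it.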
Account Security
Account Ban
Users can be banned:
- banned flag in database
- Prevents all authentication
- Logged in audit trail
Account Disable
Users can be disabled:
- disabled flag in database
- Prevents authentication
- Separate from ban (different use case)
Environment Security
- JWT_SECRET: must be a strong, random secret. Never commit it to version control.
- Database connection: use a connection string with SSL in production.
- Arcjet API key: keep it secure.
Best Practices
Security Checklist
Use this checklist to verify all security measures are properly configured before deploying to production:
- Strong JWT_SECRET configured
- Database uses SSL connection
- HTTPS enforced in production
- CORS properly configured
- Rate limiting active
- Audit logging enabled
- Regular security updates
- Secrets not in version control
- Database backups encrypted
- Error messages don’t leak sensitive info