Security
Status: Accepted. Owner: @bilal @deen. Last Updated: 2026-02-15.
Trust Boundaries
| Boundary | Actor | Auth Method |
|---|---|---|
| Public | Tenant | No auth (identified by phone/email) |
| Public | Vendor | One-time token link |
| Authenticated | Dashboard user | JWT (Supabase Auth) |
| Service | n8n, Next.js API | Service role key |
Authentication
Users (Supabase Auth)
- Email + password (primary)
- Magic link (password-free)
- JWT in httpOnly cookies
- Organisation picker on login
Tenants
- No authentication — identified by phone/email
- Matched to the `tenants` table via intake processing
- Chat app uses OTP login
Vendors
- One-time secure token links
- No accounts, no apps
Authorisation (RLS)
All data access controlled by Row Level Security.
| Resource | Owner | Admin | Staff | Envo Support |
|---|---|---|---|---|
| View org | Y | Y | Y | Y |
| Update org | Y | - | - | - |
| Manage properties | Y | Y | - | - |
| Manage issues | Y | Y | Y | Y |
| Manage vendors | Y | Y | - | - |
| Manage team | Y | - | - | - |
| View audit | Y | Y | - | - |
Envo Support Access
- Temporary grants with auto-expiry (default 4 hours)
- All actions audited
- Read access logged for envo_support role
- Can be revoked immediately
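An added example (not Envo's code) of the authorisation matrix and the Envo Support rules above as application-side logic: the role table is the one in the Authorisation section, `envo_support` exists only as a grant with the documented 4-hour default expiry, revocation takes effect immediately, and every decision is written to an audit trail so support reads are logged. The in-memory store, the `orgId:userId` key format and the method names are assumptions; in the real system the same rules live in RLS policies.

```typescript
// Added example, not Envo's code. Store, key format and method names are assumptions.

type Role = "owner" | "admin" | "staff" | "envo_support";
type Action =
  | "view_org" | "update_org" | "manage_properties" | "manage_issues"
  | "manage_vendors" | "manage_team" | "view_audit";

// Same matrix as the Authorisation table: roles permitted for each action.
const MATRIX: Record<Action, readonly Role[]> = {
  view_org:          ["owner", "admin", "staff", "envo_support"],
  update_org:        ["owner"],
  manage_properties: ["owner", "admin"],
  manage_issues:     ["owner", "admin", "staff", "envo_support"],
  manage_vendors:    ["owner", "admin"],
  manage_team:       ["owner"],
  view_audit:        ["owner", "admin"],
};

interface SupportGrant {
  orgId: string;
  supportUserId: string;
  grantedBy: string;
  expiresAt: number;   // epoch milliseconds
  revokedAt?: number;  // set when revoked before expiry
}

interface AuditEntry {
  at: number;
  orgId: string;
  userId: string;
  role: Role | null;   // null: no membership and no active grant
  action: Action;
  allowed: boolean;
}

const DEFAULT_GRANT_TTL_MS = 4 * 60 * 60 * 1000; // documented default: 4 hours

class AccessControl {
  private memberships = new Map<string, Role>(); // "orgId:userId" -> stored role
  private grants: SupportGrant[] = [];
  readonly audit: AuditEntry[] = [];

  addMember(orgId: string, userId: string, role: Exclude<Role, "envo_support">): void {
    this.memberships.set(`${orgId}:${userId}`, role);
  }

  // envo_support is never a stored membership; it exists only as a grant that expires.
  grantSupport(orgId: string, supportUserId: string, grantedBy: string,
               now: number = Date.now(), ttlMs: number = DEFAULT_GRANT_TTL_MS): SupportGrant {
    const grant: SupportGrant = { orgId, supportUserId, grantedBy, expiresAt: now + ttlMs };
    this.grants.push(grant);
    return grant;
  }

  // Immediate revocation: every still-active grant for this pair is closed now.
  revokeSupport(orgId: string, supportUserId: string, now: number = Date.now()): number {
    let revoked = 0;
    for (const g of this.grants) {
      if (g.orgId === orgId && g.supportUserId === supportUserId && this.isActive(g, now)) {
        g.revokedAt = now;
        revoked++;
      }
    }
    return revoked;
  }

  private isActive(g: SupportGrant, now: number): boolean {
    return g.revokedAt === undefined && now < g.expiresAt;
  }

  // Effective role: a stored membership wins; otherwise an active support grant; otherwise none.
  roleFor(orgId: string, userId: string, now: number = Date.now()): Role | null {
    const stored = this.memberships.get(`${orgId}:${userId}`);
    if (stored !== undefined) return stored;
    const active = this.grants.some(
      (g) => g.orgId === orgId && g.supportUserId === userId && this.isActive(g, now),
    );
    return active ? "envo_support" : null;
  }

  // Single decision point: every check, allowed or denied, lands in the audit trail,
  // which is how envo_support read access gets logged.
  authorize(orgId: string, userId: string, action: Action, now: number = Date.now()): boolean {
    const role = this.roleFor(orgId, userId, now);
    const allowed = role !== null && MATRIX[action].includes(role);
    this.audit.push({ at: now, orgId, userId, role, action, allowed });
    return allowed;
  }
}
```

The design choice worth copying is that the grant carries the expiry and the check evaluates it at request time; nothing needs a background job to "turn off" access, and revocation is a single field write.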
Prompt Injection Protection
Patterns detected and filtered:
- “ignore all previous instructions”
- “reveal your system prompt”
- Delimiter injection
- Control flow manipulation
- Risk levels: low, medium, high (high triggers monitoring)
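An added example (not Envo's code) of a screen for tenant chat input covering the four categories above: each rule carries a risk level, the highest matching level decides the verdict, matched spans are redacted, and only `high` sets the monitoring flag. The rule set, level names and the normalisation step are constructed for illustration; a real filter is tuned against its own traffic and is one layer among several, not the whole defence.

```typescript
// Added example, not Envo's code. Rules, level names and normalisation are assumptions.

type Risk = "low" | "medium" | "high";
type Level = "none" | Risk;

interface Rule { name: string; pattern: RegExp; risk: Risk }

const RULES: readonly Rule[] = [
  { name: "instruction_override",
    pattern: /\bignore\s+(?:all\s+)?(?:previous|prior|above)\s+instructions?\b/i, risk: "high" },
  { name: "system_prompt_exfil",
    pattern: /\b(?:reveal|show|print|repeat)\b.{0,40}\bsystem\s+prompt\b/i, risk: "high" },
  // Delimiter injection: text that tries to open a new chat-template turn inside user input.
  { name: "delimiter_injection",
    pattern: /<\/?(?:system|assistant|user)>|\[\/?INST\]|<\|im_(?:start|end)\|>/i, risk: "medium" },
  // Control-flow manipulation: rewriting the assistant's rules mid-conversation.
  { name: "control_flow",
    pattern: /\b(?:from now on|new (?:rules|instructions)|you are now|act as)\b/i, risk: "low" },
];

const RANK: Record<Level, number> = { none: 0, low: 1, medium: 2, high: 3 };

interface Verdict {
  level: Level;
  matches: string[];  // names of rules that fired, in rule order
  filtered: string;   // input with matched spans redacted
  monitor: boolean;   // true only for high, per the documented policy
}

// Collapse whitespace and strip zero-width characters so trivial obfuscation
// ("ign\u200Bore  all previous ...") is seen by the same rules as the plain form.
function normalize(input: string): string {
  return input.normalize("NFKC").replace(/[\u200B-\u200D\uFEFF]/g, "").replace(/\s+/g, " ").trim();
}

function screen(input: string): Verdict {
  const text = normalize(input);
  const matches: string[] = [];
  let level: Level = "none";
  let filtered = text;
  for (const rule of RULES) {
    if (!rule.pattern.test(text)) continue;
    matches.push(rule.name);
    if (RANK[rule.risk] > RANK[level]) level = rule.risk;
    // Build a fresh global RegExp for redaction; the rule's own object stays flag-free
    // so test() never carries lastIndex state between calls.
    filtered = filtered.replace(new RegExp(rule.pattern.source, rule.pattern.flags + "g"), "[filtered]");
  }
  return { level, matches, filtered, monitor: level === "high" };
}
```

Returning the rule names rather than just a level is what makes the `high` monitoring path useful: the alert can say which category fired and show the redacted text without re-running the classifier.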
Personal Data (GDPR)
| Table | Sensitive Fields |
|---|---|
| users | email, full_name, phone |
| tenants | name, phone, email |
| vendors | name, phone, email |
Protected by: RLS, audit logging, GDPR deletion process.
See GDPR & Compliance for deletion flows.
Security Checklist
Implemented
- RLS on all tables
- JWT authentication
- RBAC (owner/admin/staff/envo_support)
- Audit logging with user attribution
- Phone validation (E.164)
- Soft deletes
- Temporary access with expiry
- Rate limiting (30 req/min per phone, 100/min per IP)
- Webhook signature verification (HMAC-SHA256)
- Prompt injection protection
Planned
- Full security audit (needs-decision)
- OWASP ZAP scanning
- Secret scanning (Trufflehog)
- Vendor token hashing
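Three implemented checklist items (HMAC-SHA256 webhook signature verification, E.164 phone validation, and the 30/min-per-phone and 100/min-per-IP rate limits) combined into one inbound-webhook gate, as an added example that is not Envo's code. The signature format (hex digest of the exact raw body in a header), the JSON field name `from`, the class and method names, and the ordering of checks are assumptions; the limits and the algorithm are from the checklist.

```typescript
// Added example, not Envo's code. Header format, field name and check order are assumptions.
import { createHmac, timingSafeEqual } from "node:crypto";

const E164 = /^\+[1-9]\d{1,14}$/;

// Sender side, shown so the exchange is complete: hex HMAC-SHA256 over the exact raw body.
function sign(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Receiver side: compare fixed-length buffers with timingSafeEqual, never with string ===.
function verifySignature(rawBody: string, signatureHex: string, secret: string): boolean {
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  const given = Buffer.from(signatureHex, "hex"); // malformed hex yields a short buffer
  if (given.length !== expected.length) return false; // timingSafeEqual throws on length mismatch
  return timingSafeEqual(given, expected);
}

// Sliding-window limiter: keeps the timestamps of requests inside the window, per key.
class RateLimiter {
  private hits = new Map<string, number[]>();
  constructor(private readonly limit: number, private readonly windowMs: number = 60_000) {}

  allow(key: string, now: number = Date.now()): boolean {
    const recent = (this.hits.get(key) ?? []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(now);
    this.hits.set(key, recent);
    return allowed;
  }
}

interface InboundRequest { rawBody: string; signature: string; ip: string }
type Outcome = "accepted" | "bad_signature" | "bad_payload" | "rate_limited";

class WebhookGate {
  constructor(
    private readonly secret: string,
    private readonly perPhone = new RateLimiter(30),  // 30 req/min per phone
    private readonly perIp = new RateLimiter(100),    // 100 req/min per IP
  ) {}

  handle(req: InboundRequest, now: number = Date.now()): Outcome {
    // 1. Authenticate before parsing, so forged traffic cannot consume a real sender's quota.
    //    HMAC is cheap; if verification itself became the bottleneck, limit by IP first.
    if (!verifySignature(req.rawBody, req.signature, this.secret)) return "bad_signature";
    // 2. Per-IP limit next: no parsing needed.
    if (!this.perIp.allow(req.ip, now)) return "rate_limited";
    // 3. Parse and validate the phone the per-phone limit is keyed on.
    let from: unknown;
    try { from = (JSON.parse(req.rawBody) as { from?: unknown }).from; } catch { return "bad_payload"; }
    if (typeof from !== "string" || !E164.test(from)) return "bad_payload";
    if (!this.perPhone.allow(from, now)) return "rate_limited";
    return "accepted";
  }
}
```

Verify over the raw body bytes as received, before any JSON parsing or re-serialisation; a single whitespace difference changes the digest, which is exactly the property that makes the check meaningful.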
See also: Data Model, System Design, GDPR & Compliance