ื“ืœื’ ืœืชื•ื›ืŸ ื”ืจืืฉื™

API Security Best Practices

Comprehensive API security patterns and practices used in Ever Gauzy.

Authenticationโ€‹

All API endpoints (except public endpoints) require JWT authentication:

Authorization: Bearer {jwt-token}

Token Lifecycleโ€‹

  1. User authenticates via /api/auth/login
  2. Server issues a JWT access token (short-lived) and refresh token (long-lived)
  3. Client includes access token in all requests
  4. When access token expires, client uses refresh token to get a new one
  5. When refresh token expires, user must re-authenticate

Token Configurationโ€‹

VariableDescriptionRecommended
JWT_SECRETSigning key256-bit random
JWT_TOKEN_EXPIRATION_TIMEAccess token TTL3600 (1 hour)
JWT_REFRESH_SECRETRefresh key256-bit random
JWT_REFRESH_EXPIRATION_TIMERefresh token TTL604800 (7 days)

Authorizationโ€‹

Guard Stackโ€‹

Every protected endpoint uses a layered guard stack:

GuardPurpose
TenantPermissionGuardValidates tenant context
PermissionGuardChecks user permissions
OrganizationPermissionGuardOrg-level permission check
RoleGuardRole-based access control

Permission Decoratorsโ€‹

@Permissions(PermissionsEnum.ORG_USERS_VIEW)
@Get('/users')
async findAll() { ... }

Relation Whitelistingโ€‹

All endpoints that accept relations query parameters must use enum-based whitelists to prevent data exposure:

// โœ… SAFE: Explicit whitelist
enum AllowedInvoiceRelations {
  FROM_ORGANIZATION = 'fromOrganization',
  TO_CONTACT = 'toContact',
  INVOICE_ITEMS = 'invoiceItems'
}

@Query('relations') relations: AllowedInvoiceRelations[]

// โŒ UNSAFE: Arbitrary string relations
@Query('relations') relations: string[]

Rate Limitingโ€‹

Configure rate limiting to prevent abuse:

VariableDescriptionDefault
THROTTLE_TTLWindow (seconds)60
THROTTLE_LIMITMax requests60

CORSโ€‹

Configure allowed origins:

CORS_ALLOW_ORIGIN=https://app.example.com,https://admin.example.com