Skip to main content

Security

:::info Source Sourced from services/sync-service/SECURITY_MODEL.md in the documentation repo. :::

1. Authentication

JWT from identity-service.
Device binding verified on every sync operation via DeviceId in JWT + identity.device.bound_for_offline.v1.

2. Authorization

Mutations scoped to caller's (tenantId, userId, deviceId).
Cannot push mutations for another user.
Cannot pull deltas for another user's scope.
Admin: can force-resync any device in their tenant.

3. Multi-Tenant Isolation

RLS on all tables.
Scope always includes tenantId prefix.
Cursor tamper: server validates cursor format; mismatch → full resync.

4. Device Binding

Device must have identity.device.bound_for_offline.v1 event before sync.
Device public key used for:
- Mutation HMAC integrity.
- Bundle encryption key derivation (content-service).
Revoked device: all sync operations refused; existing cursors invalidated.

5. Mutation Integrity

Each mutation includes HMAC(payload, deviceKey).
Server verifies HMAC; tamper → reject with sync.mutation.rejected + alert.
Replay protection: clientMutationId unique PK.

6. Payload Validation

Payload validated against registered JSON Schema.
Schema mismatch → rejected.
Oversized payload (> 10 MB) → 413.

7. Encryption

TLS 1.3 in transit.
Postgres at rest.
Client-side: IndexedDB/SQLite encrypted with per-tenant key.
Sensitive mutation payloads (e.g., quiz responses) encrypted with per-tenant key on client.

8. Threat Model

Threat	Mitigation
Cross-tenant mutation injection	JWT tid + RLS + scope validation
Cross-user delta pull	JWT sub + scope includes userId
Device impersonation	Device binding + HMAC + fingerprint
Mutation replay	clientMutationId PK dedup
Mutation tamper	HMAC integrity check
Cursor manipulation	Server-generated; format verified; lamport monotonic
Full-resync flood (DoS)	Rate limit; force-resync admin-only
Offline mutation forgery	HMAC + server-side revalidation by owning service
Stale device accessing revoked content	Device trust revocation propagated via sync; license envelope expires
Clock manipulation (earlier occurredAt)	Server uses `receivedAt` for ordering; `occurredAt` informational

9. Audit

Every push + pull + conflict resolution logged.
Device health changes logged.
Mutation rejection reasons logged (security investigations).

Erase all cursors, mutations, conflicts, device health for user.
Owning services handle their entity erasure.

11. Compliance

SOC 2: access logs, device binding audit.
HIPAA: sync payloads encrypted; restricted providers for AI merge suggestions.

1. Authentication
2. Authorization
3. Multi-Tenant Isolation
4. Device Binding
5. Mutation Integrity
6. Payload Validation
7. Encryption
8. Threat Model
9. Audit
10. GDPR
11. Compliance