Admin Dashboard — Security Model

Status: populated Owner: Platform Engineering + Security Last updated: 2026-04-18

1. Threat Model Summary

The admin-dashboard has elevated access to all platform data. Primary threat vectors:

Compromised admin credentials (Firebase account takeover)
Session hijacking via XSS or cookie theft
Insider threat accessing unauthorized tenant data
Privilege escalation from customer to admin role

2. Authentication Layers

Layer	Mechanism
L1: Network	Cloudflare Access — `@ghasi.io` email domain required
L2: Application	Firebase Auth email + password
L3: Claim	`admin` custom claim verified via `GET /v1/internal/auth/me`
L4: JWT	Platform JWT on all API calls; validated by Kong
L5: Cookie	`httpOnly; Secure; SameSite=Strict` — no JS access

An attacker needs to breach all five layers to access admin functionality.

3. JWT Handling

JWT stored exclusively in an encrypted httpOnly cookie (__admin_session).
Auto-refresh via __admin_refresh cookie (Path-restricted to /api/auth/refresh).
No tokens in localStorage, sessionStorage, or accessible to page JavaScript.

4. SMPP Operator Password Handling

SMPP operator passwords are accepted in the create/edit modal but never pre-populated (the existing password is never sent back to the browser).
Blank password field in the edit form = no password change (backend contract).
Passwords are never logged by the dashboard.

5. CSRF Protection

SameSite=Strict cookies prevent cross-origin cookie submission.
BFF route handlers verify Origin header.
Double-submit CSRF token on all state-changing admin forms.

6. Content Security Policy

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-{RANDOM}' https://www.gstatic.com https://apis.google.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self' https://api.ghasi.io https://*.firebaseio.com wss://*.firebaseio.com;
  frame-src 'none';
  object-src 'none';
  base-uri 'self';

Note: No external CDN references beyond Firebase Auth SDK. All assets self-hosted.

7. Security Headers

Header	Value
`Strict-Transport-Security`	`max-age=31536000; includeSubDomains; preload`
`X-Content-Type-Options`	`nosniff`
`X-Frame-Options`	`DENY`
`Referrer-Policy`	`strict-origin-when-cross-origin`
`Permissions-Policy`	`camera=(), microphone=(), geolocation=()`

8. Audit Logging

Every admin action that mutates data (create/update/delete operator, update routing rule, suspend user, change billing pricing) sends X-Admin-User-Id and X-Admin-Email headers. Downstream services record these in their audit logs. The dashboard itself does not maintain an audit log.

9. Data Access Scoping

All /v1/internal/* Kong routes require the admin role claim in the JWT.
Kong rejects requests with only a customer claim.
The dashboard does not accept tenant/account IDs from URL parameters for security-sensitive operations — they are resolved server-side from the JWT.

10. Dependency Security

pnpm audit in CI; HIGH/CRITICAL vulnerabilities block merge.
No third-party charting libraries loaded from public CDNs; all bundled locally.

1. Threat Model Summary​

2. Authentication Layers​

3. JWT Handling​

4. SMPP Operator Password Handling​

5. CSRF Protection​

6. Content Security Policy​

7. Security Headers​

8. Audit Logging​

9. Data Access Scoping​

10. Dependency Security​