- JWT-based Authentication: Secure token-based authentication using JWT (JSON Web Tokens)
- Token Management:
  - Access tokens for API access
  - Refresh tokens for maintaining sessions
  - Token blacklisting for logout/revocation
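The token flow described in the two items above (access and refresh tokens plus a jti blacklist, the same blacklist the Session Invalidation section refers to), as an added example that is not the project's own code. It mints and verifies HS256 JWTs with only the standard library, pins the algorithm instead of trusting the token header, rotates refresh tokens on use, and denylists revoked token ids. The key, lifetimes and claim names are assumptions; the service keeps the denylist in Redis, here an in-memory set stands in for it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo values; the real service loads its key from configuration.
SECRET_KEY = b"constructed-demo-key-replace-with-a-32-byte-random-secret"
ACCESS_TTL = 15 * 60            # seconds; assumed access token lifetime
REFRESH_TTL = 7 * 24 * 60 * 60  # seconds; assumed refresh token lifetime

# Revoked token ids (jti). Redis with a TTL equal to the token's remaining
# lifetime in the real service; an in-memory set stands in for it here.
revoked_jtis: set = set()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    mac = hmac.new(SECRET_KEY, signing_input.encode("utf-8"), hashlib.sha256)
    return _b64url(mac.digest())


def issue_token(user_id: str, token_type: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT; token_type is "access" or "refresh" and is checked on verify."""
    now = int(time.time() if now is None else now)
    ttl = ACCESS_TTL if token_type == "access" else REFRESH_TTL
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "type": token_type, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(16)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _sign(signing_input)


def verify_token(token: str, expected_type: Optional[str] = None,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is well-formed, signed by us, unexpired, of the
    expected type and not revoked; otherwise None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature = parts
    # Check the signature before trusting anything inside the token, and pin the
    # algorithm rather than honouring the header (blocks alg=none / key confusion).
    expected_sig = _sign(header_b64 + "." + payload_b64)
    if not hmac.compare_digest(signature.encode("utf-8"), expected_sig.encode("ascii")):
        return None
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    if expected_type is not None and payload.get("type") != expected_type:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    if payload.get("jti") in revoked_jtis:
        return None
    return payload


def revoke_token(token: str, now: Optional[float] = None) -> bool:
    """Logout: blacklist the token's jti. Works for access and refresh tokens."""
    payload = verify_token(token, now=now)
    if payload is None:
        return False
    revoked_jtis.add(payload["jti"])
    return True


def refresh_session(refresh_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Exchange a valid refresh token for a new pair. The old refresh token is revoked
    (rotation) so a stolen copy cannot be replayed after the legitimate client used it."""
    payload = verify_token(refresh_token, expected_type="refresh", now=now)
    if payload is None:
        return None
    revoked_jtis.add(payload["jti"])
    return {"access_token": issue_token(payload["sub"], "access", now),
            "refresh_token": issue_token(payload["sub"], "refresh", now)}
```

Verifying the signature before decoding the JSON means malformed or attacker-crafted payloads never reach the parser, and the `type` claim stops an access token from being replayed as a refresh token.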
- Password Security:
  - Secure password hashing
  - Password reset functionality
  - Password update mechanism
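The hashing and reset items above, as an added example (not the project's code). Hashes are stored in a self-describing format with a random salt and the iteration count, compared in constant time, and flagged for re-hashing when the policy is raised; reset tokens are random, stored only as a SHA-256 digest, time-limited and single use. PBKDF2-HMAC-SHA256 is used here because it ships in the standard library; argon2id or bcrypt from a dedicated library are the usual production choices. The iteration count and reset-link lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed policy; raise over time and rely on needs_rehash()
RESET_TOKEN_TTL = 30 * 60     # seconds; assumed validity of a reset link

# Constructed in-memory store: sha256(reset token) -> (user_id, expires_at).
# Only the digest is stored, so a leaked table cannot be turned into usable reset links.
reset_tokens: dict = {}


def hash_password(password: str) -> str:
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:  # wrong field count, bad hex or bad integer
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash is weaker than the current policy. Call it after a
    successful login and re-hash with the plaintext that was just verified."""
    try:
        scheme, iterations, _salt, _digest = stored.split("$")
        return scheme != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def create_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Generate the secret that goes into the reset e-mail; only its digest is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("ascii")).hexdigest()
    reset_tokens[key] = (user_id, now + RESET_TOKEN_TTL)
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id for a known, unexpired token. Single use: the entry is
    removed whether or not it was still valid."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(hashlib.sha256(token.encode("utf-8")).hexdigest(), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now < expires_at else None
```

Because the iteration count travels with the hash, old records keep verifying after the policy changes, and `needs_rehash` lets the password update path migrate them opportunistically.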
- Account Lockout Mechanism:
  - 5 failed login attempts within 15 minutes triggers a 15-minute lockout
  - Lockout duration calculated from the most recent failed attempt
  - Failed attempts tracked for both invalid passwords and non-existent users
  - User enumeration prevention: lockout messages are identical for existing and non-existent accounts, so they never reveal whether a user exists
- Login Attempt Tracking:
  - All login attempts (successful and failed) are recorded with:
    - User ID
    - IP address
    - Timestamp (timezone-aware)
    - Success status
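The lockout rule and the attempt log from the two sections above, as one added example (not the project's code): a sliding 15-minute window over recorded failures, a lockout that runs from the most recent failure, identical responses for unknown and existing accounts, and timezone-aware attempt records. The in-memory user table, the IP addresses and the assumption that a successful login clears earlier failures are constructed for the example; the real service compares against a password hash rather than plaintext.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5
ATTEMPT_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=15)

# Both messages are returned identically for existing and non-existent accounts.
INVALID_CREDENTIALS = "Invalid credentials"
LOCKED_OUT = "Too many failed login attempts. Please try again later."

# Constructed user store: username -> (user_id, password). Plaintext only to keep the
# example short; the real service verifies a password hash here.
USERS = {"alice": ("u-1", "correct horse battery staple")}


@dataclass(frozen=True)
class LoginAttempt:
    identifier: str         # username as submitted, so unknown accounts are tracked too
    user_id: Optional[str]  # None when no such user exists
    ip_address: str
    timestamp: datetime     # timezone-aware (enforced in _record)
    success: bool


class LoginService:
    def __init__(self) -> None:
        self.attempts: List[LoginAttempt] = []

    def _record(self, identifier: str, ip: str, now: datetime, success: bool) -> None:
        if now.tzinfo is None:
            raise ValueError("login attempt timestamps must be timezone-aware")
        user = USERS.get(identifier)
        self.attempts.append(LoginAttempt(identifier, user[0] if user else None, ip, now, success))

    def lockout_until(self, identifier: str, now: datetime) -> Optional[datetime]:
        """Return when the current lockout ends, or None if the identifier is not locked.
        Assumption: a successful login clears earlier failures."""
        failures: List[datetime] = []
        for a in self.attempts:
            if a.identifier != identifier:
                continue
            if a.success:
                failures.clear()
            else:
                failures.append(a.timestamp)
        if len(failures) < MAX_FAILED_ATTEMPTS:
            return None
        latest = max(failures)
        # Only failures inside the 15-minute window ending at the latest failure count.
        in_window = [t for t in failures if latest - t <= ATTEMPT_WINDOW]
        if len(in_window) < MAX_FAILED_ATTEMPTS:
            return None
        # The lockout runs from the most recent failure. An attempt rejected during the
        # lockout is itself recorded as a failure, so it pushes the expiry out again.
        until = latest + LOCKOUT_DURATION
        return until if now < until else None

    def login(self, identifier: str, password: str, ip: str, now: datetime) -> Tuple[bool, str]:
        if self.lockout_until(identifier, now) is not None:
            self._record(identifier, ip, now, success=False)
            return False, LOCKED_OUT
        user = USERS.get(identifier)
        # Run the comparison even for unknown users so the code path and timing match.
        expected = user[1] if user else ""
        matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
        ok = user is not None and matches
        self._record(identifier, ip, now, success=ok)
        return ok, ("OK" if ok else INVALID_CREDENTIALS)
```

Note the trade-off the "most recent failed attempt" rule implies: while an account is locked, every further attempt extends the lockout, so the log records (with IP addresses) are what you use to tell a brute-force source from a locked-out legitimate user.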
- Fine-grained Permission System:
  - Granular permissions for different actions (view, create, edit, delete)
  - Resource-specific permissions (users, roles, orders, etc.)
  - Special "ALL_PERMISSIONS" permission for super-admin access
- Role Management:
  - Roles can be assigned multiple permissions
  - Users can be assigned multiple roles
  - System-wide roles vs tenant-specific roles
  - Role CRUD operations with permission management
- Tenant Isolation:
  - Each user belongs to a specific tenant
  - Roles and permissions scoped to tenants
  - Tenant-specific configurations and settings
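The permission, role and tenant isolation sections above combined into one added example (not the project's code). Permissions are strings per resource and action, roles bundle them, a role is either system-wide or bound to one tenant, `ALL_PERMISSIONS` short-circuits the check, and tenant validation runs before the permission check so that no permission, super-admin included, reaches across tenants. The `<resource>:<action>` naming and the rule that a tenant-scoped role cannot be assigned to a user of another tenant are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ALL_PERMISSIONS = "ALL_PERMISSIONS"  # name from the feature list; semantics below are assumed


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[str]
    tenant_id: Optional[str] = None  # None: system-wide role usable in any tenant


@dataclass
class User:
    id: str
    tenant_id: str
    roles: List[Role] = field(default_factory=list)


def permission_name(action: str, resource: str) -> str:
    """Assumed naming convention: "<resource>:<action>", e.g. "orders:edit"."""
    return f"{resource}:{action}"


def assign_role(user: User, role: Role) -> bool:
    """Tenant validation on the role-assignment operation: a tenant-scoped role may only
    be given to a user of that tenant. Returns False when the assignment is refused."""
    if role.tenant_id is not None and role.tenant_id != user.tenant_id:
        return False
    if role not in user.roles:
        user.roles.append(role)
    return True


def effective_permissions(user: User) -> FrozenSet[str]:
    perms = set()
    for role in user.roles:
        # Defence in depth: a foreign-tenant role that slipped into the list is ignored.
        if role.tenant_id is not None and role.tenant_id != user.tenant_id:
            continue
        perms |= role.permissions
    return frozenset(perms)


def has_permission(user: User, action: str, resource: str) -> bool:
    perms = effective_permissions(user)
    return ALL_PERMISSIONS in perms or permission_name(action, resource) in perms


def authorize(user: User, action: str, resource: str, resource_tenant_id: str) -> bool:
    """Tenant isolation first, then the permission check: holding a permission never
    lets a user act on another tenant's data."""
    return resource_tenant_id == user.tenant_id and has_permission(user, action, resource)
```

Keeping the tenant comparison in `authorize` rather than in each endpoint is what makes the isolation guarantee auditable: there is one place where cross-tenant access can be denied.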
- Tenant Administration:
  - Tenant admin flag for users
  - Tenant validation on operations
  - Tenant subscription management (plan, end date, max users)
- One Device, One Session:
  - When a user logs in from a new device, previous sessions are deactivated
  - Device-specific session tracking (device ID, name, type)
  - Session activity tracking (last active timestamp)
- Session Invalidation:
  - Token blacklisting for logout
  - Cache invalidation for revoked sessions
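The single-session rule and the invalidation steps from the two sections above, as an added example (not the project's code). A new login deactivates the user's earlier sessions, and deactivating a session does all three things at once: marks it inactive, blacklists its token id and drops the cached token payload, so the old device's token fails on its next request. The session store, blacklist and cache are in-memory stand-ins for the database and Redis; the field names and the session id format are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass
class Session:
    session_id: str
    user_id: str
    device_id: str
    device_name: str
    device_type: str
    token_jti: str        # jti of the access token issued for this session
    last_active: datetime
    is_active: bool = True


class SessionStore:
    """In-memory stand-in for the sessions table, the token blacklist and the
    cache of token payloads."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.revoked_jtis: Set[str] = set()
        self.payload_cache: Dict[str, dict] = {}

    def _invalidate(self, session: Session) -> None:
        session.is_active = False
        self.revoked_jtis.add(session.token_jti)         # token blacklisting
        self.payload_cache.pop(session.token_jti, None)  # cache invalidation

    def login(self, user_id: str, device_id: str, device_name: str, device_type: str,
              token_jti: str, now: datetime) -> Session:
        # One device, one session: every earlier active session of this user is
        # deactivated, so the previous device's token stops working immediately.
        for s in self.sessions.values():
            if s.user_id == user_id and s.is_active:
                self._invalidate(s)
        session = Session(secrets.token_urlsafe(16), user_id, device_id, device_name,
                          device_type, token_jti, now)
        self.sessions[session.session_id] = session
        self.payload_cache[token_jti] = {"sub": user_id, "sid": session.session_id}
        return session

    def touch(self, session_id: str, now: datetime) -> bool:
        """Record activity; False for unknown or deactivated sessions."""
        s = self.sessions.get(session_id)
        if s is None or not s.is_active:
            return False
        s.last_active = now
        return True

    def logout(self, session_id: str) -> bool:
        s = self.sessions.get(session_id)
        if s is None or not s.is_active:
            return False
        self._invalidate(s)
        return True

    def is_token_usable(self, token_jti: str) -> bool:
        """Per-request check, run after the JWT signature and expiry have been verified."""
        if token_jti in self.revoked_jtis:
            return False
        return any(s.token_jti == token_jti and s.is_active for s in self.sessions.values())

    def active_sessions(self, user_id: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.user_id == user_id and s.is_active]
```

The blacklist check and the cache eviction have to happen in the same operation: evicting the cached payload without blacklisting the jti would only force a re-validation that still succeeds on the signature alone.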
- User Registration and Activation:
  - Email verification for account activation
  - Auto-generated passwords for employee accounts
- User Profile Management:
  - Profile picture upload
  - Personal information storage (name, email, phone, address)
  - Employee-specific fields (KRA PIN, employee ID)
- External Service Integration:
  - References to other services (branch_id, restaurant_id)
- Caching:
  - Token payload caching
  - Redis integration for distributed caching
- Timeout Handling:
  - Global request timeout (30 seconds default)
  - Path-specific timeout exclusions
  - Custom timeout handling for specific operations
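The three timeout rules above as one added example (not the project's code): a policy object resolves a path to a limit (global default, per-path override, or no limit for excluded prefixes) and runs the handler under `asyncio.wait_for`, answering 504 when the limit is hit. It is framework-independent so it runs stand-alone; the excluded prefixes, the per-path values and the `sleeper` stand-in for a request handler are constructed for the example.

```python
import asyncio
from dataclasses import dataclass, field
from typing import Any, Awaitable, Callable, Dict, Optional, Tuple


@dataclass
class TimeoutPolicy:
    default: float = 30.0                     # global request timeout in seconds
    excluded_prefixes: Tuple[str, ...] = ()   # paths allowed to run unbounded
    per_path: Dict[str, float] = field(default_factory=dict)  # custom limits

    def limit_for(self, path: str) -> Optional[float]:
        """None means "no timeout"; otherwise the limit in seconds for this path."""
        if any(path.startswith(prefix) for prefix in self.excluded_prefixes):
            return None
        return self.per_path.get(path, self.default)

    async def run(self, path: str, handler: Callable[[], Awaitable[Any]]) -> Tuple[int, Any]:
        """Run a request handler under the policy and return (status, body)."""
        limit = self.limit_for(path)
        try:
            if limit is None:
                return 200, await handler()
            # wait_for cancels the handler coroutine when the limit is hit, so handlers
            # must not leave half-written state behind on cancellation.
            return 200, await asyncio.wait_for(handler(), timeout=limit)
        except asyncio.TimeoutError:
            return 504, {"error": "Request timed out", "limit_seconds": limit}


# Constructed configuration matching the defaults described above.
DEFAULT_POLICY = TimeoutPolicy(
    default=30.0,
    excluded_prefixes=("/health", "/reports/export"),
    per_path={"/auth/login": 5.0},
)


def sleeper(seconds: float, result: Any = "done") -> Callable[[], Awaitable[Any]]:
    """Constructed stand-in for a request handler that takes `seconds` to complete."""
    async def handler() -> Any:
        await asyncio.sleep(seconds)
        return result
    return handler


def handle(policy: TimeoutPolicy, path: str, handler: Callable[[], Awaitable[Any]]) -> Tuple[int, Any]:
    """Synchronous entry point for scripts and tests."""
    return asyncio.run(policy.run(path, handler))
```

Prefix matching for exclusions is deliberate (a `/reports/export/...` family of endpoints), while custom limits match exact paths; widen either only with care, since an excluded prefix is an unbounded-work endpoint by definition.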
- CORS Protection:
  - Configurable origin allowlist
  - Credential and method restrictions
- Error Handling:
  - Custom exception handlers
  - Detailed error responses with separate messages for developers and end-users
- Request Validation:
  - Pydantic schema validation
  - Input sanitization
- Email Notifications:
  - Account verification emails
  - Password reset emails
  - Welcome emails for new employees
  - Background task processing for non-blocking email sending
- User Activity Tracking:
  - Login attempts logging
  - Session activity tracking
  - Creation and modification timestamps on entities