@startuml
title Notification System - Threat Model

actor "Attacker" as attacker
actor "Legitimate User" as user

component "React Frontend" as frontend
component "Python Backend" as backend
component "Notification Service" as notif
database "User Preferences" as prefs

package "Attack Vectors" {
  note right of attacker
    1. XSS via notification content
    2. Spam/DoS flooding
    3. Token theft/replay
    4. Authorization bypass
    5. MitM on WebSocket
  end note
}

package "Security Controls" {
  rectangle "Input Sanitization" as sanitize
  rectangle "Rate Limiting" as ratelimit
  rectangle "WSS + JWT Auth" as auth
  rectangle "ACL Checks" as acl
}

' Normal flow
user -> frontend : Authenticate
frontend -> backend : Get notification token
backend -> auth : Validate & issue JWT
frontend -> notif : Connect via WSS + token
backend -> sanitize : Sanitize content
sanitize -> ratelimit : Check limits
ratelimit -> acl : Verify user permissions
acl -> notif : Send notification
notif -> frontend : Deliver notification

' Attack attempts
attacker -[#red]-> notif :
sanitize -[#green]-> attacker : ✗ Blocked

attacker -[#red]-> notif : 10000 notifications/sec
ratelimit -[#green]-> attacker : ✗ Rate limited

attacker -[#red]-> notif : Stolen token
auth -[#orange]-> attacker : ✗ Token expired (5min TTL)

attacker -[#red]-> frontend : Read other user's notifications
acl -[#green]-> attacker : ✗ Authorization failed
@enduml