@startuml
title Security Boundaries - MVP Notification System

package "Frontend (React)" {
  [Notification UI]
  [Preferences UI]
}

package "API Layer" {
  [JWT Validator]
  [Authorization Check]
  [Rate Limiter]
}

package "Backend Services" {
  [Notification Service]
  [Preference Checker]
}

package "Data Layer" {
  database "PostgreSQL" {
    [notifications]
    [user_preferences]
  }
}

actor User
actor Attacker

User --> [Notification UI] : Authenticated
User --> [Preferences UI] : Manage settings

[Notification UI] --> [JWT Validator] : GET /api/notifications
[Preferences UI] --> [JWT Validator] : PUT /api/preferences

[JWT Validator] --> [Authorization Check] : Validate token
[Authorization Check] --> [Rate Limiter] : Check user ownership
[Rate Limiter] --> [Notification Service] : Enforce limits
[Rate Limiter] --> [Preference Checker] : Enforce limits

[Notification Service] --> [notifications] : Read/Write
[Preference Checker] --> [user_preferences] : Read/Write

Attacker -[#red]-> [JWT Validator] : ❌ Invalid token rejected
Attacker -[#red]-> [Authorization Check] : ❌ Cross-user access blocked
Attacker -[#red]-> [Rate Limiter] : ❌ Spam prevented

note right of [JWT Validator]
  **Security Controls:**
  • JWT validation (existing)
  • User-specific authorization
  • Rate limiting (100/hour)
  • Input validation/sanitization
  • CSRF protection
end note

note left of Attacker
  **Mitigated Threats:**
  • Unauthorized access
  • Notification injection
  • Subscription tampering
  • DoS via spam
  • Cross-user data leakage
end note

@enduml