Skip to main content
Version: 3.0.1

Software Design Specification: Security Architecture

Document Type: System-Level (Tier 1) Status: Draft Last Updated: 2026-01-25

1. Purpose

This document describes the security architecture of the PCR Analysis System, covering authentication, authorization, session management, audit logging, and data protection mechanisms.

This is a Tier 1 document that provides cross-cutting security constraints and patterns. It does not satisfy individual requirements directly. Domain-specific security details (e.g., user account management, role assignment workflows) belong to the USERMGMT domain document.

2. Authentication Architecture

2.1 Overview

The system uses a hybrid authentication architecture combining:

  • AWS Cognito for identity management and credential verification
  • Laravel Sessions for web request authentication
  • Laravel Passport for API token authentication

2.2 Authentication Flow

2.3 Authentication Error Handling

The following error paths are handled during authentication:

Error ConditionCognito ExceptionHTTP ResponseUser Message
Invalid credentials (< 5 attempts)NotAuthorizedException401Invalid credentials
Account lockout (5 failed attempts)TooManyRequestsException429Account locked (~15 min timeout)
Account disabledUserNotFoundException401Account not found

2.4 Authentication Methods

MethodFlowProvider
NativeUsername/password via CognitoAWS Cognito
Federated (SAML)SAML 2.0 via Cognito identity brokerExternal IdP + Cognito

2.5 SAML/SSO Authentication Flow

For federated authentication via corporate identity providers:

SAML Flow Notes:

  • The Cognito Hosted UI handles the SAML protocol exchange
  • Authorization codes are exchanged server-side to prevent token exposure
  • GlobalSignOut ensures single-device enforcement applies to federated users
  • The DynamoDB session record is created identically to native login

2.6 Token Architecture

TokenSourceStorageLifetimePurpose
Cognito AccessTokenAWS CognitoEphemeral (not stored)Login onlyInitial authentication
Laravel SessionLaravelDynamoDB (prod)ConfigurableWeb request auth
Passport TokenLaravel Passportarctichare_token HTTP-only cookieConfigurableAPI request auth

Design Decision: Cognito tokens are not persisted. They are used only at login time to verify identity and fetch user attributes. This reduces token management complexity and attack surface.

3. Authorization Architecture

3.1 Authorization Model

The system implements role-based access control (RBAC) with:

  • User Types (roles) stored in local database
  • Middleware-based enforcement at route level
  • Gate-based enforcement for specific actions

3.2 Role Hierarchy

3.3 Role Matrix Overview

RoleRun FilesReportsAuditsUploadWestgardUser MgmtMulti-Site
JuniorYesYesYesYesNoNoNo
SeniorYesYesYesYesYesNoNo
Client-AdminNoNoYesNoNoYes*No
ManagerReadReadReadNoNoNoYes
Super AdminYesYesYesYesYesYesYes

*Client-Admin cannot modify Super Admin accounts.

3.4 Enforcement Mechanisms

MechanismImplementationPurpose
UserType Middlewareapp/Http/Middleware/UserType.phpRoute-level role restriction
Authenticate Middlewareapp/Http/Middleware/Authenticate.phpAuthentication enforcement
Gate: uploadFilesAuthServiceProviderPrevents Client-Admin upload
CheckIPMiddlewareapp/Http/Middleware/CheckIPMiddleware.phpIP whitelist enforcement

Reference: For detailed role definitions and assignment workflows, see SDS: USERMGMT Domain.

4. Session Management

4.1 Session Configuration

FeatureImplementationPurpose
Single-device enforcementlogoutOtherDevices('') on loginPrevents concurrent sessions
Session storageDynamoDB (production)Scalable, serverless
Session invalidation$request->session()->invalidate()Clean logout
Cognito logoutRedirect to /logout endpointFederated session termination

4.2 Inactivity Timeout

Sessions expire after a configurable inactivity period. See Configuration Reference for session timeout settings.

4.3 Account Disable Flow

When an account is disabled:

  1. UserAccountDisabled event is fired
  2. Cognito global sign-out is triggered
  3. Event is broadcast on private channel for real-time logout

5. Security Headers and Hardening

5.1 HTTP Security Headers

All responses include security headers via SetSecurityHeaders middleware:

HeaderValuePurpose
X-Frame-OptionsDENYClickjacking prevention
Strict-Transport-Securitymax-age=15724800; includeSubDomainsHTTPS enforcement
X-Content-Type-OptionsnosniffMIME sniffing prevention
Content-Security-PolicyStrict directiveXSS prevention

5.2 CSRF Protection

  • VerifyCsrfToken middleware validates tokens on state-changing requests
  • Tokens regenerated on authentication

5.3 Rate Limiting

  • Key: Request URL + Client IP
  • Enforcement: RateLimit middleware
  • Exclusions: Specific high-frequency polling endpoints

6. AI Security (LLM Endpoints)

6.1 Overview

AI/LLM endpoints have additional security layers to prevent prompt injection attacks.

6.2 Defense Layers

6.3 Security Controls

ControlImplementationAction
Suspicious header detectionAiSecurityMiddlewareLog + continue
Request size limit1MB maximumHTTP 413
Rate limiting10 req/min/IPHTTP 429
Prompt injection detectionPrismCustomInstructionsSanitize to [REDACTED]
Secure system instructionsExplicit override warningsInject into prompt

7. Audit Logging Architecture

7.1 Audited Events

Security-relevant events are captured via Laravel events:

EventTriggerData Captured
UserLoggedInSuccessful authenticationUser ID, timestamp
UserLoggedOutLogout actionUser ID, timestamp
UserAccountCreatedNew account creationUser ID, creator
UserAccountDeletedAccount deletionUser ID, deleter
UserAccountDisabledAccount disableUser ID, modifier
UserAccountEnabledAccount enableUser ID, modifier
UserAssociatedWithRoleRole changeUser ID, old/new role
PasswordChangedPassword modificationUser ID, timestamp

7.2 Audit Storage

Audit events are persisted to the audit log. See SDS: AUDIT Domain for storage and query details.

8. Data Protection

8.1 Encryption

LayerMechanism
In TransitTLS 1.2+ (HTTPS enforced via HSTS)
At RestAWS encryption (S3, RDS, DynamoDB)
CookiesLaravel cookie encryption (EncryptCookies)
PasswordsCognito-managed (not stored locally)

8.2 Sensitive Data Handling

  • Passport tokens stored in HTTP-only cookies (prevents XSS theft)
  • Session tokens regenerated on login (prevents fixation)
  • Password fields excluded from request trimming

9. Access Control Policies

9.1 Site-Based Access

When configured, users can only access data from sites they have been granted access to. Multi-site access is limited to Manager and Super Admin roles.

9.2 IP-Based Access

When block_unauthorized_ip is enabled:

  1. CheckIPMiddleware validates client IP against whitelist
  2. Requests from non-whitelisted IPs receive AuthorizationException
  3. /unauthorized path is exempt for error display

9.3 Cognito Group Enforcement

Sites can optionally require Cognito group membership for access. This adds IdP-level access control on top of application-level RBAC.

10. Implementation Mapping

Security ConcernCode Location
Authentication flowapp/Http/Controllers/Auth/HandleAuthenticated.php
Cognito integrationapp/Support/CognitoAuthenticator.php
User managementapp/CognitoUserManager.php
Role enforcementapp/Http/Middleware/UserType.php
Auth middlewareapp/Http/Middleware/Authenticate.php
IP whitelistapp/Http/Middleware/CheckIPMiddleware.php
Security headersapp/Http/Middleware/SetSecurityHeaders.php
AI securityapp/Http/Middleware/AiSecurityMiddleware.php
Prompt sanitizationapp/Support/PrismCustomInstructions.php
Auth guards configconfig/auth.php
Kernel middlewareapp/Http/Kernel.php
Auth service providerapp/Providers/AuthServiceProvider.php
DocumentRelevance
SRS: User ManagementRequirements this architecture implements
SDS: USERMGMT DomainDomain-specific user management design
SDS: AUDIT DomainAudit logging design
SDS: Configuration ReferenceSecurity-related configuration options
SDD: Security (Legacy)Predecessor document