Research: JWT authentication selected
- Comprehensive JWT research completed
- JWT with refresh tokens selected (9.5/10 score)
- Token revocation strategies (blacklist + versioning)
- Refresh token pattern (token rotation)
- Zero-knowledge password recovery integration
- Family member access control (permissions in JWT)

Key decisions:
- Access tokens: 15 minutes (short-lived)
- Refresh tokens: 30 days (long-lived, stored in MongoDB)
- Token rotation: Prevents reuse of stolen tokens
- Token versioning: Invalidate all tokens on password change
- Recovery phrases: Zero-knowledge password recovery from encryption.md
- Family permissions: parent, child, elderly roles

Updated tech stack decisions

Next: Database schema design (MongoDB collections)
parent 195ba2ec4e
commit 203c0b4331
3 changed files with 1560 additions and 26 deletions
@ -74,12 +74,35 @@

---

### 5. Authentication: JWT with Refresh Tokens
**Decision**: JWT (JSON Web Tokens) with Refresh Tokens + Recovery Phrases

**Score**: 9.5/10

**Rationale**:
- **Stateless design**: Scales to 1000+ concurrent connections (no session storage)
- **Mobile-friendly**: Works perfectly with React Native (AsyncStorage)
- **Zero-knowledge compatible**: Integrates with recovery phrases from encryption.md
- **Token revocation**: Refresh token blacklist (MongoDB) + token versioning
- **Token rotation**: Prevents reuse of stolen refresh tokens
- **Family access control**: Permissions in JWT claims (parent, child, elderly)
- **Security best practices**: Short-lived access tokens (15 min), long-lived refresh tokens (30 days)

**Trade-offs**:
- Revocation requires storage (MongoDB for refresh tokens, optional Redis for access tokens)
- More complex than sessions (but better for scaling)

**Reference**: [2026-02-14-jwt-authentication-research.md](./2026-02-14-jwt-authentication-research.md)

---

## Technology Stack Summary

### Backend
- **Framework**: Axum 0.7.x
- **Runtime**: Tokio 1.x
- **Middleware**: Tower, Tower-HTTP
- **Authentication**: JWT with refresh tokens
- **Database**: MongoDB (with zero-knowledge encryption)
- **Language**: Rust

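Review bot: the rationale bullet "Permissions in JWT claims (parent, child, elderly)" needs a note on propagation: with 15-minute access tokens, a permission removed from a family member stays usable until the token expires unless the resource server checks the token version on every request, and the commit message ties token versioning only to password change. Also, "Stateless design ... (no session storage)" is contradicted by the trade-off line "Revocation requires storage (MongoDB for refresh tokens, optional Redis for access tokens)"; suggest wording it as stateless access-token validation with stateful refresh.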
@ -88,6 +111,7 @@
- **Language**: TypeScript
- **State Management**: Redux Toolkit 2.x
- **Data Fetching**: RTK Query 2.x
- **Authentication**: JWT with AsyncStorage
- **Navigation**: React Navigation
- **Health Sensors**:
- react-native-health (iOS HealthKit)
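Review bot: "Authentication: JWT with AsyncStorage" puts a 30-day refresh token into unencrypted on-device storage; AsyncStorage is plain storage on both platforms. Suggest keeping the access token in memory only and storing the refresh token in the platform secure store (iOS Keychain / Android Keystore), and stating that choice here and in the "Mobile-friendly" rationale bullet of the decision section.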
@ -102,6 +126,7 @@
- **Language**: TypeScript
- **State Management**: Redux Toolkit 2.x
- **Data Fetching**: RTK Query 2.x
- **Authentication**: JWT with localStorage (or httpOnly cookies)
- **Routing**: React Router
- **Charts**: Recharts
- **Persistence**: Redux Persist 6.x (localStorage)
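Review bot: "JWT with localStorage (or httpOnly cookies)" leaves the storage decision open, and the two options are not equivalent: anything in localStorage is readable by any script running on the origin, so one XSS bug exposes the tokens, whereas an httpOnly cookie is not script-readable. Suggest committing to the cookie option for the refresh token (httpOnly, Secure, SameSite) with the access token held in memory, and noting that the "Redux Persist 6.x (localStorage)" configuration must exclude the auth state so tokens are never persisted there.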
@ -122,23 +147,7 @@

## Still To Be Decided

### 1. Authentication Strategy (Priority: High)

**Options**:
- JWT (stateless, scalable)
- Session-based (traditional, easier revocation)
- Passkey/WebAuthn (passwordless, modern)

**Considerations for Normogen**:
- Zero-knowledge password recovery (from encryption.md)
- Token revocation strategy
- Multi-factor authentication (future)
- Integration with client-side encryption keys
- Family member access control

---

### 2. Database Schema (Priority: High)
### 1. Database Schema (Priority: High)

**Collections to Design**:
- Users (authentication, profiles)
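Review bot: removing the "Authentication Strategy" section drops two considerations that the new decision section does not address anywhere: "Multi-factor authentication (future)" and "Integration with client-side encryption keys". Suggest carrying both into the JWT decision's trade-offs or a follow-up list so they are not silently lost with the section.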
@ -148,6 +157,16 @@
- Medications (encrypted medication data)
- Appointments (encrypted appointment data)
- Shared Links (time-limited access tokens)
- Refresh Tokens (JWT refresh token storage)

---

### 2. API Architecture (Priority: Medium)

**Options**:
- REST (current plan)
- GraphQL (alternative)
- gRPC (for microservices)

---

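Review bot: the "Refresh Tokens" and "Shared Links" collections both hold bearer secrets, and the entries should say what gets stored. Suggest specifying that each document holds a hash of the token rather than the raw value, plus user id, expiry with a TTL index, and for refresh tokens the rotation lineage, so that a database read does not yield usable credentials and reuse of a rotated token can be detected (the "Token rotation" bullet in the decision section depends on that detection).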
@ -156,8 +175,8 @@
1. Rust Framework: Axum (COMPLETED)
2. Mobile/Web Framework: React Native + React (COMPLETED)
3. State Management: Redux Toolkit 2.x (COMPLETED)
4. Authentication: JWT with recovery phrase
5. Database Schema: Design MongoDB collections
4. Authentication: JWT with refresh tokens (COMPLETED)
5. Database Schema: Design MongoDB collections (NEXT)
6. Create POC: Health sensor integration test
7. Implement Core Features: Authentication, encryption, CRUD

@ -165,13 +184,14 @@

## Next Research Priority

**Research Question**: How to implement zero-knowledge authentication with JWT and recovery phrase support?
**Research Question**: What should the MongoDB schema look like for Normogen's encrypted health data platform?

**Considerations**:
- Zero-knowledge password recovery (from encryption.md)
- Token revocation strategy
- Multi-factor authentication (future)
- Integration with client-side encryption keys
- Family member access control
- Zero-knowledge encryption (all sensitive data encrypted)
- Family structure (parents, children, elderly)
- Health data types (lab results, medications, appointments)
- Refresh tokens (JWT storage)
- Shared links (time-limited access)
- Permissions (family member access control)

**Estimated Research Time**: 2-3 hours
**Estimated Research Time**: 3-4 hours