Skip to main content

Security Architecture Document

Security Architecture Document

Project: Drop — Fintech Payment App (Remittance + QR Payments) Version: 1.0 Date: 2026-02-23 Author: ALAI Security Team Status: Draft Reviewers: CISO, CTO, DPO Classification: Confidential

Document History

Version Date Author Changes
0.1 2026-02-12 Security Agent (ALAI) Initial security audit
1.0 2026-02-23 Security Architect (ALAI) Architecture documentation

1. Security Architecture Overview

Security Owner: CISO (Alem Bašić / ALAI Holding AS) Last Security Review: 2026-02-12 (full audit); 2026-02-13 (hardening verification) Next Scheduled Review: 2027-02-12 (annual) or after Phase 2 integration (BankID, Open Banking) Compliance Targets: GDPR | PSD2 (Betalingstjenesteloven) | AML/Hvitvaskingsloven | DORA/IKT-forskriften | Finanstilsynet license

Architecture Model: Drop operates a PSD2 pass-through model. Drop never holds customer funds. AISP reads bank balances via Open Banking; PISP initiates payments directly from the user's bank account. Cards are a future feature, gated behind feature flags (all default to false).

Security Posture Summary (post-hardening 2026-02-13):

  • 0 Critical findings remaining (all 4 resolved)
  • 0 High findings remaining (all resolved)
  • 2 Medium findings remaining (CSP unsafe-inline, proxy X-Forwarded-For trust)
  • 4 Low findings acknowledged (out of scope for current MVP sprint)

Defense-in-Depth Overview

Internet
  → WAF (planned — Phase 2 infra hardening)
  → CDN / Edge TLS termination (planned)
  → Load Balancer (TLS 1.3)
  → Application Layer (Next.js — Next.js 16.1.6)
      ├── Rate Limiting (SQLite-backed, persistent)
      ├── Origin/CSRF validation
      ├── JWT auth + session revocation
      ├── RBAC (user / merchant roles)
      ├── Input validation + sanitization
      └── Parameterized SQL queries
  → Database Layer (SQLite — MVP; PostgreSQL planned Phase 2)
      └── Stored: bcrypt(password), session token hashes, masked card tokens

Monitoring: Sentry (error tracking) — SIEM planned Phase 3

2. Authentication Flows

2.1 Current MVP Authentication (Email + Password)

User → POST /api/auth/login {email, password}
     → Rate limit check (10 req/60s per IP — SQLite-backed)
     → SELECT user WHERE email = ?
     → bcrypt.verify(password, hash) [cost factor 12]
     → If valid: generate JWT (HS256, jose ^6.1.3, 24h expiry)
     → INSERT into sessions table (token_hash = SHA-256(token))
     → Set httpOnly cookie (secure:true, sameSite:strict, maxAge:24h)
     → Return 200

Source: src/drop-app/src/lib/auth.ts, src/drop-app/src/lib/middleware.ts

2.2 Session Lifecycle

Step Action Source
Login Session created, token_hash stored auth.ts:56-65
Each request Session checked for revocation middleware.ts:66-74
Logout All user sessions revoked server-side auth/logout/route.ts:5-14
Password change All sessions revoked Planned (Phase 2)

Session table schema:

Column Type Purpose
id TEXT PK ses_<hex16> format
user_id TEXT FK References users.id
token_hash TEXT SHA-256 of JWT token
expires_at TEXT Expiration timestamp
revoked INTEGER 0 = active, 1 = revoked

2.3 BankID OIDC Authentication (Phase 2 — Planned)

BankID is not yet integrated in the MVP codebase. Required for PSD2 SCA compliance before any live transactions. Planned integration:

User → Drop App → BankID OIDC (nivå høyt — eIDAS Level High)
     → BankID returns: name, fødselsnummer (national ID), verified identity
     → Drop validates: age >= 18 (from fødselsnummer), Norwegian residency
     → Dynamic linking for payment authorization (amount + payee bound to auth)

Regulatory requirement: PSD2 (Betalingstjenesteloven §§ 4-28, 4-29) requires SCA with two of three factors. BankID covers possession + knowledge. No live transactions without this.

Integration partner: TBD — BankID Norge AS (DPA required)

2.4 KYC Flow (Phase 2 — Planned via Sumsub)

Current state: Mock KYC with auto-approve (kyc_status field in users table). Production will use Sumsub:

User → Sumsub SDK → Document scan + liveness check
     → Sumsub webhook → Drop backend
     → Update users.kyc_status = 'approved'/'rejected'
     → Required for: remittance transactions

Source: legal/dpa-sumsub.md, legal/dpia-vurdering.md

3. Authorization Model

Model: RBAC (Role-Based Access Control) with resource-level user scoping

3.1 Roles

Role Description Access
user Standard registered user Own data only (transactions, recipients, notifications, settings)
merchant Merchant with QR payment dashboard Own data + merchant dashboard (/api/merchant/*)

KYC Status (enforced gate for financial operations):

Status Meaning Effect
pending Default on registration Cannot initiate remittance
approved KYC completed Full access to financial features
rejected KYC failed or blocked Blocked from all financial operations

3.2 Resource-Level Access Control (IDOR Prevention)

All data access queries include AND user_id = ? to scope data to the authenticated user. Applied to:

  • recipients — scoped to user
  • transactions — scoped to user
  • bank_accounts — scoped to user
  • notifications — scoped to user
  • settings — scoped to user
  • cards — scoped to user (future feature)

Merchant endpoints verify both merchant role and ownership.

Source: src/drop-app/src/app/api/ — all route handlers

3.3 Permission Summary

Resource user merchant Admin (TBD)
Own profile CRUD CRUD
Own transactions Read Read
Own recipients CRUD CRUD
Merchant dashboard Read
All users Admin only
AML reports Compliance only

4. Data Encryption

4.1 Encryption at Rest

Data Method Status
Database (SQLite) OS-level (filesystem) MVP — migrate to PostgreSQL Phase 2
Passwords bcrypt, cost factor 12 Implemented (bcryptjs ^3.0.3)
Session tokens SHA-256 hash stored (not plaintext) Implemented
JWT secret JWT_SECRET env var (fatal if missing in prod) Implemented
Fødselsnummer (national ID) AES-256-GCM application layer + HSM key Planned Phase 2
Card data Only last_four + token_ref stored (PAN/CVV never stored) Implemented (fix C1)
Bank account numbers Only last 4 digits in API responses Implemented

Note: Field-level encryption for PII (fødselsnummer) requires HSM-backed key management (planned Phase 2 with AWS KMS).

4.2 Encryption in Transit

Connection Protocol Status
User → Drop API HTTPS / TLS 1.3 Production requirement
Drop → BankID HTTPS / TLS 1.3 Phase 2
Drop → Sumsub HTTPS / TLS 1.3 Phase 2
Drop → Neonomics (PSD2) HTTPS / TLS 1.3 Phase 2
Drop → Swan HTTPS / TLS 1.3 Phase 2
Internal (service-to-service) mTLS Phase 3 (when microservices introduced)

4.3 Cookie Security Configuration

Source: src/drop-app/src/lib/auth.ts:48-54

Property Value Purpose
httpOnly true Prevents JavaScript access (XSS mitigation)
secure true (production) HTTPS-only transport
sameSite "strict" CSRF prevention
maxAge 86400 (24h) Session lifetime
path "/" Full site scope

5. Network Security

5.1 Current MVP Network Architecture

Internet → Next.js App (port 3000) → SQLite DB (local file)

Phase 2 target:

Internet
  → Cloudflare (DDoS + WAF)
  → AWS Load Balancer (TLS termination)
  → Private Subnet: Next.js App (ECS/Fargate)
  → Private Data Subnet: PostgreSQL (RDS)
  → External APIs: BankID, Sumsub, Neonomics, Swan (all HTTPS)

5.2 Security Groups (Phase 2 planned)

Source Destination Port Action
Internet Load Balancer 443 ALLOW
Internet Any 80 REDIRECT → 443
Load Balancer App servers 3000 ALLOW
App servers PostgreSQL 5432 ALLOW
App servers External APIs 443 ALLOW (allowlist)
Any Data Subnet Any DENY (default)

5.3 Rate Limiting

Source: src/drop-app/src/lib/middleware.ts:6-31

Endpoint Type Limit Window Implementation
Auth routes (login, register) 10 req 60 seconds SQLite-backed (persistent across restarts)
Transaction routes (remittance, qr-payment) 10 req 60 seconds SQLite-backed
Rate routes (/api/rates) 120 req 60 seconds SQLite-backed

Rate limit table: rate_limits — per-IP tracking via X-Forwarded-For header.

Known gap: X-Forwarded-For can be spoofed. Fix requires trusted proxy validation (planned Phase 2 with load balancer).

6. API Security

6.1 Input Validation

Source: src/drop-app/src/lib/middleware/validation.ts:149-203

All API inputs validated at controller level:

  • sanitizeText() — strips HTML tags, control characters, enforces max length
  • validateName() — rejects XSS payloads, script tags
  • validateEmail() — RFC format validation
  • validatePhone() — international format
  • validateAmount() — positive, finite, max 2 decimal places
  • validateIBAN() — format + checksum
  • validatePIN() — exactly 4 digits
  • validateCurrency() — whitelist: EUR, USD, GBP, BAM, CHF, PLN, NOK, RSD, TRY, PKR
  • validateLanguage() — whitelist: nb, en, bs, sq

Amount limits:

Endpoint Min Max
Remittance 100 NOK 50,000 NOK
QR Payment 1 NOK 100,000 NOK

6.2 SQL Injection Prevention

All 24 API endpoints use parameterized queries exclusively (? placeholders). No string concatenation in SQL.

Source: src/drop-app/src/app/api/ — all route handlers; verified in security audit 2026-02-12.

6.3 CSRF Protection

Origin header validation on all authenticated requests:

  • Validates Origin against: NEXT_PUBLIC_APP_URL, http://localhost:3000, http://localhost:3001
  • Combined with sameSite: "strict" cookies for defense-in-depth

Source: src/drop-app/src/lib/middleware.ts:44-55

6.4 Content Security Policy

Source: src/drop-app/next.config.ts:6-46

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self';
  frame-ancestors 'none';

Known limitation (Medium severity): unsafe-inline and unsafe-eval required for Next.js dev mode. Production should use nonce-based CSP. Planned Phase 2.

7. OWASP Top 10 Mitigation Matrix

OWASP Risk Mitigation Implementation Status
A01: Broken Access Control RBAC + AND user_id = ? on all queries All 24 API endpoints Implemented
A02: Cryptographic Failures bcrypt cost 12, JWT HS256, HTTPS TLS 1.3, httpOnly cookies auth.ts, utils-server.ts, next.config.ts Implemented
A03: Injection Parameterized queries exclusively (no string SQL concat) All API routes Implemented
A04: Insecure Design Pass-through model (no fund custody), feature flags for cards Architecture, feature-flags.ts Implemented
A05: Security Misconfiguration Security headers, demo credentials gated (NODE_ENV !== 'production') next.config.ts, db.ts Implemented
A06: Vulnerable Components All deps recent, no known CVEs (audit 2026-02-12) package.json Implemented
A07: Auth Failures bcrypt hashing, session revocation, rate limiting, no SHA-256 legacy auth.ts, middleware.ts, utils-server.ts Implemented
A08: Software Integrity TBD — signed commits planned Phase 3 Planned
A09: Logging Failures Sentry (error tracking) — audit log table planned Phase 3 MVP: Sentry Partial
A10: SSRF Pass-through model limits outbound surface; allowlist planned Phase 2 Architecture Partial

8. Security Headers Checklist

Source: src/drop-app/next.config.ts

Header Value Status
Strict-Transport-Security max-age=63072000; includeSubDomains; preload Implemented (fix M2)
Content-Security-Policy See §6.4 Partial — unsafe-inline remaining
X-Content-Type-Options nosniff Implemented
X-Frame-Options DENY Implemented
Referrer-Policy strict-origin-when-cross-origin Implemented
Permissions-Policy camera=(self), microphone=(), geolocation=(self) Implemented
Cache-Control (auth responses) no-store TBD — Phase 2

9. Dependency Vulnerability Management

Last dependency review: 2026-02-12 (security audit)

Package Version Risk Assessment
jose ^6.1.3 Low — Well-maintained JWT library
bcryptjs ^3.0.3 Low — Pure JS bcrypt
better-sqlite3 ^12.6.2 Low — Parameterized queries
next 16.1.6 Low — Recent version
react 19.2.3 Low — Latest major
radix-ui ^1.4.3 Low — UI components only

Remediation SLAs:

Severity SLA
Critical (CVSS ≥ 9.0) 24 hours
High (CVSS 7.0-8.9) 7 days
Medium (CVSS 4.0-6.9) 30 days
Low (CVSS < 4.0) 90 days

Planned: Dependabot + Snyk integration in CI/CD pipeline (Phase 3).

10. Security Logging & Audit Trail

Current (MVP): Sentry for error tracking. No structured audit log table.

Planned (Phase 3): Audit log table + SIEM integration.

Event Planned Logging Alert?
Login success user_id, ip, user_agent, timestamp No
Login failure ip, email_hash, attempt_count, timestamp Yes (> 5 failures)
Session revocation user_id, timestamp, reason Yes
Transaction initiated user_id, amount, currency, corridor, timestamp No
KYC status change user_id, old_status, new_status, timestamp Yes
AML flag triggered user_id, rule, transaction_id, timestamp Yes
Password change user_id, ip, timestamp Yes

AML transaction monitoring thresholds (from legal/hvitvaskingsrutiner.md):

  • Single transaction > NOK 50,000 → manual review
  • Daily cumulative > NOK 100,000 → manual review
  • Monthly cumulative > NOK 500,000 → EDD assessment
  • Structuring patterns → automatic flag

11. Integration Security

Third-Party Services (Phase 2)

Service Purpose Auth Method Data Shared DPA
BankID Norge AS SCA + Identity verification OIDC Name, fødselsnummer Required
Sumsub KYC/AML document verification API key + webhook HMAC ID documents, liveness data Signed (legal/dpa-sumsub.md)
Swan Banking / payment rails OAuth 2.0 Transaction data Signed (legal/dpa-swan.md)
Neonomics PSD2 AISP/PISP (Open Banking) OAuth 2.0 (PSD2) Bank account data, payment initiation Required
Sentry Error monitoring DSN Stack traces, user IDs Signed (legal/dpa-sentry.md)
AWS Infrastructure IAM roles + KMS Infrastructure only AWS DPA

Approval

Role Name Date Signature
Author ALAI Security Team 2026-02-23
CISO / Security Lead TBD — requires appointment
DPO TBD — requires appointment
CTO Alem Bašić
Back to top