284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
40 lines
1.4 KiB
Markdown
40 lines
1.4 KiB
Markdown
# Mobile Security Review (Pre-release)
|
|
|
|
Date: `2026-02-03`
|
|
Scope: Mobile Ticketing MVP + mobile auth endpoints
|
|
|
|
## Checklist
|
|
|
|
### Authentication & session handling
|
|
|
|
- [x] Uses system browser for SSO (no embedded webview credential entry).
|
|
- [x] Uses short-lived access token + refresh token rotation for mobile API access.
|
|
- [x] Stores secrets in OS secure storage (Keychain/Keystore via `expo-secure-store`).
|
|
- [x] Supports server-side logout (refresh token revocation + access token deactivation).
|
|
|
|
### Token safety / leakage prevention
|
|
|
|
- [x] Logging redacts tokens and other secrets (`authorization`, refresh/access tokens, OTT, state).
|
|
- [x] Crash/error reporting omits HTTP bodies by default.
|
|
- [x] Clipboard helper redacts sensitive values by default.
|
|
|
|
### Deep links / redirects
|
|
|
|
- [x] Deep link handler validates allowed schemes/prefixes and rejects unexpected paths.
|
|
- [x] OTT exchange validates `state` and enforces single-use + short TTL.
|
|
- [x] OTT is bound to the web session id to prevent cross-session replay.
|
|
|
|
### Authorization / RBAC
|
|
|
|
- [x] Mobile API calls use server-side permission checks (no client-side bypass).
|
|
- [x] 403/no-access UX is explicit to avoid confusing failures.
|
|
|
|
### Rate limiting / abuse
|
|
|
|
- [x] OTT issue/exchange/refresh are rate limited (per IP and per user).
|
|
|
|
## Follow-ups
|
|
|
|
- Re-run this checklist before external beta if auth flows or token storage change.
|
|
|