Authentication and Roles
The Research Platform uses NextAuth.js for authentication, providing a secure, flexible authentication system with JWT-based sessions.
- User submits credentials via login form (`/auth/login`)
- NextAuth credentials provider validates input
- Database lookup for user by email
- Password verification using bcrypt comparison
- Account status check (user must be active)
- Login log creation (successful or failed attempt recorded)
- JWT token generation with user ID and role
- Session cookie set (HTTP-only, secure in production)
- Redirect to dashboard
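The login sequence above, written out as an added example (this is not the platform's own `auth.ts`): a dependency-injected `authorize()` so it runs offline. `findUserByEmail`, `verifyPassword` and `recordLogin` are assumed names standing in for the Prisma lookup, `bcrypt.compare` and the `LoginLog` insert; the in-memory store uses scrypt only to avoid an npm dependency.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

interface User { id: string; email: string; name: string; role: string; passwordHash: string; isActive: boolean }
interface LoginLogEntry { userId: string | null; ip: string; userAgent: string; success: boolean; at: Date }
interface Deps {
  findUserByEmail(email: string): User | undefined;      // Prisma user lookup in the real app
  verifyPassword(plain: string, hash: string): boolean;  // bcrypt.compare in the real app
  recordLogin(entry: LoginLogEntry): void;               // insert into the LoginLog table
}
type SessionUser = { id: string; email: string; name: string; role: string };

// Returns the claims that go into the JWT on success and null on every failure.
// All failures look identical to the caller, so the response does not reveal
// whether the e-mail exists, the password was wrong, or the account is inactive.
function authorize(creds: { email?: string; password?: string },
                   req: { ip: string; userAgent: string }, deps: Deps): SessionUser | null {
  const email = (creds.email ?? "").trim().toLowerCase();
  const password = creds.password ?? "";
  const log = (userId: string | null, success: boolean) =>
    deps.recordLogin({ userId, ip: req.ip, userAgent: req.userAgent, success, at: new Date() });
  if (!email || !password) { log(null, false); return null; }          // 1. validate input
  const user = deps.findUserByEmail(email);                            // 2. database lookup
  if (!user || !deps.verifyPassword(password, user.passwordHash)) {    // 3. password check
    log(user?.id ?? null, false); return null;                         //    (userId assumed nullable)
  }
  if (!user.isActive) { log(user.id, false); return null; }            // 4. account status check
  log(user.id, true);                                                  // 5. successful attempt logged
  return { id: user.id, email: user.email, name: user.name, role: user.role }; // 6. JWT payload
}

// Constructed in-memory stand-ins; stored format is "salt:hash" in hex.
const hashPassword = (plain: string, salt = randomBytes(16).toString("hex")) =>
  `${salt}:${scryptSync(plain, salt, 32).toString("hex")}`;
const verifyPassword = (plain: string, stored: string) => {
  const [salt, hash] = stored.split(":") as [string, string];
  return timingSafeEqual(Buffer.from(hash, "hex"), scryptSync(plain, salt, 32));
};
const loginLog: LoginLogEntry[] = [];
const users: User[] = [
  { id: "u1", email: "active@example.org", name: "Active User", role: "BOTANISTE",
    passwordHash: hashPassword("correct horse"), isActive: true },
  { id: "u2", email: "former@example.org", name: "Former User", role: "TECHNICIEN_TERRAIN",
    passwordHash: hashPassword("battery staple"), isActive: false },
];
const deps: Deps = { findUserByEmail: (e) => users.find((u) => u.email === e), verifyPassword,
                     recordLogin: (entry) => { loginLog.push(entry); } };
const req = { ip: "203.0.113.7", userAgent: "example-agent/1.0" };
```

In production the unknown-user branch should still run `bcrypt.compare` against a fixed dummy hash, so that response time does not differ between unknown and known e-mail addresses.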
Session Type: JWT (JSON Web Token)
Benefits:
- Stateless authentication (no database session storage)
- Scalable across multiple server instances
- Fast authentication checks
- Built-in expiration handling
Session Storage:
- Stored in HTTP-only cookie
- Secure flag enabled in production
- SameSite protection against CSRF
Session Data:
```typescript
{
  id: string,    // User ID
  email: string, // User email
  name: string,  // Full name
  role: UserRole // User role
}
```
Hashing Algorithm: bcrypt
Configuration:
- 10 rounds (security/performance balance)
- Salt automatically generated
- One-way hashing (passwords cannot be recovered)
Password Requirements:
- Currently: No enforced complexity (can be enhanced)
- Stored as hash in database
- Never transmitted or logged in plain text
All login attempts are logged in the LoginLog table:
Logged Information:
- User ID
- IP address
- User agent (browser/device)
- Success/failure status
- Timestamp
Use Cases:
- Security auditing
- Suspicious activity detection
- User activity tracking
- Failed login monitoring
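An added example of the "suspicious activity detection" and "failed login monitoring" use cases above, run over rows with the LoginLog fields just listed. This is not the platform's own code: the row shape, the thresholds and the sample rows are constructed for the example.

```typescript
interface LoginLogRow { userId: string | null; ip: string; userAgent: string; success: boolean; createdAt: Date }
interface Finding { kind: "IP_FAILURE_BURST" | "ACCOUNT_MANY_SOURCES"; key: string; count: number }

// Flags (a) source IPs with at least ipThreshold failed attempts inside the window
// and (b) accounts whose failures in the window came from at least ipSpread distinct IPs.
// The window is anchored at the newest row so the check is reproducible on stored data.
function detectSuspiciousLogins(rows: LoginLogRow[], windowMs: number, ipThreshold = 5, ipSpread = 3): Finding[] {
  if (rows.length === 0) return [];
  const now = Math.max(...rows.map((r) => r.createdAt.getTime()));
  const recentFailures = rows.filter((r) => !r.success && now - r.createdAt.getTime() <= windowMs);
  const byIp = new Map<string, number>();
  const byUser = new Map<string, Set<string>>();
  for (const r of recentFailures) {
    byIp.set(r.ip, (byIp.get(r.ip) ?? 0) + 1);
    if (r.userId) {
      if (!byUser.has(r.userId)) byUser.set(r.userId, new Set());
      byUser.get(r.userId)!.add(r.ip);
    }
  }
  const findings: Finding[] = [];
  for (const [ip, n] of byIp) if (n >= ipThreshold) findings.push({ kind: "IP_FAILURE_BURST", key: ip, count: n });
  for (const [userId, ips] of byUser) if (ips.size >= ipSpread) findings.push({ kind: "ACCOUNT_MANY_SOURCES", key: userId, count: ips.size });
  return findings;
}

// Constructed sample rows: one IP hammering several accounts, one account probed
// from three IPs, one legitimate success, and one stale failure outside the window.
const base = new Date("2025-01-15T08:00:00Z").getTime();
const at = (seconds: number) => new Date(base + seconds * 1000);
const sampleRows: LoginLogRow[] = [
  ...["u1", "u2", "u3", null, "u4", "u5"].map((u, i) =>
    ({ userId: u, ip: "198.51.100.9", userAgent: "curl/8.0", success: false, createdAt: at(i * 10) })),
  { userId: "u2", ip: "203.0.113.4", userAgent: "Mozilla/5.0", success: false, createdAt: at(70) },
  { userId: "u2", ip: "203.0.113.5", userAgent: "Mozilla/5.0", success: false, createdAt: at(80) },
  { userId: "u1", ip: "203.0.113.6", userAgent: "Mozilla/5.0", success: true, createdAt: at(90) },
  { userId: "u6", ip: "192.0.2.77", userAgent: "Mozilla/5.0", success: false, createdAt: at(-7200) },
];
```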
The platform defines 15 predefined roles covering all organizational functions:
Responsibilities:
- Overall scientific oversight
- Research strategy and planning
- Publication approval
- Scientific data validation
Access Level: Full access to all modules
Special Permissions: Publication approval, data validation
Responsibilities:
- Financial management
- Budget approval
- Administrative oversight
- HR management
Access Level: Full access to administrative modules
Special Permissions: Budget approval, financial reports
Responsibilities:
- Flora cataloging and research
- Plant species identification
- Botanical field work
- Flora data management
Access Level: Full access to Species module (flora), Missions, Documents
Special Permissions: Create/edit flora species, validate observations
Responsibilities:
- Terrestrial fauna research
- Animal species identification
- Field observations
- Fauna data management
Access Level: Full access to Species module (terrestrial fauna), Missions, Documents
Special Permissions: Create/edit terrestrial fauna species
Responsibilities:
- Marine species research
- Marine ecosystem studies
- Underwater observations
- Marine data management
Access Level: Full access to Species module (marine), Missions, Documents
Special Permissions: Create/edit marine species, access marine data
Responsibilities:
- Freshwater ecosystem research
- Water quality analysis
- Aquatic species studies
- Hydrobiological data management
Access Level: Full access to Species module (freshwater), Environmental Data (water), Missions
Special Permissions: Water quality data entry and analysis
Responsibilities:
- Geological research
- Soil analysis
- Geological data collection
- Geology data management
Access Level: Full access to Environmental Data (geology), Missions, Documents
Special Permissions: Geology data entry and validation
Responsibilities:
- Climate data analysis
- Weather pattern studies
- Climate research
- Climate data management
Access Level: Full access to Environmental Data (climate), Missions, Documents
Special Permissions: Climate data entry and analysis
Responsibilities:
- GIS data management
- Spatial analysis
- Data visualization
- Map layer management
- Data analytics
Access Level: Full access to GIS, Analytics, all data modules
Special Permissions: Map layer creation, advanced analytics, data export
Responsibilities:
- System maintenance
- Technical support
- Platform administration
- Infrastructure management
Access Level: Technical modules, system configuration
Special Permissions: System settings, technical configurations
Responsibilities:
- Laboratory operations
- Sample analysis
- Equipment maintenance
- Lab data entry
Access Level: Equipment (lab), Environmental Data, Documents
Special Permissions: Lab equipment management, sample data entry
Responsibilities:
- Field data collection
- Equipment operation
- Mission support
- Field observations
Access Level: Missions, Equipment, Species (observations), Environmental Data
Special Permissions: Field data entry, equipment operation
Responsibilities:
- Boat operation
- Marine missions
- Marine equipment
- Safety operations
Access Level: Missions (marine), Equipment (boats), Documents
Special Permissions: Marine mission management, boat equipment
Responsibilities:
- Equipment logistics
- Mission preparation
- Inventory management
- Supply chain
Access Level: Equipment, Missions, Documents
Special Permissions: Equipment assignment, logistics planning
Responsibilities:
- Publication editing
- Content creation
- Communication materials
- Document formatting
Access Level: Publications, Documents, limited data viewing
Special Permissions: Publication editing, content creation
The platform uses a granular permission system with 5 permission levels:
- View data and records
- Read-only access
- Cannot modify or delete
- Create new records
- Edit existing records (owned or permitted)
- Cannot delete or validate
- Approve or validate data
- Quality control
- Data verification
- Typically for scientific validation
- Remove records
- Archive data
- Requires careful consideration
- Full administrative access
- All permissions
- System configuration
- User management
By Role: Default permissions assigned based on role
By Module: Permissions can be customized per module:
- Users
- HR
- Finance
- Equipment
- Missions
- Species
- Environmental Data
- GIS
- Documents
- Publications
By User: Individual users can have custom permissions via UserPermission table
Server-Side:
```typescript
import { requireAuth, requireAdmin, canAccessResource } from "@/lib/permissions"

// Check authentication (throws if there is no valid session)
const session = await requireAuth()

// Check admin role (throws if the current user is not an admin)
const adminSession = await requireAdmin()

// Check resource access (may the current user access the resource owned by resourceOwnerId?)
const canAccess = await canAccessResource(resourceOwnerId)
```
Client-Side:
- Session data available in components
- Role-based UI rendering
- Conditional feature display
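One way to resolve the role, module and per-user permission layers described in the permission section above, together with the ownership rule behind `canAccessResource()`, as an added example (not the code in `src/lib/permissions.ts`). The level names, the ordering of levels (each level includes the ones below it), the role default tables and the `UserPermission`-style override rows are assumptions; only the module names and the two admin role IDs come from this page.

```typescript
type Level = "VIEW" | "EDIT" | "VALIDATE" | "DELETE" | "ADMIN";   // assumed names for the 5 levels
type Module = "Users" | "HR" | "Finance" | "Equipment" | "Missions" | "Species"
            | "Environmental Data" | "GIS" | "Documents" | "Publications";
const LEVELS: Level[] = ["VIEW", "EDIT", "VALIDATE", "DELETE", "ADMIN"]; // assumed linear ordering
const rank = (l: Level) => LEVELS.indexOf(l);
const ADMIN_ROLES = ["DIRECTEUR_SCIENTIFIQUE", "DIRECTEUR_ADMINISTRATIF_FINANCIER"];

type Session = { user: { id: string; role: string } };
type RoleDefaults = Record<string, Partial<Record<Module, Level>>>;    // "By Role" and "By Module"
type UserOverride = { userId: string; module: Module; level: Level };  // "By User" (UserPermission rows)

function isAdminRole(role: string): boolean { return ADMIN_ROLES.includes(role); }

// Effective level of one user on one module: admins get everything, an explicit
// per-user row wins over the role default, and an unspecified module means no access.
function effectiveLevel(s: Session, mod: Module, roleDefaults: RoleDefaults, overrides: UserOverride[]): Level | null {
  if (isAdminRole(s.user.role)) return "ADMIN";
  const override = overrides.find((o) => o.userId === s.user.id && o.module === mod);
  if (override) return override.level;
  return roleDefaults[s.user.role]?.[mod] ?? null;
}

function hasPermission(s: Session, mod: Module, needed: Level, rd: RoleDefaults, ov: UserOverride[]): boolean {
  const have = effectiveLevel(s, mod, rd, ov);
  return have !== null && rank(have) >= rank(needed);
}

// Resource ownership: users may access their own records; admin roles may access all.
function canAccessResource(s: Session, resourceOwnerId: string): boolean {
  return isAdminRole(s.user.role) || s.user.id === resourceOwnerId;
}

// Constructed sample tables loosely mirroring the role descriptions above.
const roleDefaults: RoleDefaults = {
  BOTANISTE: { Species: "VALIDATE", Missions: "EDIT", Documents: "EDIT" },
  TECHNICIEN_TERRAIN: { Missions: "EDIT", Equipment: "EDIT", Species: "EDIT", "Environmental Data": "EDIT" },
};
const overrides: UserOverride[] = [
  { userId: "u3", module: "GIS", level: "VIEW" },       // a technician granted read-only GIS access
  { userId: "u3", module: "Species", level: "VIEW" },   // and restricted to viewing Species
];
```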
- Password Hashing: bcrypt with 10 rounds
- Session Security: HTTP-only cookies, secure flag
- CSRF Protection: NextAuth.js built-in protection
- Login Logging: All attempts logged
- Account Status: Inactive accounts cannot login
- Route Protection: All API routes validate session
- Page Protection: Server components check authentication
- Role-Based Access: UI and functionality based on role
- Permission Checks: Granular permissions per module
- Resource Ownership: Users can access their own resources
- Input Validation: Zod schemas validate all inputs
- SQL Injection Prevention: Prisma parameterized queries
- XSS Prevention: React automatic escaping
- Audit Logging: All critical actions logged
After database seeding:
Admin Account:
- Email: `admin@research-platform.ma`
- Password: `admin123`
- Role: `DIRECTEUR_SCIENTIFIQUE`
Location: src/lib/auth.ts
Key Settings:
- Provider: Credentials (email/password)
- Session strategy: JWT
- Pages: Custom login page (`/auth/login`)
- Secret: From `NEXTAUTH_SECRET` environment variable
Required in .env:
```bash
NEXTAUTH_URL="http://localhost:3000"  # Development URL
NEXTAUTH_SECRET="your-secret-key"     # Generate with: openssl rand -base64 32
```
The platform supports role-based dashboard customization:
Implemented Roles:
- DIRECTEUR_SCIENTIFIQUE
- DIRECTEUR_ADMINISTRATIF_FINANCIER
- BOTANISTE
- ZOOLOGISTE_TERRESTRE
- BIOLOGISTE_MARIN
- DATA_SCIENTIST_SIG
- TECHNICIEN_TERRAIN
Dashboard Customization:
- Role-specific KPIs
- Relevant data visualizations
- Quick access to role-specific features
- Customized activity feeds
Implementation: src/components/dashboard/role-dashboard.tsx
Function: isAdminRole(role: string)
Admin Roles:
- DIRECTEUR_SCIENTIFIQUE
- DIRECTEUR_ADMINISTRATIF_FINANCIER
Admin Capabilities:
- User management (create, edit, delete)
- System configuration
- Full data access
- Permission management
- Audit log access
Location: src/lib/permissions.ts
Functions:
- `isAdmin()`: Check if current user is admin
- `requireAdmin()`: Require admin access (throws if not admin)
- `canAccessResource()`: Check resource access
- `requireAuth()`: Require authentication
Table: LoginLog
Tracked Information:
- User ID
- IP address
- User agent
- Success/failure
- Timestamp
Use Cases:
- Security monitoring
- Failed login detection
- User activity tracking
Table: AuditLog
Tracked Actions:
- CREATE, UPDATE, DELETE operations
- Entity type and ID
- User who performed action
- Changes made (JSON)
- IP address and user agent
- Timestamp
Coverage: All critical operations across all modules
- Always check authentication before accessing protected resources
- Use permission utilities from `@/lib/permissions`
- Validate user permissions on both client and server
- Log security-relevant actions in AuditLog
- Never trust client-side permission checks alone
- Regularly review login logs for suspicious activity
- Monitor audit logs for unauthorized actions
- Keep roles and permissions up to date
- Deactivate unused accounts promptly
- Use strong passwords and encourage users to do the same
- Use strong, unique passwords
- Never share credentials
- Log out when finished
- Report suspicious activity immediately
- Keep contact information up to date
- Two-Factor Authentication (2FA): Additional security layer
- Password Complexity Requirements: Enforced password rules
- Session Management UI: Users can view/revoke sessions
- Role Templates: Pre-configured permission sets
- OAuth Integration: Social login options
- LDAP/Active Directory: Enterprise authentication
- API Key Authentication: For programmatic access
- Rate Limiting: Prevent brute force attacks
- Account Lockout: After failed login attempts
- Password Expiration: Periodic password changes
- Security Notifications: Email alerts for security events
- IP Whitelisting: Restrict access by IP (optional)
The authentication and role system provides a secure, flexible foundation for access control while maintaining ease of use for end users.
Last Updated: January 2025