Security Features

Comprehensive documentation of security mechanisms in the Huh platform.

Security Standards: This platform follows industry best practices and aligns with the OWASP Top 10 web application security risks. For more information on web application security, refer to the OWASP Foundation.

Authentication & Authorization

JWT Authentication

• Token-Based: Stateless JWT tokens for API authentication
• Token Expiration: Configurable expiration time
• Role Claims: User roles embedded in JWT tokens
• Stateless Sessions: No server-side session storage

Password Security

• BCrypt Hashing: Passwords hashed using BCryptPasswordEncoder (see OWASP Password Storage Cheat Sheet)
• No Plaintext Storage: Passwords never stored in plaintext
• Secure Random: Cryptographically secure random token generation

User Roles

• ROLE_USER: Standard user with basic permissions
• ROLE_ADMIN: Administrator with full system access
• Role-Based Access Control: Endpoints protected by role requirements

Access Control List (ACL)

Permission Model

• Granular Permissions: READ (1), WRITE (2), CREATE (4), DELETE (8), ADMIN (16)
• Bit Masking: Integer bit masks for efficient permission storage
• Permission Inheritance: WRITE permission implies READ access

ACL Features

• User Permissions: Grant permissions to specific users
• Role Permissions: Grant permissions to roles (e.g., all admins)
• Owner Management: Automatic ownership assignment and management
• Admin Override: ROLE_ADMIN always has full access to all resources
• MongoDB Storage: ACL entries stored in MongoDB collections

ACL Implementation

• AclEntry: Individual permission entries
• AclObjectIdentity: Domain object identity mapping
• AclSid: Security identity (users and roles)
• Permission Checking: Runtime permission verification on all protected resources

User Invite-Only Function

Registration Control

• Instance Setting: Administrators can disable public registration
• Invite-Only Mode: When disabled, only invited users can register
• Secure Tokens: Invitation tokens generated using secure random
• Token Expiration: Invitation tokens expire after 7 days
• One-Time Use: Tokens marked as used after acceptance

Invitation Flow

1. Admin sends invitation via email
2. User receives email with secure token link
3. User accepts invitation, sets username and password
4. Account automatically approved (invited users bypass approval queue)
5. Token invalidated after use

Video Security

Authentication Mechanism

• No Direct Access: Videos cannot be accessed without authentication
• Token-Based Access: Short-lived tokens (10 minutes) required for video streaming
• HTTP-Only Cookies: Video access tokens delivered via HTTP-only cookies
• Cookie Security: Cookies set with httpOnly, sameSite=Lax, and path restrictions
• Token Validation: Tokens validated on each video request

Download Protection

• No Direct Downloads: Videos are not directly downloadable via URL
• Streaming Only: Videos served via authenticated streaming endpoint
• Range Request Support: HTTP Range requests supported for seeking
• Token Verification: Each request validates token and transcription ID match

Video Deletion

Deletion Features

• Manual Deletion: Users with DELETE permission can delete transcriptions
• Automatic Cleanup: Scheduled deletion based on deleteAt timestamp
• File Cleanup: Video files deleted from MinIO storage on transcription deletion
• ACL Cleanup: ACL entries automatically removed when transcription deleted
• Database Cleanup: Transcription records removed from MongoDB

Deletion Warnings

• Email Notifications: Owners receive warnings before scheduled deletion
• Configurable Timing: Warnings sent at configurable intervals before deletion
• Multi-Owner Support: All owners receive deletion warnings

Data Privacy & Local Processing

Local Services Only

• No External APIs: All transcription and translation services run locally on the server
• No Data Transmission: Audio/video files and transcriptions never leave your server
• Complete Privacy: All processing happens within your infrastructure
• Self-Hosted Transcription: Uses local Whisper-based transcription service
• Self-Hosted Translation: Uses local LibreTranslate instance for translations

Privacy Guarantees

• Zero External Sharing: No data is sent to third-party services or cloud providers
• On-Premises Processing: All AI/ML processing occurs on your own hardware
• Data Sovereignty: You maintain complete control over all data at all times
• Compliance Ready: Suitable for environments with strict data privacy requirements

Spring Boot Security Features

Security Configuration

• CSRF Protection: Disabled for API (using stateless JWT authentication)
• CORS Configuration: Configurable cross-origin resource sharing
• Stateless Sessions: SessionCreationPolicy.STATELESS for JWT-based auth
• Method Security: @EnableMethodSecurity for method-level authorization
• Filter Chain: Custom JWT and API key authentication filters

Security Filters

• JwtAuthenticationFilter: Validates JWT tokens from Authorization header
• ApiKeyAuthenticationFilter: Optional API key authentication for service-to-service
• Filter Ordering: Filters applied before standard Spring Security filters

Endpoint Protection

• Public Endpoints: /api/auth/**, /actuator/**, /ws/**, OPTIONS requests
• Authenticated Endpoints: Most API endpoints require authentication
• Admin-Only Endpoints: /api/users/**, /api/instance-settings/** require ROLE_ADMIN
• Video Endpoints: Cookie-based authentication handled in controller

Additional Security

• Input Validation: Jakarta Validation annotations on request models (see OWASP Input Validation Cheat Sheet)
• SQL Injection Prevention: MongoDB queries use parameterized queries via Spring Data (see OWASP SQL Injection Prevention Cheat Sheet)
• XSS Protection: Frontend Angular sanitization and Content Security Policy (see OWASP XSS Prevention Cheat Sheet)
• Secure Headers: Spring Security default security headers (see OWASP Secure Headers Project)
• Error Handling: Generic error messages to prevent information leakage

Security Best Practices

1. Never Log Passwords: Passwords never logged or exposed in error messages
2. Token Expiration: Short-lived tokens for sensitive operations (see OWASP Session Management Cheat Sheet)
3. Email Enumeration Prevention: Generic messages for password reset requests
4. Secure Random: Cryptographically secure random for all tokens
5. HTTP-Only Cookies: Prevents JavaScript access to authentication cookies (see OWASP Cookie Security)
6. Role-Based Access: Fine-grained access control at endpoint and resource levels (see OWASP Access Control Cheat Sheet)
7. ACL Verification: Permission checks on every resource access
8. Admin Approval: New users require admin approval before system access

Additional Resources

• OWASP Top 10 - Most critical web application security risks
• OWASP Cheat Sheet Series - Comprehensive security guidance
• Spring Security Documentation - Spring Boot security framework
• JWT Best Practices - JSON Web Token security considerations