Authentication & Authorization

This article explains the authentication and authorization system used in Kantinator.

Overview

Kantinator uses JWT (JSON Web Token) based authentication with refresh tokens for secure API access.

Authentication Flow

  1. Login: User submits credentials to POST /api/auth/login
  2. Token Issuance: Server validates credentials and returns:
    • Access token (short-lived JWT)
    • Refresh token (long-lived, stored in database)
  3. API Requests: Client sends the access token in the Authorization header of each request
  4. Token Refresh: When the access token expires, the client presents the refresh token to obtain a new access token and a new refresh token

Services

IAuthService / AuthService

Handles user authentication logic:

  • Validates user credentials
  • Issues JWT tokens
  • Manages user sessions

See: IAuthService | AuthService

ITokenService / TokenService

Responsible for JWT token generation and validation:

  • Creates access tokens with user claims
  • Validates token signatures
  • Extracts user information from tokens

See: ITokenService | TokenService

IRefreshtokenService / RefreshtokenService

Manages refresh token lifecycle:

  • Issues new refresh tokens
  • Validates existing refresh tokens
  • Handles token rotation
  • Detects token reuse attacks

See: IRefreshtokenService | RefreshtokenService

IHashService / HashService

Provides secure password hashing:

  • Uses modern hashing algorithms
  • Salted password storage
  • Verification of password hashes

See: IHashService | HashService
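The salted hashing and verification that IHashService describes, as an added stand-alone Python example (this is not Kantinator's HashService, whose code and algorithm choice are not shown on this page). The scheme (PBKDF2-HMAC-SHA256 from the standard library), iteration count, salt size and the `scheme$iterations$salt$hash` record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; the project's HashService may choose differently.
SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _parse(stored: str):
    """Split a stored record into (scheme, iterations, salt, digest) or None if malformed."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        return scheme, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return None


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; the record carries everything needed to verify later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    rec = _parse(stored)
    if rec is None or rec[0] != SCHEME:
        return False  # unknown or malformed record: fail closed
    _, iterations, salt, expected = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current policy; rehash after the next successful login."""
    rec = _parse(stored)
    return rec is None or rec[0] != SCHEME or rec[1] < PBKDF2_ITERATIONS
```

Each record stores its own salt and iteration count, so the work factor can be raised later without invalidating existing users: `needs_rehash` flags old records and the service rehashes them the next time the plaintext password is available, which is only at login.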

Authorization

Roles

Users are assigned roles that determine their permissions:

  • Admin: Full system access
  • Manager: Can manage menus and orders
  • User: Basic access to view menus and place orders

Permissions

Fine-grained permissions control specific actions:

  • Menu management
  • User management
  • Order management
  • System configuration

Security Features

  • Refresh Token Rotation: New refresh token issued with each refresh
  • Token Reuse Detection: System detects and prevents token replay attacks
  • Secure Password Storage: Passwords are hashed and salted
  • Short-lived Access Tokens: Reduces the exposure window if a token is compromised
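The login/refresh flow, the refresh token rotation and reuse detection attributed to RefreshtokenService, the role-to-permission checks, and the security features listed above, worked through in one self-contained Python example. This is an added illustration, not Kantinator's code (none is shown on this page). The signing key, access token TTL, in-memory user table, exception class names, and the mapping of the three documented roles onto permission names such as `menu.manage` are all assumptions; the plaintext password field stands in for the HashService verification described earlier.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for this example; the key and TTL belong in configuration. Permission names are hypothetical.
SIGNING_KEY = b"example-only-hs256-signing-key"
ACCESS_TTL_SECONDS = 300  # short-lived access token
ROLE_PERMISSIONS = {
    "Admin": {"menu.manage", "user.manage", "order.manage", "system.configure"},
    "Manager": {"menu.manage", "order.manage"},
    "User": {"menu.view", "order.place"},
}

class AuthenticationError(Exception): pass
class InvalidTokenError(Exception): pass
class TokenReuseError(Exception): pass
class PermissionDenied(Exception): pass

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_access_token(user_id: str, role: str, now: int) -> str:
    # Compact HS256 JWT carrying the user's id and role as claims.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "role": role, "iat": now, "exp": now + ACCESS_TTL_SECONDS}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def validate_access_token(token: str, now: int) -> dict:
    # Always verify with the server's key; the token's own header never selects the verifier.
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidTokenError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise InvalidTokenError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        raise InvalidTokenError("token expired")
    return claims

def authorize(token: str, permission: str, now: int) -> str:
    # Validate the bearer token, then check the role's permission set; return the user id.
    claims = validate_access_token(token, now)
    if permission not in ROLE_PERMISSIONS.get(claims["role"], set()):
        raise PermissionDenied(f"{claims['role']} lacks {permission}")
    return claims["sub"]

class AuthService:
    def __init__(self, users: dict):
        self.users = users  # constructed: user_id -> {"password", "role"}; stand-in for HashService checks
        self._refresh = {}  # sha256(token) -> {"user", "family", "used"}: only hashes are stored
        self._revoked_families = set()
    def _issue_refresh(self, user_id: str, family: str = "") -> str:
        raw = secrets.token_urlsafe(32)
        self._refresh[hashlib.sha256(raw.encode()).hexdigest()] = {
            "user": user_id, "family": family or secrets.token_hex(8), "used": False}
        return raw
    def login(self, user_id: str, password: str, now: int) -> tuple:
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise AuthenticationError("invalid credentials")
        return create_access_token(user_id, user["role"], now), self._issue_refresh(user_id)
    def refresh(self, raw: str, now: int) -> tuple:
        # Spend `raw` and return a new (access, refresh) pair; a second spend revokes its whole family.
        rec = self._refresh.get(hashlib.sha256(raw.encode()).hexdigest())
        if rec is None:
            raise InvalidTokenError("unknown refresh token")
        if rec["family"] in self._revoked_families:
            raise TokenReuseError("token family revoked")
        if rec["used"]:  # presented twice: it leaked or was replayed, so kill the chain
            self._revoked_families.add(rec["family"])
            raise TokenReuseError("refresh token reuse detected; family revoked")
        rec["used"] = True
        return (create_access_token(rec["user"], self.users[rec["user"]]["role"], now),
                self._issue_refresh(rec["user"], rec["family"]))

def _outcome(fn, *args):
    # The call's result, or the name of the security exception it raised.
    try:
        return fn(*args)
    except (AuthenticationError, InvalidTokenError, TokenReuseError, PermissionDenied) as exc:
        return type(exc).__name__

def run_scenario() -> dict:
    # Walk the documented flow with a fixed clock; each entry records what the server decided.
    now = 1_700_000_000
    svc = AuthService({"alice": {"password": "correct-horse", "role": "Manager"}})
    access, refresh = svc.login("alice", "correct-horse", now)
    header, payload, sig = access.split(".")
    forged = _b64(json.dumps({**json.loads(_unb64(payload)), "role": "Admin"}).encode())
    out = {
        "manager_menu": _outcome(authorize, access, "menu.manage", now),
        "manager_users": _outcome(authorize, access, "user.manage", now),
        "expired": _outcome(authorize, access, "menu.manage", now + ACCESS_TTL_SECONDS),
        "forged_role": _outcome(authorize, f"{header}.{forged}.{sig}", "user.manage", now),
    }
    access2, refresh2 = svc.refresh(refresh, now + 60)  # rotation: new pair issued, old refresh spent
    out["rotated"] = _outcome(authorize, access2, "order.manage", now + 60)
    out["old_refresh_replayed"] = _outcome(svc.refresh, refresh, now + 120)
    out["family_after_reuse"] = _outcome(svc.refresh, refresh2, now + 120)
    return out
```

Two design points carry the listed security features: the server keeps only a hash of each refresh token, so a database leak does not hand out usable tokens, and every token descended from one login shares a family id, so replaying an already-spent token revokes the current token of that family as well (the `family_after_reuse` step), forcing a fresh login rather than letting whichever party holds the newer token keep the session.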

Exception Handling

The system includes custom exceptions for security events:

Best Practices

  1. Store tokens securely on the client side
  2. Use HTTPS for all API communication
  3. Refresh tokens proactively before they expire
  4. Handle 401 responses by redirecting to login
  5. Never log sensitive token data