Skip to content

ADR #0022: Scaffolding Service Authentication and Multi-User Security #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

ADR #0022: Scaffolding Service Authentication and Multi-User Security #526

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
53cc8d6
initial ADR 0022
AlexLgn Aug 12, 2025
7697937
Add advice and relationships
AlexLgn Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
163 changes: 163 additions & 0 deletions docs/ADR/0022-scaffolding-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
# ADR_0022: Scaffolding Service Authentication and Multi-User Security

## Date

Decision date: 2025-07-28
Last status update: 2025-08-14

## Status

- [x] Proposed
- [ ] Accepted
- [ ] Deprecated
- [ ] Superseded

### Implementation Status

- [ ] Planned
- [ ] In Development
- [ ] Implemented
- [ ] Verified
- [ ] Discontinued

## People

### Author/Decision Owner (Single Point of Accountability)
Denis Pisarev

### Consulted (Subject Matter Experts)
- Alisher Khassanov
- Andreea Eftene
- Sviatoslav Alekseev

### Informed (Affected Parties)
[People/teams affected by this decision who should be aware]

- [ ] [Person 1]
- [ ] [Person 2]
- [ ] [Person 3]

## Decision

We will implement GitHub OAuth authentication with JWT session tokens, project ownership isolation, GitHub App integration, and secure repository permissions for all user authentication, session management, data isolation, and GitHub repository operations.

## Context

The dApp composer requires secure multi-user authentication and project management capabilities while maintaining seamless integration with developer workflows. The system must provide user authentication, project ownership, and GitHub repository management.

Key requirements from case:
- GitHub integration for repository management per case interfaces
- Project ownership isolation ensuring users can only access their own projects
- Secure GitHub App integration with OAuth authentication per case acceptance criteria
- Repository creation with appropriate template and permissions per case acceptance criteria
- Support for 10,000+ projects requiring scalable user data management per case quality attributes
- GitHub API integration for automated repository creation and webhook integration per case agent requirements

User authentication requirements:
- Web2/Web3 developers need seamless authentication using existing GitHub accounts
- QF Ecosystem Team requires user analytics and project tracking capabilities
- GitHub Integration System needs OAuth authentication and GitHub App API access
- Repository creation must succeed >99% of attempts per case acceptance criteria
- Developer GitHub permissions must be correctly configured per case acceptance criteria

Technical considerations from case:
- Secure GitHub App with project isolation per case quality attributes
- No sensitive data persistence per case quality attributes
- GitHub API availability and rate limits per case dependencies
- Authentication service reliability per case dependencies
- Stateless session management for scalability
- Integration with existing GitHub developer workflows

## Options

1. GitHub OAuth + JWT + Project Isolation + GitHub App (SELECTED)
2. Custom Authentication + Database Sessions + Manual GitHub Integration
3. Third-party Auth + API Keys + Direct GitHub API

## Consequences

### Option 1: GitHub OAuth + JWT + Project Isolation + GitHub App (SELECTED)

**Selected because:**
GitHub OAuth leverages existing developer accounts eliminating registration friction for Web2/Web3 developers, JWT session tokens provide stateless authentication supporting 10,000+ projects scalability requirement, project ownership isolation ensures strict data separation between users meeting security requirements, GitHub App integration enables automated repository creation with proper permissions per case acceptance criteria, OAuth authentication provides secure API access for repository management and webhook integration, seamless developer workflow integration reduces adoption barriers and supports case value proposition of reducing setup time from weeks to minutes

**Selected despite:**
GitHub dependency creates single point of failure if GitHub services unavailable, OAuth flow complexity may confuse users unfamiliar with authentication processes, JWT token management requires careful security implementation and refresh logic

**Risks and Mitigations:**
- **GitHub API rate limiting affecting repository creation operations**
- Mitigation: Request optimization and caching per case risk assessment, GitHub App optimization for higher rate limits, user communication about temporary delays
- **JWT token compromise enabling unauthorized project access**
- Mitigation: Short token expiration periods, secure token storage practices, session invalidation capabilities, comprehensive security monitoring
- **Project isolation failures allowing cross-user data access**
- Mitigation: Database-level access controls, comprehensive authorization testing, audit logging for access patterns, regular security reviews

**Failure Recovery:**
Session recovery mechanisms for expired tokens, GitHub API fallback strategies for service interruptions, manual repository creation procedures for critical failures

### Option 2: Custom Authentication + Database Sessions + Manual GitHub Integration

**Rejected because:**
Custom authentication creates registration friction conflicting with seamless developer experience goals, database sessions create scalability limitations for 10,000+ projects requirement, manual GitHub integration prevents automated repository creation with proper permissions, increased development complexity conflicts with MVP timeline constraints, maintenance overhead for custom authentication system

**Rejected despite:**
Full control over authentication flow and user experience, no external service dependencies reducing failure points, custom session management enabling specialized features, manual integration allowing fine-tuned repository permissions

### Option 3: Third-party Auth + API Keys + Direct GitHub API

**Rejected because:**
Third-party authentication adds external dependencies increasing complexity, API key management creates security risks and user experience friction, direct GitHub API integration lacks rate limiting optimizations available through GitHub Apps, additional service costs and operational overhead

**Rejected despite:**
Multiple authentication provider options increasing user choice, API keys provide simple integration patterns, direct API access offers maximum flexibility, third-party services handle authentication complexity and security

## Implementation Notes

**Authentication Flow Architecture:**
GitHub OAuth integration using standard authorization code flow for secure token exchange. JWT token structure includes user identification project ownership claims and session metadata. Token refresh mechanisms maintain session continuity without user interruption. Session validation middleware protects all authenticated endpoints.

**Project Ownership Model:**
Database schema enforces project ownership through user foreign key relationships. Authorization middleware validates project access on all operations. Project listing endpoints filter results by authenticated user ownership. Sharing mechanisms controlled through explicit permission grants when needed.

**GitHub App Integration:**
GitHub App registration provides elevated API access with higher rate limits. Repository creation automation through GitHub App API with template application. Webhook integration for repository events and synchronization. Permission management ensuring users receive appropriate repository access levels.

**Security Implementation:**
JWT signing with secure keys and appropriate expiration policies. HTTPS enforcement for all authentication endpoints and token transmission. Cross-site request forgery protection for authentication flows. Session invalidation capabilities for security incidents.

**Data Isolation Enforcement:**
Database queries include user context filtering preventing cross-user data access. API endpoints validate user ownership before performing operations. Audit logging tracks user access patterns and project operations. Regular security testing validates isolation effectiveness.

*For detailed implementation code examples and configuration details, see Scaffolding Service Architecture*

## Confirmation

**Acceptance Criteria:**
GitHub OAuth authentication integrates seamlessly with developer workflows, project ownership isolation prevents cross-user data access under all testing scenarios, repository creation succeeds >99% of attempts per case requirement, JWT session management supports 10,000+ concurrent users without performance degradation, GitHub App integration provides automated repository creation with correct permissions per case acceptance criteria

**Testing Approach:**
Authentication flow testing across different GitHub account types and permission levels, project isolation testing with simulated cross-user access attempts, repository creation testing under various GitHub API conditions, session management load testing with concurrent authentication requests, security penetration testing for authorization bypass attempts

## Advice

- If I'm a user and generating in some project using the Scaffolding Service - what if someone download with same link? (Sviatoslav Alekseev, 2025-08-06)
- What if we start with GitHub credentials? If we going to store some user information in the future, we also need to consider the security part of the browser application. For example GitHub App token for identification (Sviatoslav Alekseev, 2025-08-06)
- Need to perform verification that user auth from given account (Sviatoslav Alekseev, 2025-08-06)

## References

1. GitHub OAuth + JWT + Project Isolation + GitHub App (SELECTED)
2. Custom Authentication + Database Sessions + Manual GitHub Integration
3. Third-party Auth + API Keys + Direct GitHub API

- [GitHub OAuth Documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps)
- [GitHub Apps API Reference](https://docs.github.com/en/apps)
- [JWT Security Best Practices](https://www.ietf.org/archive/id/draft-sheffer-oauth-rfc8725bis-00.html)

## ADR Relationships

### Related ADRs

- ADR #0017: Scaffolding Service Core Runtime and Database Architecture - Uses SQLite for user session and project ownership data
- ADR #0018: Scaffolding Service API Framework and Request Processing - Integrates authentication middleware with API endpoints
- ADR #0020: Scaffolding Service Frontend Application Architecture - Implements OAuth flows and authenticated user interfaces