Threat model
This document describes Rediflow's threat model: what we protect, who might attack, and how we mitigate risks.
Assets
| Asset | Sensitivity | Impact if compromised |
|---|---|---|
| Project data | High | Budgets, timelines, role demand, deliverables exposed |
| Person data | Medium–High | Names, assignments, capacity, org membership exposed |
| Org structure | Medium | Hierarchy, ownership, financial context exposed |
| Audit logs | High | Tampering or deletion undermines accountability |
| Sessions / OIDC tokens | High | Account takeover, impersonation |
Trust boundaries
- Browser — Untrusted. User may be malicious or compromised. Same-origin policy and CSP limit script injection.
- Rediflow app — Trusted. Policy layer enforces roles; optional RLS enforces DB-level isolation.
- PostgreSQL — Trusted. RLS policies apply when enabled.
- Authentik / OIDC — Trusted IdP. Identity and groups are assumed correct.
Attacker profiles
| Attacker | Motivation | Capability |
|---|---|---|
| External | Data theft, disruption | Limited if app is internal-only; higher if internet-facing |
| Internal malicious user | Access other orgs/projects, alter data | Authenticated; relies on policy/RLS and IDOR prevention |
| Compromised dependency | Supply chain | Mitigated by pip-audit, npm audit, lockfiles |
| Privileged insider | Bypass controls | Admin/super-admin; limited by audit logging |
Main threats
Broken access control (OWASP A01)
Risk: User A accesses User B's project by guessing UUIDs (IDOR).
Mitigation: Policy layer, project visibility, optional RLS.
Residual risk: Policy bugs, misconfiguration.
Authentication and session failures (OWASP A07)
Risk: Session fixation, token theft, open redirect in OAuth flow.
Mitigation: OIDC, secure cookies, rate limiting, safe redirect validation.
Residual risk: Authentik compromise, misconfigured OIDC.
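One way to implement the safe redirect validation named in the mitigation above, as an added example that is not Rediflow's own code. The function name `safe_next_url`, the fallback target `/` and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical fallback when the requested target is rejected (assumption).
DEFAULT_TARGET = "/"


def safe_next_url(candidate, default=DEFAULT_TARGET):
    """Return candidate only if it is a same-origin, path-only URL; else default."""
    if not isinstance(candidate, str) or not candidate:
        return default
    # Browsers drop tabs/newlines and treat "\" like "/", so "/\host" or
    # "/<TAB>/host" can end up as "//host". Reject control characters,
    # whitespace and backslashes before any parsing.
    if "\\" in candidate or any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate):
        return default
    # Require an absolute path; "//host/..." is scheme-relative and leaves the origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    # Defense in depth: a path-only URL has neither scheme nor network location.
    if parts.scheme or parts.netloc:
        return default
    return candidate


# Constructed sample inputs for a post-login "next" parameter.
SAMPLES = [
    "/projects/123?tab=budget",  # same-origin path: allowed
    "https://evil.example/",     # absolute URL to another origin
    "//evil.example/path",       # scheme-relative URL
    "/\\evil.example",           # backslash variant of "//"
    "/\t/evil.example",          # tab is stripped by browsers, leaving "//"
    "javascript:alert(1)",       # non-HTTP scheme
    "",                          # missing parameter
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", safe_next_url(sample))
```

Only the first sample is returned unchanged; every other input falls back to the default target.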
Injection (OWASP A03)
Risk: SQL injection, XSS, template injection.
Mitigation: Parameterized queries, Jinja2 auto-escape, CSP.
Residual risk: New raw SQL, misuse of |safe in templates.
Cross-tenant data exposure
Risk: Org A sees Org B's projects or people.
Mitigation: PROJECT_VISIBILITY_ENABLED, Authentik groups, RLS.
Residual risk: Group misconfiguration, policy gaps.
Supply chain
Risk: Compromised Python or npm packages.
Mitigation: pip-audit, npm audit, lockfiles, license checks.
Residual risk: New CVEs, typosquatting.
Denial of service
Risk: Brute-force, heavy queries, resource exhaustion.
Mitigation: Rate limiting on login, OAuth callback, share create.
Residual risk: No global rate limit on heavy endpoints.
Deployment context
- Internal / on-prem: External attackers are less likely; focus on insiders and misconfiguration.
- Internet-facing: External attackers become relevant; TLS, HSTS, and hardening matter more.
- No OIDC (POLICY_NO_AUTH_DEFAULT=allow_all): Anyone with network access can act as admin. Use only for dev or demo.
Out of scope
- Advanced persistent threats (APTs)
- Physical access to servers
- Authentik compromise (assumed trusted IdP)
- Zero-day exploits in PostgreSQL or Python runtime