Security & Access Control

Secret Management

We strictly separate sensitive credentials from the code and image metadata.

Docker BuildKit Secrets

To prevent sensitive tokens (like GH_TOKEN) from leaking into Docker image layers, we use BuildKit Secrets.

1. Dockerfile: Use the --mount=type=secret flag.

   RUN --mount=type=secret,id=GH_TOKEN \
       (echo "@rabestro:registry=https://npm.pkg.github.com" && \
        if [ -s /run/secrets/GH_TOKEN ]; then \
          printf "//npm.pkg.github.com/:_authToken=%s\n" "$(cat /run/secrets/GH_TOKEN)"; \
        fi) > .npmrc && \
       npm install && \
       rm -f .npmrc

2. CI/CD: Pass the secret via the docker/build-push-action.

   - name: Build and push Docker image
     uses: docker/build-push-action@v7
     with:
       secrets: |
         "GH_TOKEN=${{ secrets.GITHUB_TOKEN }}"

Danger

Never use ARG or ENV for sensitive tokens in a Dockerfile, as they are persisted in the image history.

---

Authentication Bypass (Local Development)

For rapid local iteration, we provide a Mock Auth mode that bypasses Google OAuth2.

• Backend: Set MOCK_AUTH=true in backend-api/.env.
• Frontend: Set VITE_MOCK_AUTH=true in frontend-pwa/.env.local.

When active, the system automatically logs you in as a default “Local Admin” user. This mode is also used by Playwright for E2E testing to ensure repeatable, network-independent test runs.

---

User Lifecycle & Approvals

The production environment operates as a closed beta.

Approval Workflow

1. Sign Up: New users sign up via Google OAuth2.
2. Pending State: By default, new users have is_active = false and cannot access the trainer.
3. Admin Approval: An existing Admin must go to the Admin Dashboard > Users tab and click Approve.

Role Management

• USER: Standard access to trainer and bookmarks.
• ADMIN: Access to the Admin Dashboard (ETL control, User management).

Tip

Admins are protected from self-blocking or self-demotion in the UI to prevent accidental lockout.