Banking Software Authentication Strategy
🏦 Critical Security Guidelines for RISWIS Banking System
Middleware Selection Matrix
Critical Banking Operations
isAuthenticated
✅ Real-time
User management, transactions, account operations
MAXIMUM
High-Frequency API Calls
verifyToken
❌ Token only
System health, notifications, dashboard stats
STANDARD
Public/Optional Access
optionalAuthenticate
✅ If token present
Public endpoints, optional features
MINIMAL
🚨 CRITICAL: When to Use isAuthenticated
isAuthenticatedALWAYS use isAuthenticated for:
User management operations (
/users/*)Financial transactions (
/transactions/*)Account operations (
/accounts/*)Money transfers (
/money-transfer/*)Loan operations (
/loans/*)Audit operations (
/audit/*)System settings (
/system-settings/*)Branch management (
/branches/*)
Why: These operations require real-time user status validation to prevent:
Deactivated users from accessing banking functions
Deleted accounts from performing transactions
Compromised accounts from unauthorized access
⚡ Performance: When to Use verifyToken
verifyTokenUse verifyToken for:
Dashboard statistics (
/dashboard/stats)System health checks (
/health)Non-critical notifications (
/notifications)Branding/UI settings (
/branding)SMS analytics (
/sms-analytics)
Why: These operations prioritize performance over real-time user validation.
🔧 Implementation Examples
✅ CORRECT - Critical Banking Route
// backend/src/routes/user.routes.ts
import { isAuthenticated, adminAndManagerOnly } from '../middleware/auth.middleware'
router.use(isAuthenticated as RequestHandler) // Database validation
router.get('/', adminAndManagerOnly, userController.getAllUsers)❌ INCORRECT - Security Risk
// DON'T DO THIS for banking operations
import { verifyToken } from '../middleware/auth.middleware'
router.use(verifyToken as RequestHandler) // No database validation!
router.get('/users', userController.getAllUsers) // SECURITY RISK!🔄 Token Refresh Strategy
Frontend Retry Logic
const makeApiCall = async (retryCount = 0): Promise<ApiResponse<T>> => {
const response = await apiClient.get(endpoint, options);
// Handle token refresh response
if (!response.success &&
response.message === 'Token refreshed, please retry request' &&
retryCount < 2) {
console.log('Token was refreshed, retrying request...');
await new Promise(resolve => setTimeout(resolve, 500));
return makeApiCall(retryCount + 1);
}
return response;
};Backend Token Validation
// isAuthenticated middleware flow:
// 1. Extract token from header/cookie
// 2. Verify JWT signature and expiration
// 3. Query database for user existence
// 4. Validate user.isActive status
// 5. Attach complete user object to request📊 Performance vs Security Trade-offs
Aspect
isAuthenticated
verifyToken
Database Queries
1 per request
0 per request
Response Time
~50-100ms slower
Faster
Security Level
Maximum
Standard
Real-time Validation
✅ Current status
❌ Token-time status
Banking Compliance
✅ Recommended
⚠️ Limited use
🛡️ Security Best Practices
1. Route Protection Hierarchy
// Level 1: Critical Banking Operations
router.use(isAuthenticated)
router.use(adminAndManagerOnly)
// Level 2: Standard Operations
router.use(verifyToken)
router.use(authorize([Role.TELLER, Role.MANAGER]))
// Level 3: Optional Access
router.use(optionalAuthenticate)2. Error Handling
// Proper error responses for banking
if (!user.isActive) {
return res.status(403).json({
success: false,
message: 'Your account has been deactivated',
code: 'ACCOUNT_DEACTIVATED'
});
}3. Audit Logging
// Log all authentication events
logger.info(`User authenticated: ${user.id}, Role: ${user.role}, Path: ${req.path}`);🔍 Monitoring & Alerts
Critical Metrics to Track:
Failed authentication attempts
Token refresh frequency
Database query performance for
isAuthenticatedInactive user access attempts
Alert Thresholds:
HIGH: >10 failed auth attempts per minute
CRITICAL: Inactive user attempting banking operations
WARNING: Token refresh rate >50% of requests
🚀 Performance Optimization
For High-Traffic Endpoints:
Cache user status for non-critical operations
Use Redis for session management
Implement rate limiting on token refresh
Monitor database connection pool for auth queries
Database Optimization:
-- Ensure proper indexing for auth queries
CREATE INDEX idx_user_id_active ON users(id, isActive);
CREATE INDEX idx_user_email_active ON users(email, isActive);📋 Migration Checklist
🎯 Immediate Actions Required
Fix token refresh loop in frontend (✅ COMPLETED)
Replace verifyToken with isAuthenticated for
/usersroute (✅ COMPLETED)Audit all other critical routes for proper middleware usage
Implement comprehensive error handling for token refresh scenarios
Add monitoring for authentication failures and performance
Remember: In banking software, security always takes precedence over performance. When in doubt, use isAuthenticated for real-time user validation.
Last updated