Security — Auth, RBAC, Input Validation
Property: ChurchWiseAI
Category: Security
Tier: anonymous
Persona: anonymous
Touchpoint: /admin/[token] and /api/*
Preconditions
- Test with invalid tokens, injected inputs, and cross-church IDs
Steps
| # | Action | Expected Result |
|---|---|---|
| 1 | Access /admin/[invalid-token] | 401 or redirect to login — not a 500 or data leak |
| 2 | Access /admin/[token-from-different-church] | Blocked — only own church data accessible |
| 3 | POST to /api/admin/kb-proxy with SQL injection in body | Input sanitized — no SQL executed, 400 returned |
| 4 | Submit XSS payload in chatbot message | Payload escaped — not executed in browser |
| 5 | Access /api/admin/* without auth header | 401 returned — no data exposed |
| 6 | Try to read another church's voice_prayer_requests | RLS blocks it — only own church rows returned |
| 7 | Attempt brute-force on magic link endpoint | Rate limiting kicks in after N attempts |
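The token-scoping and rate-limit logic behind steps 1, 2, 5 and 7, written here as an added illustration rather than ChurchWiseAI project code; the token table, church IDs, timestamps and the limit of 5 attempts per minute are constructed assumptions.

```typescript
// Added example, not ChurchWiseAI code. Models two checks the steps above
// exercise: an admin token must resolve to exactly one church, and the
// magic-link endpoint must stop accepting attempts after a limit.

type AdminToken = { churchId: string; expiresAt: number; revoked: boolean };

type AuthDecision =
  | { status: 200; churchId: string }
  | { status: 401; reason: string }
  | { status: 403; reason: string };

// Constructed token table; the real app would look tokens up in the database.
const tokens = new Map<string, AdminToken>([
  ["tok-church-a", { churchId: "church-a", expiresAt: 2_000_000, revoked: false }],
  ["tok-church-b", { churchId: "church-b", expiresAt: 2_000_000, revoked: false }],
  ["tok-expired", { churchId: "church-a", expiresAt: 1, revoked: false }],
]);

// Resolve the token from /admin/[token] and require that the church the
// request targets is the church the token was issued for (steps 1, 2, 5).
function authorizeAdmin(token: string | undefined, requestedChurchId: string, now: number): AuthDecision {
  if (!token) return { status: 401, reason: "missing token" };
  const rec = tokens.get(token);
  if (!rec || rec.revoked || rec.expiresAt <= now) {
    return { status: 401, reason: "invalid or expired token" };
  }
  // The church comes from the token record, never from the URL or body alone.
  if (rec.churchId !== requestedChurchId) {
    return { status: 403, reason: "token not valid for this church" };
  }
  return { status: 200, churchId: rec.churchId };
}

// Fixed-window limiter for the magic-link endpoint (step 7): at most `limit`
// attempts per `windowMs` for a given client key (e.g. source address).
const attempts = new Map<string, { count: number; windowStart: number }>();

function allowMagicLinkAttempt(clientKey: string, now: number, limit = 5, windowMs = 60_000): boolean {
  const cur = attempts.get(clientKey);
  if (!cur || now - cur.windowStart >= windowMs) {
    attempts.set(clientKey, { count: 1, windowStart: now });
    return true;
  }
  cur.count += 1;
  return cur.count <= limit;
}
```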
Known Failure Modes
- Token from church A grants access to church B data — RLS bug
- SQL injection succeeds — parameterized queries missing
- XSS executes in chatbot — output not escaped
- API returns 200 with data when unauthenticated
References
- Playwright spec: e2e/edge-auth-rbac.spec.ts
- Code files:
Notes
All admin routes use token-based auth (magic link token in URL). Supabase RLS enforces row-level isolation per church_id. See architecture/protection-audit.md for full security audit.