authorUMTS at Teleco <crt@teleco.ch>2025-12-13 02:48:13 +0100
committerUMTS at Teleco <crt@teleco.ch>2025-12-13 02:48:13 +0100
commite52b8e1c2e110d0feb74feb7905c2ff064b51d55 (patch)
tree3090814e422250e07e72cf1c83241ffd95cf20f7 /config/security.toml
committing to insanityHEADmaster
Diffstat (limited to 'config/security.toml')
-rw-r--r--config/security.toml210
1 files changed, 210 insertions, 0 deletions
diff --git a/config/security.toml b/config/security.toml
new file mode 100644
index 0000000..1b87c5b
--- /dev/null
+++ b/config/security.toml
@@ -0,0 +1,210 @@
+# prepare for evil ass autism configs!
+[security]
+# Yk what this is, if not read the fkn readme
+whitelisted_pin_ips = ["192.168.1.0/24", "127.0.0.1"]
+whitelisted_string_ips = ["192.168.5.0/24", "127.0.0.1"]
+
+# session stuffs
+session_timeout_minutes = 60 # def session timeout (makes session key go bye bye)
+refresh_session_on_activity = true # most useless thing ever most likely as nobody will ever disable this but sure you can just kill a users session during active use right?
+max_concurrent_sessions = 3 # how many gooning session to allow per user (you can set custom ones per powerlevel btw)
+session_cleanup_interval_minutes = 5 # how often to actually check on the session timeout, we aint gotta spam it none stop tbh
+
+# PIN and Token Auth
+hash_pins = false # weather or not to use bcrypt for pin field (left off for dev work)
+hash_tokens = false # Same as above
+pin_column = "pin_code"
+token_column = "login_string"
+
+# Rate Limiting, need i say more?
+enable_rate_limiting = true # Do yuo wahnt raten limitierung or not?
+
+# If i have to explain these to you just dont use this software
+auth_rate_limit_per_minute = 10000
+auth_rate_limit_per_second = 50000
+
+# api rape limitz
+api_rate_limit_per_minute = 100000
+api_rate_limit_per_second = 100000
+
+# default query limits to avoid someone spamming quieries on a table with 271k rows
+default_max_limit = 10000
+default_max_where_conditions = 1000
+
+# own user preferences level
+# Determines what an user can do with their own little preference store
+# - "read-own-only": kiosk ah ruling
+# - "read-write-own": what you probably want for most users
+# - "read-write-all": adminier maybe ?
+default_user_settings_access = "read-write-own"
+
+# define what tables exist
+# known tables for wildcard permissions (*:rw) and to prevent SQL injection via table names cuz thats a thing
+known_tables = [
+ "users", "roles", "assets", "categories", "zones",
+ "suppliers", "templates", "audit_tasks", "borrowers",
+ "lending_history", "audit_history", "maintenance_log",
+ "asset_change_log", "issue_tracker", "issue_tracker_change_log",
+ "physical_audits", "physical_audit_logs",
+ "label_templates", "printer_settings", "print_history"
+]
+
+# tables you cant write or change using proxi in any way not even user overrides below
+read_only_tables = ["asset_change_log", "issue_tracker_change_log", "print_history"]
+
+# column names banned from being written to by default (this is however overwritable on a per table per column per user type schizo settings below)
+global_write_protected_columns = [
+ "id",
+ "created_date",
+ "created_at",
+ "last_modified_date",
+ "updated_at",
+ "last_modified_at",
+]
+
+# note to myself how the rbac system kinda works
+# Format: role_power contains both basic table rules and advanced column rules
+# Basic rules: "table:permission" (r = read, w = write, rw = read+write, * = all tables (for like admins or smth))
+# Advanced rules: "table.column:permission" for more granular column level control
+# Column permissions: r = read, w = write, rw = read+write, block = blocked (obviously)
+# Use "table.*:block" to block all columns, then "table.specific_column:r" to allow specific ones
+# Use "table.*:r" to allow all columns, then "table.sensitive_column:block" to block specific ones
+
+# In the future even more advaned rules called schizo_rules will be implemented where you can define sql logic based rules
+# like "only allow access to rows where user_id = current_user_id" or "only allow access to assets where status != 'Stolen'"
+
+# i let an llm comment on the crap below so i can understand what ive done in like 3 months when i forget everything
+
+[permissions]
+
+[permissions."100"]
+# Admin - full access to everything
+basic_rules = [
+ "*:rw", # Example of wildcard full access to all known tables
+ "asset_change_log:r", # More or less redundant but whatever
+ "issue_tracker_change_log:r" # Same as above
+]
+advanced_rules = [
+ # Further granularity wow!
+ "assets.asset_numeric_id:r",
+ "assets.created_by:r",
+ "assets.last_modified_by:r",
+ "users.password_hash:block",
+]
+max_limit = 500
+max_where_conditions = 50
+session_timeout_minutes = 120 # Admins get longer sessions (2 hours)
+max_concurrent_sessions = 5 # Admins can have more concurrent sessions
+rollback_on_error = true # Rollback batch operations on any error
+allow_batch_operations = true # Admins can use batch operations
+user_settings_access = "read-write-all" # Admins can modify any user's preferences
+
+[permissions."75"]
+# Manager - full asset management, limited user access
+rollback_on_error = true # Rollback batch operations on any error
+allow_batch_operations = true # Managers can use batch operations
+basic_rules = [
+ "assets:rw",
+ "lending_history:rw",
+ "audit_history:rw",
+ "maintenance_log:rw",
+ "borrowers:rw",
+ "categories:rw",
+ "zones:rw",
+ "suppliers:rw",
+ "templates:rw",
+ "audit_tasks:rw",
+ "issue_tracker:rw",
+ "physical_audits:rw",
+ "physical_audit_logs:rw",
+ "label_templates:rw",
+ "printer_settings:rw",
+ "print_history:r",
+ "users:r", # Basic read access, then restricted by advanced rules below
+ "roles:r",
+ "asset_change_log:r",
+ "issue_tracker_change_log:r"
+]
+advanced_rules = [
+ # Table-specific protected (same as admin)
+ "assets.asset_numeric_id:r",
+ "assets.created_by:r",
+ "assets.last_modified_by:r",
+ # Users table - can read most info but not sensitive auth data
+ "users.password:block",
+ "users.password_hash:block",
+ "users.pin_code:block",
+ "users.login_string:block",
+ "users.password_reset_token:block",
+ "users.password_reset_expiry:block",
+]
+# Query limits (moderate for managers)
+max_limit = 200
+max_where_conditions = 20
+user_settings_access = "read-write-own" # Managers can only modify their own preferences
+
+[permissions."50"]
+# Staff - asset and lending management, NO user access
+rollback_on_error = false # Don't rollback batch operations on error (continue processing)
+allow_batch_operations = true # Staff can use batch operations
+basic_rules = [
+ "assets:rw",
+ "lending_history:rw",
+ "audit_history:rw",
+ "maintenance_log:rw",
+ "borrowers:rw",
+ "categories:r",
+ "zones:r",
+ "suppliers:r",
+ "templates:r",
+ "audit_tasks:r",
+ "issue_tracker:r",
+ "physical_audits:r",
+ "physical_audit_logs:r",
+ "label_templates:r",
+ "printer_settings:r",
+ "print_history:r",
+ "asset_change_log:r",
+ "issue_tracker_change_log:r"
+]
+advanced_rules = [
+ # Table-specific protected (same as admin/manager)
+ "assets.asset_numeric_id:r",
+ "assets.created_by:r",
+ "assets.last_modified_by:r",
+]
+# No users table access for staff - security requirement
+# Query limits (standard for staff)
+max_limit = 100
+max_where_conditions = 10
+user_settings_access = "read-write-own" # Staff can only modify their own preferences
+
+[permissions."25"]
+# Student - read-only access, no financial data, no user access, no change logs
+rollback_on_error = true # Rollback batch operations on any error
+allow_batch_operations = false # Students cannot use batch operations
+basic_rules = [
+ "assets:r",
+ "lending_history:r",
+ "borrowers:r",
+ "categories:r",
+ "zones:r"
+]
+advanced_rules = [
+ # Assets table - hide financial and sensitive info
+ "assets.price:block",
+ "assets.purchase_date:block",
+ "assets.supplier_id:block",
+ "assets.warranty_expiry:block",
+ # Borrowers table - hide personal contact info
+ "borrowers.email:block",
+ "borrowers.phone_number:block",
+ "borrowers.notes:block"
+]
+
+# Query limits
+max_limit = 50
+max_where_conditions = 5
+user_settings_access = "read-own-only" # Students can only read their own preferences, not modify
+
+
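Review bot: The admin role's `advanced_rules` under `[permissions."100"]` block only `users.password_hash`, whereas the manager role also blocks `users.password`, `users.pin_code`, `users.login_string`, `users.password_reset_token` and `users.password_reset_expiry`; since `pin_column = "pin_code"` and `token_column = "login_string"` are the credential columns and `hash_pins`/`hash_tokens` are both `false`, an admin-level read of `users` returns every account's PIN and login token in the clear. Adding `"users.pin_code:block",`, `"users.login_string:block",` and `"users.password_reset_token:block",` to the admin rules would align it with the manager role (whether admins instead need a write-only `w` rule for PIN resets depends on the proxy's reset path — confirm). `hash_pins = false` and `hash_tokens = false` are committed with a "left off for dev work" remark, so this file ships an insecure default; a comment above them such as `# Must be true in any non-development deployment; plaintext credentials are otherwise readable through the proxy` would make the intent explicit. Separately, `auth_rate_limit_per_second = 50000` exceeds `auth_rate_limit_per_minute = 10000` and `api_rate_limit_per_second` equals its per-minute value, so the per-second limits can never be the binding ones, and 10000 auth attempts per minute offers little protection against guessing of short numeric PINs.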