
Security Architecture

Authentication & Authorization

  • End-user auth: optional Google OAuth (client ID/secret read from GSM). Enabled automatically when GOOGLE_CLIENT_ID is configured; when it is unset, end-user login is disabled.
  • Internal OIDC: /internal/* endpoints require an ID token whose aud claim matches INTERNAL_AUDIENCE. A token that is otherwise valid but was minted for another audience is rejected, so a caller cannot replay a token obtained for a different service.
  • RBAC:
    • src/security/enhanced_auth.py and src/security/permissions.py define roles/permissions.
    • Routes gate access via dependencies in src/api/dependencies, enforcing tenant isolation and role checks.
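The following is an added example of the two gates described above (audience check on the ID token, then tenant isolation and role check on the resulting claims). It is not the project's own enhanced_auth.py, permissions.py or dependency code. To run offline it signs its own tokens with HS256; real Google-issued ID tokens are RS256 and must be verified against Google's JWKS (for example with google.oauth2.id_token.verify_oauth2_token, which takes the expected audience as a parameter). The issuer list, the claim names (roles, tenant) and the role-to-permission table are assumptions.

```python
"""Audience, issuer, expiry and signature checks for an /internal/* style
endpoint, followed by a tenant + role gate on the verified claims.

Added example, not the project's code. HS256 is used only so the example
can mint test tokens offline; production ID tokens are RS256 (JWKS).
"""
import base64
import hashlib
import hmac
import json
import time

INTERNAL_AUDIENCE = "https://api.example.internal"           # assumed value
TRUSTED_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Hypothetical role -> permission table; the real one lives in permissions.py.
ROLE_PERMISSIONS = {
    "admin": {"tenant:read", "tenant:write", "jobs:run"},
    "operator": {"tenant:read", "jobs:run"},
    "viewer": {"tenant:read"},
}


class AuthError(Exception):
    """Raised for any rejected token or denied action."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (test helper; real tokens come from the IdP)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_internal_token(token: str, key: bytes,
                          audience: str = INTERNAL_AUDIENCE, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all pass."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise AuthError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise AuthError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise AuthError("audience mismatch")      # token was minted for another service
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:               # a missing exp is treated as expired
        raise AuthError("token expired")
    return claims


def require_permission(claims: dict, permission: str, tenant_id: str) -> bool:
    """Tenant isolation first, then role check: the caller must belong to the
    tenant named in the route and hold a role granting `permission`."""
    if claims.get("tenant") != tenant_id:
        raise AuthError("cross-tenant access denied")
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if permission not in granted:
        raise AuthError(f"missing permission {permission}")
    return True


def rejection_reason(fn, *args, **kwargs):
    """Return the AuthError message for a rejected call, or None if it was accepted."""
    try:
        fn(*args, **kwargs)
    except AuthError as exc:
        return str(exc)
    return None
```

The order of checks matters: the signature is verified before any claim is read, the tenant check runs before the role lookup so a cross-tenant request is refused even for an admin of another tenant, and a missing exp is rejected rather than treated as "never expires".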

Secrets & Configuration

  • Secrets live in Secret Manager; the backend reads them from environment variables or from GSM references provisioned by Terraform.
  • No secrets in VCS; see infra/terraform/variables.tf for existing secret IDs.

Edge and Transport

  • HTTPS LB terminates TLS and forwards to Cloud Run.
  • Strict security headers are set in middleware (HSTS, Content-Security-Policy, X-Frame-Options, etc.). Because TLS terminates at the load balancer, the application still has to emit HSTS itself: the browser only honors the header it receives on the HTTPS response.

Component View

Notes

  • Service-to-service requests use service account (SA) credentials; Pub/Sub push subscriptions and Cloud Tasks are configured to present an OIDC ID token for the invoker SA, so those calls go through the same /internal/* audience check.
  • SECRET_KEY and WEBHOOK_SECRET control signing and auth for webhook flows.
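The page names WEBHOOK_SECRET but not the signature format, so the following is an added example rather than the project's webhook code. It assumes a common HMAC scheme: a header of the form `t=<unix timestamp>,v1=<hex HMAC-SHA256>` computed over `<timestamp>.<raw body>`, with a replay window. A real provider's format must be matched exactly, on the raw undecoded body bytes, and the same constant-time comparison applies to anything signed with SECRET_KEY.

```python
"""HMAC webhook signature verification keyed by WEBHOOK_SECRET.

Added example, not the project's code. Assumed header format:
    X-Signature: t=<unix ts>,v1=<hex hmac-sha256 over "<ts>.<raw body>">
Load the secret from the environment (populated from Secret Manager);
it is passed in explicitly here so the example runs offline.
"""
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300      # replay window; assumed value


def sign_webhook(body: bytes, secret: bytes, ts: int) -> str:
    """Produce the signature header a sender would attach (used here for testing)."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(body: bytes, signature_header: str, secret: bytes, now=None) -> bool:
    """True only if the timestamp is fresh and the HMAC over ts + raw body matches."""
    parts = dict(p.split("=", 1) for p in signature_header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        provided = parts["v1"]
    except (KeyError, ValueError):
        return False                                  # header missing or malformed
    now = int(time.time()) if now is None else now
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False                                  # stale or future-dated: reject replays
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison; compare bytes so a non-ASCII header cannot raise.
    return hmac.compare_digest(expected.encode(), provided.encode())
```

Verify against the raw request body before any JSON parsing or re-serialization; even a changed whitespace byte invalidates the MAC, which is exactly what the tamper check below relies on.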