Security
General Authentication
The project uses ABAIR's SSO authenticaiton system (auth.abair.ie). If the user already made an account, they can authenticate using the existing account.
Admin Authorization
Admin's are also users in the ABAIR's authentication system (auth.abair.ie), except they must be in the read-only supabase table auth_user_roles.
This table can only be modified by a supabase admin with top priviliges or using the Supabase Service Role Key.
We want to add a permission manager in the backoffice. Not available as of 11/03/2025.
Recordings Security
This data is sentitive and needs to be well protected. In the supabase bucket storage, the recordings are have a three-layer structure.
- First layer: User ID
- Second layer: Story ID
- Third layer: Recording ID
The RLS is setup such that:
- The user can only access recordings in their directory/first layer.
OR
- Any authenticated user who exists in
auth_user_rolesand hasmgnn_adminset to TRUE can access any recroding.
Here is an example of how to enable permission for users with mgnn_admin.
( SELECT true AS bool
FROM auth_user_roles
WHERE ((auth_user_roles.user_id = auth.uid()) AND (auth_user_roles.mgnn_admin = true)))
Stories & Segments Security
- All stories & segments are read-only for all authenticated users.
- All stories & segments can be added, updated, and deleted for all authenticated users who exists in
auth_user_rolesand hhavemgnn_adminset to TRUE.
Other tables
- mgnn_accounts: authenticated users can access their account details
- mgnn_story_completion: authenticated users can access the state of their completed stories
- mgnn_totals: read-only for anyone
- mgnn_rankings: read-only for anyone (updated only through SQL triggers)
Maintenance
The npm repositories need to be updated frequently to minimize security risks. To check for updates run npm audit and make sure there are no critical vulnerabilities present.