Security & Access Control
How Jeton protects your data — authentication, sessions, RBAC, and route protection.
Authentication
Session-based Auth
Jeton uses HTTP-only cookie sessions (jeton_session). Because the cookie carries the HttpOnly flag, page JavaScript cannot read it, which prevents a script injected via XSS from stealing the session token.
Password Hashing
Passwords are hashed with bcrypt before storage. Plain-text passwords are never written to the database. The original password cannot be recovered — only reset.
Route Guards
Middleware in middleware.ts intercepts requests to protected paths (/app/*, /dashboard, /assets) and redirects unauthenticated users to sign-in. Public paths (like /docs/*) are always accessible.
Role-Based Access Control
Every API endpoint checks the user's role before processing the request. Role checks are server-side — there's no reliance on client-side state to enforce permissions.
// Example server-side role check (getCurrentUser resolves the user from the jeton_session cookie)
import { NextResponse } from 'next/server';

const user = await getCurrentUser(req);
if (!user || user.role !== 'admin') {
  // Deny before any handler logic runs; the client-side role is never trusted.
  return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
}
Superadmin Content
Pages containing architecture diagrams, schema details, and system internals are restricted to users with is_superadmin = true. These are server-side checks — the page itself returns a 403 if accessed without the correct flag.
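As an added example (not Jeton's own middleware.ts or API code), the decisions described in the Route Guards, Role-Based Access Control and Superadmin Content sections above, written as framework-independent TypeScript so the policy can be unit-tested without a Next.js runtime. The /sign-in path, the /app/internals prefix for superadmin-only pages and the SessionUser shape are assumptions.

```typescript
// Added example: guard policy for the paths named on this page.
// Assumed: sign-in lives at /sign-in, superadmin pages under /app/internals.
type Decision =
  | { action: 'allow' }
  | { action: 'redirect'; to: string }
  | { action: 'forbid'; status: 403 };

interface SessionUser {
  id: string;
  role: 'user' | 'admin';
  is_superadmin: boolean;
}

const PUBLIC_PREFIXES = ['/docs'];                      // always accessible
const PROTECTED_PREFIXES = ['/app', '/dashboard', '/assets']; // session required
const SUPERADMIN_PREFIXES = ['/app/internals'];         // assumed location

function matchesPrefix(pathname: string, prefixes: string[]): boolean {
  // Normalise a trailing slash, then match the exact path or a segment below it.
  // Segment-aware matching stops '/appendix' from matching '/app'.
  const p = pathname.length > 1 ? pathname.replace(/\/+$/, '') : pathname;
  return prefixes.some(prefix => p === prefix || p.startsWith(prefix + '/'));
}

// Mirrors the middleware: public paths first, then the session check,
// then the superadmin flag for restricted internals pages.
function guardRequest(pathname: string, user: SessionUser | null): Decision {
  if (matchesPrefix(pathname, PUBLIC_PREFIXES)) return { action: 'allow' };
  if (!matchesPrefix(pathname, PROTECTED_PREFIXES)) return { action: 'allow' };
  if (!user) {
    // Unauthenticated: send to sign-in, preserving the requested destination.
    return { action: 'redirect', to: `/sign-in?next=${encodeURIComponent(pathname)}` };
  }
  if (matchesPrefix(pathname, SUPERADMIN_PREFIXES) && !user.is_superadmin) {
    return { action: 'forbid', status: 403 }; // page returns 403, not a redirect
  }
  return { action: 'allow' };
}

// Server-side API role check, the same shape as the snippet above.
function requireRole(user: SessionUser | null, role: SessionUser['role']): { status: number; error?: string } {
  if (!user || user.role !== role) return { status: 403, error: 'Forbidden' };
  return { status: 200 };
}
```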
Logout
Signing out destroys the session cookie server-side (via POST /api/auth/logout) and redirects to the landing page. The session cannot be replayed after logout.