Security
Security architecture including mTLS, HMAC signing, JWT authentication, audit logging, and rate limiting.
Security Layers
CPI implements defense-in-depth with 5 security layers for device communication:
| Layer | Mechanism | Purpose |
|---|---|---|
| 1. Transport | mTLS (port 8883) or TLS (port 8885) | Encrypted communication |
| 2. Identity | X.509 CN (mTLS) or JWT (TOKEN) | Device authentication |
| 3. Authorization | Per-device ACLs (topic-level) | Access control |
| 4. Integrity | HMAC-SHA256 signatures | Message authenticity |
| 5. Freshness | Nonce + timestamp validation | Replay protection |
mTLS Authentication
For high-security deployments, devices connect via mutual TLS on port 8883.
PKI Infrastructure
- Private CA managed in
docker/mosquitto/certs/ca/ - Scripts in
scripts/pki/:init-ca.sh,generate-broker-cert.sh,generate-device-cert.sh - PkiModule in the API uses
node-forgefor cert generation + OpenSSL CLI for CRL
Device Certificate
Each device gets a unique X.509 certificate with:
- Common Name (CN) = device UUID
- Signed by the private CA
- Mosquitto validates CN matches the connecting device ID
Certificate Revocation (CRL)
PkiService.revokeCertificate() generates a CRL via OpenSSL. Mosquitto enforces the CRL via crlfile directive.
Certificate Monitoring
CertMonitorService runs a daily cron job that checks for certificates expiring within 30 days and emits events for notification.
JWT MQTT Authentication (TOKEN)
For partner integrations, devices connect via JWT on port 8885.
- JWT issued by
MqttTokenServiceduring provisioning or token refresh - Token passed as MQTT password, device ID as username
- ACLs embedded in
publ(publishable topics) andsubs(subscribable topics) claims - Separate
MQTT_JWT_SECRETfrom the web APIJWT_SECRET - Default expiry: 1 hour, maximum: 24 hours
See Partner Integration Guide for full details.
HMAC-SHA256 Signatures
Every message (telemetry, status, commands, ACKs) is signed with a per-device HMAC secret.
Secret Management
- DeviceSecretsService manages HMAC secrets
- Secrets encrypted at rest with AES-256-GCM
- Redis-cached for performance
- Nonce tracking prevents replay attacks
Enforcement
- Production:
REQUIRE_HMAC_SIGNATURES=truerejects unsigned messages from non-PENDING devices - Development: can be relaxed for testing
Secret Rotation
POST /api/v1/devices/{deviceId}/rotate-secret- Returns new HMAC secret
- 1-hour grace period accepts both old and new secrets
- Use the grace period to update device firmware
Audit Logging
The AuditModule (global) logs all security events to the security_audit_logs table.
Logged Events
| Event Type | Severity | Example |
|---|---|---|
AUTH_SUCCESS | INFO | Device authenticated successfully |
AUTH_FAILURE | WARNING | Invalid JWT or certificate |
HMAC_FAILURE | WARNING | Message signature mismatch |
DEVICE_SUSPENDED | HIGH | Auto-suspended after rate limit |
CERT_REVOKED | HIGH | Certificate revoked by admin |
SECRET_ROTATED | INFO | HMAC secret rotation initiated |
DEVICE_DECOMMISSIONED | HIGH | Device permanently revoked |
Schema
Each audit log entry contains:
- Event type and severity level
- Device ID and/or user ID
- Timestamp
- JSONB
detailsfield for event-specific data
Rate Limiting
Auth Failure Rate Limiting
| Parameter | Value |
|---|---|
| Window | 5 minutes |
| Max failures | 10 |
| Action | Auto-suspend device |
When a device exceeds the failure threshold, it is automatically suspended and an audit log entry is created. An admin must manually reactivate the device.
Mosquitto Connection Limits
| Parameter | Value |
|---|---|
| Max connections | 500 |
| Max message size | 8 KB |
| Max inflight messages | 20 |
| Max queued messages | 1000 |
Web API Security
Authentication
- JWT stored in httpOnly cookies (
access_token) - Extracted from both
Cookieheader andAuthorization: Bearerheader - Global
JwtAuthGuardon all routes (opt-out with@Public())
Authorization
Role-based access control with three levels:
| Role | Permissions |
|---|---|
| ADMIN | Full access: device provisioning, user management, secret rotation |
| OPERATOR | Device monitoring, command sending, alert management |
| VIEWER | Read-only access to dashboards and telemetry |
CORS
Configured via ADMIN_URL environment variable. Only the admin dashboard origin is allowed.
Device Protocol
MQTT message formats, topic structure, HMAC signing, and protocol specification for CPI device communication.
Partner MQTT Integration Guide
Connect partner IoT devices to CPI using JWT-authenticated MQTT (TOKEN auth method). Covers registration, provisioning, telemetry, commands, and HMAC signing.