BeepZone/backend/seckelapi/config/security.toml

# prepare for evil ass autism configs!
[security]
# Yk what this is, if not read the fkn readme
whitelisted_pin_ips = ["192.168.1.0/24", "127.0.0.1"]
whitelisted_string_ips = ["192.168.5.0/24", "127.0.0.1"]

# session stuffs
session_timeout_minutes = 60  # def session timeout (makes session key go bye bye)
refresh_session_on_activity = true  # most useless thing ever most likely as nobody will ever disable this but sure you can just kill a users session during active use right?
max_concurrent_sessions = 3  # how many gooning session to allow per user (you can set custom ones per powerlevel btw)
session_cleanup_interval_minutes = 5  # how often to actually check on the session timeout, we aint gotta spam it none stop tbh

# PIN and Token Auth
hash_pins = false  # weather or not to use bcrypt for pin field (left off for dev work)
hash_tokens = false  # Same as above
pin_column = "pin_code"
token_column = "login_string"

# Rate Limiting, need i say more?
enable_rate_limiting = true  # Do yuo wahnt raten limitierung or not?

# If i have to explain these to you just dont use this software
auth_rate_limit_per_minute = 10000
auth_rate_limit_per_second = 50000

# api rape limitz
api_rate_limit_per_minute = 100000
api_rate_limit_per_second = 100000

# default query limits to avoid someone spamming quieries on a table with 271k rows
default_max_limit = 10000
default_max_where_conditions = 1000

# own user preferences level
# Determines what an user can do with their own little preference store
# - "read-own-only": kiosk ah ruling
# - "read-write-own": what you probably want for most users
# - "read-write-all": adminier maybe ?
default_user_settings_access = "read-write-own"

# define what tables exist
# known tables for wildcard permissions (*:rw) and to prevent SQL injection via table names cuz thats a thing
known_tables = [
    "users", "roles", "assets", "categories", "zones",
    "suppliers", "templates", "audit_tasks", "borrowers", 
    "lending_history", "audit_history", "maintenance_log",
    "asset_change_log", "issue_tracker", "issue_tracker_change_log",
    "physical_audits", "physical_audit_logs",
    "label_templates", "printer_settings", "print_history"
]

# tables you cant write or change using proxi in any way not even user overrides below
read_only_tables = ["asset_change_log", "issue_tracker_change_log", "print_history"]

# column names banned from being written to by default (this is however overwritable on a per table per column per user type schizo settings below)
global_write_protected_columns = [
    "id",
    "created_date",
    "created_at",
    "last_modified_date",
    "updated_at",
    "last_modified_at",
]

# note to myself how the rbac system kinda works
# Format: role_power contains both basic table rules and advanced column rules
# Basic rules: "table:permission" (r = read, w = write, rw = read+write, * = all tables (for like admins or smth))
# Advanced rules: "table.column:permission" for more granular column level control
# Column permissions: r = read, w = write, rw = read+write, block = blocked (obviously)
# Use "table.*:block" to block all columns, then "table.specific_column:r" to allow specific ones
# Use "table.*:r" to allow all columns, then "table.sensitive_column:block" to block specific ones

# In the future even more advaned rules called schizo_rules will be implemented where you can define sql logic based rules
# like "only allow access to rows where user_id = current_user_id" or "only allow access to assets where status != 'Stolen'"

# i let an llm comment on the crap below so i can understand what ive done in like 3 months when i forget everything

[permissions]

[permissions."100"]
# Admin - full access to everything
basic_rules = [
    "*:rw",  # Example of wildcard full access to all known tables
    "asset_change_log:r",  # More or less redundant but whatever
    "issue_tracker_change_log:r"  # Same as above
]
advanced_rules = [
    # Further granularity wow!
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
    "users.password_hash:block",
]
max_limit = 500
max_where_conditions = 50
session_timeout_minutes = 120  # Admins get longer sessions (2 hours)
max_concurrent_sessions = 5  # Admins can have more concurrent sessions
rollback_on_error = true  # Rollback batch operations on any error
allow_batch_operations = true  # Admins can use batch operations
user_settings_access = "read-write-all"  # Admins can modify any user's preferences

[permissions."75"]
# Manager - full asset management, limited user access
rollback_on_error = true  # Rollback batch operations on any error
allow_batch_operations = true  # Managers can use batch operations
basic_rules = [
    "assets:rw",
    "lending_history:rw", 
    "audit_history:rw",
    "maintenance_log:rw",
    "borrowers:rw",
    "categories:rw",
    "zones:rw",
    "suppliers:rw",
    "templates:rw",
    "audit_tasks:rw",
    "issue_tracker:rw",
    "physical_audits:rw",
    "physical_audit_logs:rw",
    "label_templates:rw",
    "printer_settings:rw",
    "print_history:r",
    "users:r",  # Basic read access, then restricted by advanced rules below
    "roles:r",
    "asset_change_log:r",
    "issue_tracker_change_log:r"
]
advanced_rules = [
    # Table-specific protected (same as admin)
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
    # Users table - can read most info but not sensitive auth data
    "users.password:block",
    "users.password_hash:block",
    "users.pin_code:block", 
    "users.login_string:block",
    "users.password_reset_token:block",
    "users.password_reset_expiry:block",
]
# Query limits (moderate for managers)
max_limit = 200
max_where_conditions = 20
user_settings_access = "read-write-own"  # Managers can only modify their own preferences

[permissions."50"]
# Staff - asset and lending management, NO user access
rollback_on_error = false  # Don't rollback batch operations on error (continue processing)
allow_batch_operations = true  # Staff can use batch operations
basic_rules = [
    "assets:rw",
    "lending_history:rw",
    "audit_history:rw",
    "maintenance_log:rw",
    "borrowers:rw",
    "categories:r",
    "zones:r",
    "suppliers:r",
    "templates:r",
    "audit_tasks:r",
    "issue_tracker:r",
    "physical_audits:r",
    "physical_audit_logs:r",
    "label_templates:r",
    "printer_settings:r",
    "print_history:r",
    "asset_change_log:r",
    "issue_tracker_change_log:r"
]
advanced_rules = [
    # Table-specific protected (same as admin/manager)
    "assets.asset_numeric_id:r",
    "assets.created_by:r",
    "assets.last_modified_by:r",
]
# No users table access for staff - security requirement
# Query limits (standard for staff)
max_limit = 100
max_where_conditions = 10
user_settings_access = "read-write-own"  # Staff can only modify their own preferences

[permissions."25"]
# Student - read-only access, no financial data, no user access, no change logs
rollback_on_error = true  # Rollback batch operations on any error
allow_batch_operations = false  # Students cannot use batch operations
basic_rules = [
    "assets:r",
    "lending_history:r",
    "borrowers:r",
    "categories:r",
    "zones:r"
]
advanced_rules = [
    # Assets table - hide financial and sensitive info
    "assets.price:block",
    "assets.purchase_date:block",
    "assets.supplier_id:block",
    "assets.warranty_expiry:block",
    # Borrowers table - hide personal contact info
    "borrowers.email:block",
    "borrowers.phone_number:block",
    "borrowers.notes:block"
]

# Query limits (restricted for students)
max_limit = 50
max_where_conditions = 5
user_settings_access = "read-own-only"  # Students can only read their own preferences, not modify