Securities
Overview
Security is a core design principle across both the LifePass App and LifePass Studio platforms. Our APIs are protected through multiple layers to ensure that only authorized users and services can access sensitive resources, including smart assets, personal data, and administrative endpoints.
APIs
To access the application endpoints, users must authenticate via a session-based system. Upon login, each user receives a pair of tokens:
Access Token
Lifespan: 15 minutes
Purpose: Limits the exposure time of a token. Short lifespans reduce the risk of token theft and impersonation. Users regularly renew their tokens, which proves ongoing authenticity.
Refresh Token
Lifespan: 3 days
Purpose: Automatically regenerates the access token every 15 minutes. Each regeneration also refreshes the refresh token itself. If the refresh token expires without renewal (i.e., no activity for over 3 days), the user is logged out and must generate a new token pair.
The combination of short-lived access tokens with refresh tokens ensures a secure and continuous authentication flow, minimizing the impact of any potential credential compromise.
Advanced Anti-Bot Protection
To protect against automated attacks, spam, and brute-force attempts, we implement a custom Anti-Bot Guard at the middleware level in our backend (NestJS). This system monitors requests in real time and applies multi-dimensional security checks:
IP-based limits: restricts the number of requests per IP per hour.
Email & phone limits: prevents rapid attempts with the same credentials.
Request fingerprinting: combines headers such as user-agent, language, and connection info to generate a unique client fingerprint. Limits are applied per fingerprint.
Progressive blocking: repeated violations trigger increasing temporary blocks, escalating from 30 minutes to 24 hours.
Mass attack detection: if an unusually high volume of requests is detected within a short time frame (e.g., >500 in 1 hour), the service can temporarily suspend all new attempts.
This multi-layered approach ensures that legitimate users are minimally impacted while automated attacks are neutralized before reaching critical endpoints.
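The per-IP, per-identifier and per-fingerprint limits with progressive blocking described above, as an added TypeScript sketch that is not LifePass's own code. The class and function names, the per-hour limits and the doubling schedule between the page's 30-minute and 24-hour bounds are assumptions.

```typescript
// Added example; names, per-hour limits and the doubling schedule are assumptions.
type Limits = { ip: number; id: number; fp: number };
type HeaderMap = Record<string, string | undefined>;
type Decision = { allowed: boolean; blockedBy?: string; retryAfterMs?: number };
const HOUR = 60 * 60 * 1000;
const MIN_BLOCK = 30 * 60 * 1000; // first block: 30 minutes (from the page)
const MAX_BLOCK = 24 * HOUR;      // ceiling: 24 hours (from the page)
// Join normalized headers into one client key (Node lower-cases header names).
function fingerprint(h: HeaderMap): string {
  return ["user-agent", "accept-language", "connection"]
    .map((k) => (h[k] ?? "").trim().toLowerCase()).join("|");
}

class AntiBotGuard {
  private hits = new Map<string, number[]>();
  private blocks = new Map<string, { until: number; strikes: number }>();
  private limits: Limits;
  constructor(limits: Limits) { this.limits = limits; }
  // `identifier` is the email or phone number submitted with the request.
  check(ip: string, identifier: string, headers: HeaderMap, now: number): Decision {
    const keys: [string, number][] = [
      [`ip:${ip}`, this.limits.ip],
      [`id:${identifier.trim().toLowerCase()}`, this.limits.id],
      [`fp:${fingerprint(headers)}`, this.limits.fp],
    ];
    // An active block on any dimension rejects the request before it is counted.
    for (const [key] of keys) {
      const b = this.blocks.get(key);
      if (b && b.until > now) return this.deny(key, b.until - now);
    }
    for (const [key, limit] of keys) {
      const recent = (this.hits.get(key) ?? []).filter((t) => now - t < HOUR);
      recent.push(now);
      this.hits.set(key, recent);
      if (recent.length > limit) {
        // Strikes persist after a block expires, so repeat offenders escalate.
        const strikes = (this.blocks.get(key)?.strikes ?? 0) + 1;
        const duration = Math.min(MIN_BLOCK * 2 ** (strikes - 1), MAX_BLOCK);
        this.blocks.set(key, { until: now + duration, strikes });
        this.hits.delete(key);
        return this.deny(key, duration);
      }
    }
    return { allowed: true };
  }
  private deny(key: string, retryAfterMs: number): Decision {
    return { allowed: false, blockedBy: key.split(":")[0], retryAfterMs };
  }
}
```

In a NestJS guard or middleware, `check` would be called with the request's IP, submitted email or phone number, headers and `Date.now()`, and a denied decision would map to an HTTP 429 response carrying `retryAfterMs`.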
CORS Protection
All frontend calls are protected via CORS policies, preventing web interfaces served from unauthorized origins from interacting with our APIs through the browser. This ensures that only legitimate frontend clients can consume our endpoints.
User Authentication System
We use a passwordless authentication system to reduce the risk of stolen credentials while improving user experience:
The user enters their email address or phone number.
A one-time password (OTP) is sent via email or SMS.
The user submits the OTP to verify email/phone number ownership.
This approach reduces the attack surface for credential theft while maintaining a seamless login experience.
Environment Configuration
Security-related configurations are managed via environment variables (.env), ensuring sensitive keys, token lifespans, and rate-limiting thresholds are not hardcoded, further strengthening operational security.