Logotipo Hedhog

Get Hedhog updates in your inbox

New releases, fresh recipes, and breaking changes — no spam.

Back to Core modulesWired in CoreModule
security module screenshot

Core Submodule

security

Exposes reusable security primitives consumed by other modules.

Source path: libraries/core/src/security

Module file: security.module.ts

Introduction

The Security submodule is an internal utility module that provides shared cryptographic primitives and security abstractions consumed by other Core submodules. It has no HTTP controller and exposes no public endpoints — it exists entirely as a set of injectable NestJS services that other modules depend on.

Password operations use bcrypt with a configurable cost factor. All password storage and comparison throughout the platform — user creation, password resets, profile password changes — goes through a single PasswordService, ensuring one auditable implementation that can be updated in one place when security requirements change.

JWT signing for access tokens, refresh tokens, MFA pending tokens, and file access tokens all use a centralized token service that manages secret rotation awareness and enforces algorithm selection (RS256 or HS256 depending on deployment configuration). This prevents ad-hoc token creation scattered across individual modules and ensures all tokens are issued and verified consistently.

Short-lived challenge tokens used in email verification, MFA setup flows, and WebAuthn ceremonies are generated and validated here. A challenge token encodes a purpose (email-verify, totp-add, webauthn-register), a payload, an expiry timestamp, and an HMAC signature. The purpose binding prevents a challenge token from being reused across different flows even if the raw value is captured by an attacker.

File access token payloads are encrypted using symmetric encryption from the Security module. The encryption service is consumed by the File submodule's signed URL generation and decryption endpoints, keeping cryptographic implementation details isolated from the File submodule's business logic.

WebAuthn operations — attestation verification during registration and assertion verification during login or MFA — are handled through a WebAuthn service that wraps the ceremony complexity behind a simple interface. All Security services are registered in NestJS's dependency injection container and exported from SecurityModule, so consumers declare a simple constructor injection without accessing cryptographic primitives directly.

HTTP Endpoints

No dedicated controller endpoints found for this submodule.

MCP Tools

No MCP tools mapped for this submodule.