Authentication layers
| Layer | Mechanism | Purpose |
|---|---|---|
| Dashboard | Clerk JWT (middleware) | User identity |
| Admin panel | Role check in DB | Authorization |
| Control plane API | API keys (hashed, Bearer header) | Programmatic access |
| VPS agent API | Bearer token (constant-time comparison) | Internal communication |
| Database connections | PgBouncer userlist (per-database credentials) | Tenant isolation |
Credential management
- Database passwords: Generated with
secrets.token_urlsafe(32)(256 bits of entropy) - API keys: Hashed with SHA-256 before storage. Only the prefix is stored in plaintext.
- Agent API key: Shared secret between Vercel and VPS, stored as env vars on both sides
- Postgres superuser password: Only on the VPS, never transmitted to Vercel
SQL injection prevention
- Agent (Python): Uses
psycopg.sql.Identifierandsql.Literalfor all DDL statements. No string interpolation. - Control plane (TypeScript): Drizzle ORM generates parameterized queries. No raw SQL.
Command injection prevention
Backup operations useasyncio.create_subprocess_exec() which accepts an argument list rather than a shell string. Database names are validated against ^[a-z][a-z0-9_]{0,62}$ before use in any filesystem or subprocess operation.
Path traversal prevention
- Database names validated with strict regex before constructing file paths
- Backup directory paths are resolved with
Path.resolve()and checked against the base directory
Process isolation
The agent systemd service runs as theubuntu user, listens only on localhost (127.0.0.1:8420), and auto-restarts on failure. Caddy handles TLS termination and public access on port 443.
Network security
- PostgreSQL listens on localhost only (port 5432)
- Agent listens on localhost only (port 8420), behind Caddy reverse proxy
- PgBouncer is the only public database port (6432)
- Caddy provides auto-TLS via Let’s Encrypt for the agent API
- All control plane to VPS communication is HTTPS
Recommendations
- Restrict PgBouncer port (6432) to known IP ranges in the Lightsail firewall
- Rotate the VPS agent API key periodically
- Enable Clerk MFA for admin accounts
- Monitor the audit log for suspicious activity