Data Stores (In Scope)
| Store | Technology | Purpose | Access Control |
|---|---|---|---|
| Supabase (Auth + Postgres) | Hosted PostgreSQL/Auth | User identity, sessions, OAuth connection records | Row-Level Security (RLS), service-role controls, TLS in transit |
| Browser Session Context | httpOnly auth cookies/session state | Session continuity for authenticated web requests | Cookie/session controls via auth platform; HTTPS transport |
Data Categories (Web Auth)
1. Authentication Credentials
Classification: Critical
| Attribute | Detail |
|---|---|
| Data types | OAuth access/refresh tokens (Google), Supabase JWT access/refresh tokens, server-side auth secrets |
| Storage | Supabase connection/auth tables and server-side environment variables |
| Encryption | OAuth tokens encrypted at rest (AES-256-GCM) and TLS in transit |
| Access | RLS per-user access; service role restricted to trusted server-side contexts |
| Retention | Until disconnect, account deletion, or token rotation/expiry |
2. Identity and Profile Data
Classification: Sensitive
| Attribute | Detail |
|---|---|
| Data types | Name, email address, phone verification state, timezone, profile metadata needed by web auth/account settings |
| Storage | Supabase profiles and auth-linked identity records |
| Encryption | TLS in transit; platform-managed encryption at rest |
| Access | RLS ownership enforcement for user-scoped access |
| Retention | Until account deletion or user-initiated profile removal |
3. OAuth Connection Metadata
Classification: Sensitive
| Attribute | Detail |
|---|---|
| Data types | Provider account identifiers, granted scopes, token expiry metadata, connection state |
| Storage | Supabase provider connection tables |
| Encryption | TLS in transit; sensitive token fields encrypted at rest |
| Access | RLS per-user; server-side access only for token refresh/exchange logic |
| Retention | Until user disconnects provider or deletes account |
4. Auth Operational Metadata
Classification: Internal
| Attribute | Detail |
|---|---|
| Data types | Auth request outcomes, rate-limit outcomes, security event metadata (without credentials) |
| Storage | Auth provider/web operational logs |
| Encryption | TLS in transit to logging/monitoring systems |
| Access | Restricted operational/admin access |
| Retention | Per platform and operational retention policy |
Protection Level Summary
| Level | Examples | Baseline Protection Requirements |
|---|---|---|
| Critical | OAuth tokens, session tokens, auth secrets | Strong encryption at rest (AES-256-GCM for persisted OAuth token fields) and TLS in transit, strict least-privilege access, never written to logs, rotation controls |
| Sensitive | Identity/profile data, OAuth connection metadata | RLS ownership checks, TLS transport, minimized exposure, retention controls |
| Internal | Auth operational metadata | Restricted access, no credential content, controlled retention |
Control Mapping (Web Auth)
| Control Area | Web Auth Requirement |
|---|---|
| Encryption at Rest | OAuth token fields encrypted using AES-256-GCM in persistence layer |
| Encryption in Transit | TLS required for browser-to-web, web-to-supabase, and web-to-provider communication |
| Access Control | RLS ownership model for user-scoped data; service role limited to server-side trusted paths |
| Secret Handling | Secrets and keys held in server-side environment variables only; never exposed to client-side code or browser-delivered bundles |
| Retention/Lifecycle | Tokens and provider links retained only while active; removed on disconnect/deletion |
| Abuse Protection | Rate-limiting and anti-automation controls on auth-sensitive endpoints |