Authentication & Authorization
Intrex implements a comprehensive security model with JWT sessions, role-based access control, and database-level tenant isolation.
Authentication Flow
1. Sign In: Email + Password →
2. Verify: bcrypt compare →
3. Issue JWT: HS256 signed token →
4. Set Cookie: HTTP-only, Secure
JWT Session Management
Secure JWT-based sessions with 24-hour expiration. Tokens are signed with HS256 and stored in HTTP-only cookies.
Role-Based Access Control
Three-tier hierarchy: Head Office Admin, Branch Manager, and Operator. Each role has scoped permissions.
Row Level Security
Database-level tenant isolation using PostgreSQL RLS policies. Users can only access their tenant data.
Password Security
Passwords are hashed with bcrypt (configurable salt rounds) and verified with a constant-time comparison to prevent timing attacks.
User Roles
| Role | Permissions |
|---|---|
| Head Office Admin | |
| Branch Manager | |
| Operator | |
Session Management
Sessions are managed using JWT tokens with automatic refresh on each GET request:
```typescript
// Middleware refreshes sessions automatically
import { NextRequest, NextResponse } from 'next/server';
// Assumed import path for the project's JWT helpers (not stated on this page)
import { verifyToken, signToken } from '@/lib/auth/session';

export async function middleware(request: NextRequest) {
  const sessionCookie = request.cookies.get('session');
  const res = NextResponse.next();
  if (sessionCookie && request.method === 'GET') {
    try {
      const parsed = await verifyToken(sessionCookie.value);
      // Refresh session for another 24 hours
      const newDate = new Date(Date.now() + 24 * 60 * 60 * 1000);
      res.cookies.set({
        name: 'session',
        value: await signToken({ ...parsed, expires: newDate }),
        httpOnly: true,
        secure: true,
        sameSite: 'lax',
        expires: newDate,
      });
    } catch {
      // Invalid or expired token: drop the cookie instead of re-signing it
      res.cookies.delete('session');
    }
  }
  return res;
}
```
Required Environment Variables
| Variable | Description |
|---|---|
| AUTH_SECRET | 32+ character random string for JWT signing |
| POSTGRES_URL | Supabase PostgreSQL connection string |
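The HS256 sign/verify/refresh cycle that the middleware above relies on, as an added example that is not Intrex's own code. It assumes a payload claim named `exp` (seconds since the epoch), a constructed secret in place of `AUTH_SECRET`, and Node's built-in `crypto` module; it also enforces the 32-character minimum the variable table requires and pins the algorithm so a token claiming a different `alg` is rejected.

```typescript
import * as crypto from "node:crypto";

// Constructed secret for this example; in the app it comes from AUTH_SECRET (32+ chars).
const SECRET = "example-only-secret-with-at-least-32-characters";
const SESSION_TTL_SEC = 24 * 60 * 60; // 24-hour session lifetime

const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const hmac = (data: string, secret: string): string =>
  crypto.createHmac("sha256", secret).update(data).digest("base64url");

// Sign a payload as an HS256 JWT: base64url(header).base64url(payload).HMAC-SHA256.
export function signToken(payload: Record<string, unknown>, secret = SECRET): string {
  if (secret.length < 32) throw new Error("AUTH_SECRET must be at least 32 characters");
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${header}.${body}.${hmac(`${header}.${body}`, secret)}`;
}

// Verify the signature in constant time, pin the algorithm, and enforce `exp`.
// Returns the payload, or null for anything that must not be trusted.
export function verifyToken(token: string, nowSec: number, secret = SECRET): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts as [string, string, string];
  const expected = Buffer.from(hmac(`${header}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString());
    if (hdr.alg !== "HS256") return null; // never honour "none" or a different alg
    const payload = JSON.parse(Buffer.from(body, "base64url").toString());
    if (typeof payload.exp !== "number" || payload.exp <= nowSec) return null;
    return payload;
  } catch {
    return null;
  }
}

// Mirrors the middleware rule: only a GET with a valid session yields a fresh 24-hour token.
export function refreshSession(token: string | undefined, method: string, nowSec: number): string | null {
  if (!token || method !== "GET") return null;
  const parsed = verifyToken(token, nowSec);
  if (!parsed) return null;
  return signToken({ ...parsed, exp: nowSec + SESSION_TTL_SEC });
}
```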