Backend for a secure document platform: Microsoft OAuth SSO, multi-strategy auth, SQL Server Dynamic Data Masking, a redacting logging interceptor, and a custom encryption + compression envelope for point-to-point payloads.
Institutional document workflows (oficios, memorandos) carry confidential fields, must survive audit, and need single sign-on against an existing Microsoft tenant. Plaintext fields in logs leak data; a single application user with full DB access defeats database-level confidentiality; a hand-rolled cipher alone isn't a credible security story. Securis layers four independent controls so each one carries its own piece of the model.
Four security layers, designed to compose:

- Microsoft OAuth + JWT. `passport-microsoft` authenticates against the Office 365 tenant; a JWT is issued for downstream API calls. Local and JWT strategies are also wired for service accounts.
- Custom point-to-point envelope. Payloads in transit are wrapped in a Huffman-coded framing protocol shared with the frontend. Trees are generated by the `huffman:generate` CLI and split between a frontend↔backend tree (`huffman-back`) and a backend↔database tree (`huffman-db`).
- SQL Server Dynamic Data Masking. Two database principals (`app_admin`, `app_user`) are provisioned with different masking access: application traffic flows through the masked principal, administrative paths through the unmasked one. Field-level confidentiality is enforced at the database, not at the application.
- Redacting logging interceptor. Sensitive fields are stripped from logs before they leave the request pipeline, so audit retention doesn't undo (1)-(3).
The encryption + compression envelope sits inside this layered model - its role is point-to-point payload obfuscation between frontend and backend, with the integrated confidentiality story carried by MS OAuth + SQL Server DDM + redacting logs.
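The redaction step of layer (4), as an added example that is not Securis' own code: a recursive redactor that an audit-logging interceptor would run over a request before handing it to the logger. The key list, the `buildLogEntry` helper and the sample request are assumptions for illustration; it also masks JWT-shaped strings found inside free-text values, which the page does not claim the project does.

```typescript
// Added example, not the project's code. Key names below are assumed; the
// project's real list of sensitive fields is not given on the page.
const SENSITIVE_KEYS: ReadonlySet<string> = new Set([
  "password", "newpassword", "token", "refreshtoken", "authorization", "cookie",
]);
const MASK = "[REDACTED]";
const MAX_DEPTH = 8;
// Bearer tokens leak through free-text fields too, so also mask by shape (header.payload.sig).
const JWT_RE = /eyJ[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g;

function redact(value: unknown, depth = 0, ancestors = new WeakSet<object>()): unknown {
  if (typeof value === "string") return value.replace(JWT_RE, MASK);
  if (value === null || typeof value !== "object") return value;
  if (depth > MAX_DEPTH) return "[TRUNCATED]";           // bound work on hostile nesting
  const obj = value as object;
  if (ancestors.has(obj)) return "[CIRCULAR]";           // cycles must not hang the logger
  ancestors.add(obj);
  let out: unknown;
  if (Array.isArray(obj)) {
    out = obj.map((v) => redact(v, depth + 1, ancestors));
  } else if (obj instanceof Date) {
    out = obj.toISOString();
  } else {
    const copy: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(obj as Record<string, unknown>)) {
      // Header and body keys match case-insensitively (Authorization vs authorization).
      copy[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? MASK : redact(v, depth + 1, ancestors);
    }
    out = copy;
  }
  ancestors.delete(obj);  // only true ancestors count as cycles; shared siblings are fine
  return out;
}

interface LogEntry { method: string; url: string; headers: unknown; body: unknown; }

// What the interceptor hands to the logger: a redacted copy, never the raw request.
function buildLogEntry(req: { method: string; url: string; headers: Record<string, unknown>; body: unknown }): LogEntry {
  return { method: req.method, url: req.url, headers: redact(req.headers), body: redact(req.body) };
}

// Constructed sample request (not real credentials or tokens).
const sample = {
  method: "POST", url: "/auth/login",
  headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl", "content-type": "application/json" },
  body: { username: "jdoe", password: "hunter2", profile: { refreshToken: "r1", note: "jwt eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl here" } },
};
console.log(JSON.stringify(buildLogEntry(sample)));
```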
| Layer | Tech |
|---|---|
| Framework | NestJS 11 |
| Language | TypeScript |
| ORM | Prisma + @prisma/adapter-mssql |
| DB | Microsoft SQL Server (with Dynamic Data Masking) |
| Auth | passport-microsoft (MS OAuth) + JWT + local strategies |
| Email | @nestjs-modules/mailer + Nodemailer (password reset, document delivery) |
| PDF | pdfkit + puppeteer + qrcode + pdf-password (electronic signatures) |
| Infra | Docker / docker-compose |
- Microsoft OAuth single sign-on (`passport-microsoft`), with JWT issuance for downstream calls
- Document lifecycle modules (`features/documents`) for oficios and memorandos
- Electronic signatures with QR codes; PDFs sealed via `pdfkit` + `pdf-password`
- Encryption module with Clean Architecture layout (`application`/`domain`/`infrastructure`/`presentation`) and a `huffman:generate` CLI
- SQL Server Dynamic Data Masking enforced at the data layer via two distinct DB principals
- Redacting logging interceptor (audit-safe logs)
- Shared point-to-point envelope protocol with the frontend (`devjaes/securis-web`)
```bash
pnpm install
cp .env.example .env    # MS OAuth keys + MSSQL connection + JWT secret
pnpm huffman:generate   # produce huffman-back / huffman-db trees
docker compose up -d    # SQL Server + dependencies
pnpm dev                # nest start --watch
```

Useful env vars: `DB_SERVER`, `DB_PORT` (1433), `DB_NAME`, separate `DB_USER_ADMIN` / `DB_USER` (DDM split), `MICROSOFT_CLIENT_ID/SECRET/TENANT_ID`, `JWT_SECRET`, `HUFFMAN_TREE_BACK_PATH`, `HUFFMAN_TREE_DB_PATH`.
- University capstone project. Single Microsoft tenant.
- No public demo (institutional auth required).
- Default branch is `develop` (active integration). `main` is held back for releases.
- My role: Lead Architect - system design, the four-layer security model, MS OAuth + DDM integration, project leadership.
- Contributors: Pablo Martinez (@SrPabvliss), Daniel Zhu (@Chu2409).
- Frontend repo: devjaes/securis-web