Granular control, complete audit, encryption at rest.
151 dashboard permissions, RBAC with customizable roles, AuditLog with complete diff, AES-256-GCM encryption of credentials. LGPD ready.
| Feature | What is being protected |
| --- | --- |
| 151 | dashboard permissions |
| AES-256-GCM | sensitive data |
| TLS 1.3 | in transit |
| LGPD | native export + delete |
RBAC with Customizable Roles
4 default roles (Admin, Finance, Operations, View). Create custom roles combining any permission.
- DashboardRole per organization
- DashboardUserToRole many-to-many
- Inheritance via groups
- API for automation
Multi-Method Authentication
NextAuth with Google OAuth (admin), Kobana OAuth (dashboard/portal), magic link (portal), password + optional 2FA.
- Sessions with configurable timeout
- Failed login attempts auto-block
- Recovery codes for 2FA
Encryption at Rest
lib/crypto.ts with AES-256-GCM. Applied to gateway credentials, NFe.io API key, webhook secrets, certificate PFX, portal tokens.
- 32-byte key in environment variable
- Unique IV per encrypt
- Authentication tag verifies integrity
- safeDecrypt for gradual migration
TLS 1.3 in Transit
All communication HTTPS mandatory. HSTS enabled. Optional certificate pinning for SDKs.
- HTTPS mandatory
- HSTS enabled
- Optional certificate pinning
Detailed AuditLog
Every mutation recorded with userEmail, ipAddress, userAgent, action, resourceType, resourceId, previousValues, newValues.
- 200+ tracked action types
- Configurable retention (default 2 years)
- Export to SIEM
- Immutable (append-only)
Internal Events (Event Model)
Additional tracking layer. Each state change generates an Event for webhook delivery and replay.
- Persisted per organization
- Filter by type, resource, period
- Retry API
Idempotency in Mutations
Idempotency-Key header accepted in all mutations. Unique column in subscription_item_changes and critical tables.
- Prevents duplication on network retry
- Configurable TTL
- Same key returns same response
2FA (TOTP)
Compatible with Google Authenticator, Authy, Microsoft Authenticator. Optional per user; can be made mandatory per role.
- Recovery codes (10 single-use codes)
- Renewal via dashboard
- Usage notification
LGPD Compliance
DataPurgeService implements the right to be forgotten. ExportService generates complete dump.
- data-purge worker executes scheduled deletion
- Soft delete + anonymization preserving tax history
- Consent record in metadata
- Configurable retention
Signed Webhooks
All webhooks signed with HMAC-SHA256. Encrypted secret. Timing-safe validation.
- X-Kobana-Signature header
- HMAC-SHA256 algorithm
- Replay protection via timestamp
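The receiving side of the scheme above, as an added illustration and not Kobana's published code: HMAC-SHA256 over the raw body, a timing-safe comparison, and a timestamp window that rejects replays. The exact wire format is assumed here (hex signature computed over `${timestamp}.${rawBody}`, timestamp carried as a separate header value, 300-second tolerance); check the real contract against the API documentation.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Assumed replay window in seconds (illustrative value, not a Kobana default).
const TOLERANCE_SECONDS = 300;

type VerifyResult = "ok" | "bad_signature" | "stale_timestamp" | "malformed";

// Assumed signing rule: hex(HMAC-SHA256(secret, `${timestamp}.${rawBody}`)).
// Binding the timestamp into the MAC means an attacker cannot refresh an old
// capture by editing the timestamp header alone.
function signPayload(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

// Verify against the raw request body exactly as received; re-serialising
// parsed JSON would change whitespace or key order and break the MAC.
function verifyWebhook(
  secret: string,
  rawBody: string,
  signatureHeader: string | undefined,
  timestampHeader: string | undefined,
  now: number = Math.floor(Date.now() / 1000),
): VerifyResult {
  if (!signatureHeader || !timestampHeader) return "malformed";
  const timestamp = Number(timestampHeader);
  if (!Number.isInteger(timestamp)) return "malformed";

  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  // Buffer.from silently truncates malformed hex, so a length check is
  // required before timingSafeEqual (which throws on unequal lengths).
  const received = Buffer.from(signatureHeader, "hex");
  if (received.length !== expected.length) return "bad_signature";
  if (!timingSafeEqual(expected, received)) return "bad_signature";

  // Replay protection: only an authentically signed message reaches this
  // point, so the timestamp can now be trusted for the freshness check.
  if (Math.abs(now - timestamp) > TOLERANCE_SECONDS) return "stale_timestamp";
  return "ok";
}

// Constructed sample delivery (not real Kobana traffic).
const SAMPLE_SECRET = "whsec_constructed_example";
const SAMPLE_BODY = '{"event":"invoice.paid","id":"inv_constructed_001"}';
const SAMPLE_TS = 1700000000;
const SAMPLE_SIG = signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY);
console.log(verifyWebhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG, String(SAMPLE_TS), SAMPLE_TS + 10));
```

In a Next.js route handler the body must be read as text before any JSON parsing so the bytes that were signed are the bytes that get verified.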
IP Allowlist (Enterprise)
RateLimitConfig per API key supports IP restriction. Country blocking via IP geolocation.
- IP restriction
- Country blocking
- Enterprise only
Rate Limiting
Limits per API key and endpoint. RateLimiterService uses Redis for distributed counters.
- Default 100 req/s per org
- Configurable burst
- 429 with Retry-After
Create custom role via API

```bash
curl -X POST https://api.billing.kobana.com.br/v1/dashboard-roles \
  -H "Authorization: Bearer sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Support Operator",
    "slug": "support-operator",
    "description": "Can see everything and answer questions, cannot touch finances",
    "permissions": [
      "billing.dashboard.customers.list",
      "billing.dashboard.customers.show",
      "billing.dashboard.subscriptions.list",
      "billing.dashboard.subscriptions.show",
      "billing.dashboard.invoices.list",
      "billing.dashboard.invoices.show",
      "billing.dashboard.audit.list"
    ]
  }'
```

Response:

```json
{
  "id": "role_xyz",
  "slug": "support-operator",
  "permissions_count": 7,
  "users_count": 0
}
```