Security & Session Management

Engineering data is critical infrastructure. A drill plan handed to a site operator must be exactly what the design engineer approved — no corrupted saves, no mid-session data loss, no unauthorized access. BlastCAD’s security architecture is built around this principle.

Table of contents

  1. Authentication
    1. JWT (JSON Web Tokens)
    2. Two-Factor Authentication (2FA)
    3. Rate Limiting
    4. Registration & Password Delivery
  2. AuthGuard — Session Protection
    1. How AuthGuard Works
    2. The Lockdown Sequence
  3. Auto-Save & Recovery
  4. Role-Based Access Control
    1. Admin Panel
  5. Block Model Import Security
  6. Session Hygiene
  7. Security Best Practices

Authentication

JWT (JSON Web Tokens)

BlastCAD uses JWT (JSON Web Token) authentication for all API communication. On a successful login:

  1. The server issues a signed JWT containing your user identity and expiration timestamp.
  2. The token is stored securely in browser localStorage under the key blastcad_token.
  3. Every subsequent API request attaches the token in the Authorization: Bearer <token> header.
  4. The server validates the signature and expiration on every request — no session state is maintained server-side.

Token lifetime: 1440 minutes (24 hours) from login.

Two-Factor Authentication (2FA)

BlastCAD supports TOTP (Time-based One-Time Password) two-factor authentication, compatible with any standard authenticator app (Google Authenticator, Authy, Microsoft Authenticator, 1Password, etc.).

Enabling 2FA:

  1. Go to User Menu → Profile Settings → Security.
  2. Click Enable 2FA.
  3. Scan the displayed QR code with your authenticator app.
  4. Enter the first 6-digit code to confirm pairing.
  5. Store the backup codes in a secure location.

Once enabled, every login requires both your password and the current TOTP code. Enabling 2FA is strongly recommended for admin accounts.

Disabling 2FA:

  • Go to Profile Settings → Security → Disable 2FA.
  • Requires your current TOTP code to confirm.

Rate Limiting

Login attempts are rate-limited to 5 requests per minute per IP address. Exceeding this limit returns 429 Too Many Requests. This prevents brute-force credential attacks.

Registration is rate-limited to 3 requests per hour per IP address.

Registration & Password Delivery

When a new user registers (or is created by an admin), BlastCAD generates a random, strong password and emails it to the user’s address. There is no user-chosen password at registration. This design means:

  • The user must have access to their email inbox before they can log in.
  • A correct login with the emailed password implicitly confirms email delivery — no separate verification link is required.
  • If a user forgets their password, they cannot self-reset. They must contact their administrator, who can generate and email a new password from the Admin Panel.

There is no “Forgot Password” link on the login page — this is intentional.


AuthGuard — Session Protection

The most dangerous failure mode in a CAD application is the “ghost login”: the server’s JWT has expired, but the UI remains fully active. Any save attempt with an expired token results in a 401 Unauthorized response — and potentially hours of unsaved work are lost.

BlastCAD eliminates this risk with AuthGuard — a client-side sentry that sits between every API call and the server.

How AuthGuard Works

Every HTTP response from the backend passes through a centralized Axios interceptor:

Client → API Request → Server
Server → Response → Axios Interceptor
                         ↓
                   HTTP 200? → Process normally
                   HTTP 401? → Trigger AuthGuard lockdown
                   HTTP 403? → Show "Access Denied" message

The Lockdown Sequence

When a 401 Unauthorized response is intercepted:

  1. Global state update: isSessionExpired = true is set in the application store.
  2. Interface freeze: A full-screen, blurred overlay locks the entire workspace. No further user actions or API calls are possible.
  3. Data preservation: The complete current project state (all holes, CAD entities, charges, layers) remains intact in memory — frozen but not lost.
  4. Re-authentication prompt: A modal prompts the user to log back in. The session recovery does not require a page reload.
  5. Seamless resume: Once the new token is issued, the overlay is dismissed and the workspace is exactly as it was before the token expired.

No data loss by design. The AuthGuard lockdown is triggered by any 401 response — including token expiry during a long design session. Engineers can safely work for up to 24 hours before needing to re-authenticate.
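The lockdown sequence above, as an added example that is not BlastCAD's own code: a minimal synchronous model of the AuthGuard response interceptor, written without Axios so it runs anywhere. The `store` object (token, `isSessionExpired` flag, project state) and the `send` transport are assumed stand-ins for the application store and HTTP client.

```javascript
// Added example (not BlastCAD's code): AuthGuard modelled as a response interceptor.
// `store` and `send` are assumptions standing in for the app store and the HTTP transport.
function createAuthGuard(store, send) {
  const parked = []; // requests that hit a 401, or arrived while the workspace was locked

  function request(req) {
    // Interface freeze: while locked, nothing reaches the server; the call simply waits.
    if (store.isSessionExpired) {
      parked.push(req);
      return { parked: true };
    }
    const res = send({ ...req, headers: { Authorization: `Bearer ${store.token}` } });
    if (res.status === 401) {
      // Global state update: the UI renders the blurred overlay off this flag.
      // Data preservation: nothing in `store.project` is touched, so nothing is lost.
      store.isSessionExpired = true;
      parked.push(req);
      return { parked: true };
    }
    if (res.status === 403) {
      store.notice = 'Access Denied';
      return { denied: true };
    }
    return { ok: true, data: res.data };
  }

  // Re-authentication + seamless resume: the fresh token lifts the lockdown and
  // replays parked requests in their original order, with no page reload.
  // If a replayed request is itself refused, the guard locks down again.
  function resume(newToken) {
    store.token = newToken;
    store.isSessionExpired = false;
    return parked.splice(0).map(request);
  }

  return { request, resume, pendingCount: () => parked.length };
}
```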


Auto-Save & Recovery

Even AuthGuard’s lockdown cannot protect against browser crashes or accidental tab closure. BlastCAD mitigates this with IndexedDB auto-save:

  • Every significant state change (hole added, entity modified, charge applied) is persisted to the browser’s local IndexedDB recovery database.
  • On next launch, if a recovery snapshot is detected, BlastCAD prompts: “A previous session was detected. Would you like to recover it?”
  • Accepting restores the full project state including all holes, CAD entities, and charges.

The recovery snapshot is automatically deleted when you explicitly save a .bcp file or clear the project.


Role-Based Access Control

BlastCAD supports two user roles:

Role   Capabilities
-----  ----------------------------------------------------------------------
User   Full access to design, import/export, database management, and analytics
Admin  All user capabilities + user management and account administration

Admin Panel

Admin accounts can access the Admin Panel from the top bar. It provides user management and account administration capabilities. Contact your administrator if you need access provisioned, your password reset, or your 2FA cleared.


Block Model Import Security

Datamine block models are processed entirely client-side via a Web Worker to avoid uploading potentially confidential geological data to the server. However, the processed index must be securely stored. BlastCAD handles this with:

  1. HMAC token request: Before saving a processed model, the client requests a time-limited HMAC token from the server (POST /api/import/request_model_token).
  2. Timestamp verification: The token contains a timestamp. The server rejects any save request with a token older than 5 minutes.
  3. Signature verification: The server verifies the HMAC signature before accepting the processed model data.

This ensures that even though processing is client-side, only authenticated, time-valid sessions can persist model data.


Session Hygiene

On explicit logout:

  1. The JWT token is removed from localStorage.
  2. The IndexedDB recovery snapshot is cleared.
  3. All in-memory project state is reset.
  4. The browser is redirected to the login page.

No sensitive project data persists in the browser after logout. This is particularly important on shared workstations.


Security Best Practices

Recommendation                                      Reason
--------------------------------------------------  ---------------------------------------------------------
Enable 2FA on all accounts                          Prevents credential-only attacks
Use Chrome or Edge in a dedicated browser profile   Isolates BlastCAD sessions from other browser tabs
Do not share login credentials                      Audit logs track actions per user account
Save .bcp files regularly                           Supplements auto-save with explicit version snapshots
Log out when leaving a shared workstation           Prevents unauthorized access to an unlocked session
Keep the browser updated                            WebGL2 security patches are delivered via browser updates


BlastCAD © 2026 — All rights reserved.

Command the rock.