NoorinaLabs Exposes Critical Security Flaw: User PII Stored in Graph Database with No Isolation
A critical architectural flaw has been exposed within NoorinaLabs' core infrastructure. Sensitive user data, including personally identifiable information (PII), authentication tokens, and session details, is currently stored as `USER` nodes within the company's primary `noorinalabs-isnad-graph` Neo4j database. This design fundamentally misuses a graph database—intended for traversing relationships like hadith chains—as a relational user management system, creating a severe security and compliance risk. The lack of a service boundary means a single vulnerability in the graph query layer could expose the entire user dataset.
The problem is systemic. All user-related functions—authentication middleware, session tracking, email verification, and subscription management—are embedded directly into the isnad-graph API. This creates a monolithic architecture where PII has no isolation from the application's core hadith and narrator data. The current setup violates basic security principles by commingling sensitive personal data with non-sensitive application data in a database not designed for secure user storage.
In response, NoorinaLabs has initiated a major security refactor. The solution is to extract all user functionality into a new, dedicated service named `noorinalabs-user-service`. This service will run on a PostgreSQL database, providing the relational structure and isolation that PII requires. The standalone FastAPI service will handle all user, authentication, role-based access control (RBAC), and session operations, creating a clear security boundary. This move is a direct attempt to mitigate the identified risk and establish proper data governance, though the transition period itself may introduce new operational complexities.
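One guardrail a team can add while such a boundary is being built, as an added example that is not NoorinaLabs code: a small Python lint that scans the Cypher queries shipped with the isnad-graph API and flags any reference to labels or relationship types that now belong to the user service. The forbidden label set and the sample queries are constructed assumptions for the example.

```python
import re

# Labels and relationship types the isnad-graph query layer must no longer
# touch once user data lives in noorinalabs-user-service. This set is an
# assumption for the example; populate it from the real graph schema.
FORBIDDEN_LABELS = {"USER", "SESSION", "AUTH_TOKEN"}

# String literals and comments are blanked out first so that ":USER" inside a
# quoted note or a comment does not count as a label reference. One regex,
# applied left to right, so whichever construct starts first wins.
_SKIP_RE = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|//[^\n]*|/\*.*?\*/", re.DOTALL
)

# A label or type reference: ':' (or '|' / '&' inside a label expression such
# as :Narrator|`USER`) followed by an identifier or a backtick-quoted name.
# Map keys ({email: $email}) place the colon after the key, and parameters
# start with '$', so neither matches. A bare identifier used as a map value
# can still match, which at worst yields a false positive, never a miss.
_LABEL_RE = re.compile(r"[:|&]\s*(`[^`]+`|[A-Za-z_][A-Za-z0-9_]*)")


def label_refs(cypher: str) -> set[str]:
    """Return every label / relationship-type name referenced by the query."""
    cleaned = _SKIP_RE.sub(" ", cypher)
    return {m.group(1).strip("`") for m in _LABEL_RE.finditer(cleaned)}


def forbidden_refs(cypher: str) -> set[str]:
    """Names in the query that belong to the user service (case-insensitive)."""
    return {name for name in label_refs(cypher) if name.upper() in FORBIDDEN_LABELS}


def check_queries(queries: dict[str, str]) -> dict[str, set[str]]:
    """Map each offending query name to its violations; empty dict means clean."""
    return {name: v for name, q in queries.items() if (v := forbidden_refs(q))}


# Constructed sample queries, not taken from the NoorinaLabs code base.
SAMPLE_QUERIES = {
    "narrator_chain": "MATCH (h:Hadith)-[:NARRATED_BY*1..5]->(n:Narrator) RETURN n.name",
    "login_lookup": "MATCH (u:USER {email: $email}) RETURN u.password_hash, u.session_token",
    "mixed_labels": "MATCH (p:Narrator|`USER`) WHERE p.id = $id RETURN p",
    "only_in_string": "MATCH (n:Narrator) WHERE n.note = 'see :USER' RETURN n  // :USER here",
}

if __name__ == "__main__":
    for name, labels in check_queries(SAMPLE_QUERIES).items():
        print(f"{name}: touches user-service data via {sorted(labels)}")
```

Run it as a CI step over the API's query files; a non-empty result means the graph service still reaches across the boundary the refactor is meant to establish.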