@benzid.wael/secure-vault 0.0.1

package/src/electron/services/MenuService.js

@@ -0,0 +1,110 @@
+import electron from 'electron';
+
+const { Menu } = electron;
+
+export class MenuService {
+  constructor() {
+    this.mainWindow = null;
+  }
+
+  createMenu(mainWindow) {
+    this.mainWindow = mainWindow;
+
+    const template = [
+      {
+        label: 'File',
+        submenu: [
+          {
+            label: 'New Vault',
+            accelerator: 'CmdOrCtrl+N',
+            click: () => {
+              this.sendMenuEvent('menu-new-vault');
+            },
+          },
+          {
+            label: 'Open Vault',
+            accelerator: 'CmdOrCtrl+O',
+            click: () => {
+              this.sendMenuEvent('menu-open-vault');
+            },
+          },
+          {
+            label: 'Import Vault…',
+            accelerator: 'CmdOrCtrl+I',
+            click: () => {
+              this.sendMenuEvent('menu-import-vault');
+            },
+          },
+          { type: 'separator' },
+          {
+            label: 'Lock Vault',
+            accelerator: 'CmdOrCtrl+L',
+            click: () => {
+              this.sendMenuEvent('menu-lock-vault');
+            },
+          },
+          { type: 'separator' },
+          {
+            label: 'Configuration',
+            accelerator: 'CmdOrCtrl+S',
+            click: () => {
+              this.sendMenuEvent('menu-configuration');
+            },
+          },
+          { type: 'separator' },
+          { role: 'quit' },
+        ],
+      },
+      {
+        label: 'Edit',
+        submenu: [
+          { role: 'undo' },
+          { role: 'redo' },
+          { type: 'separator' },
+          { role: 'cut' },
+          { role: 'copy' },
+          { role: 'paste' },
+        ],
+      },
+      {
+        label: 'View',
+        submenu: [
+          { role: 'reload' },
+          { role: 'forceReload' },
+          { role: 'toggleDevTools' },
+          { type: 'separator' },
+          { role: 'resetZoom' },
+          { role: 'zoomIn' },
+          { role: 'zoomOut' },
+          { type: 'separator' },
+          { role: 'togglefullscreen' },
+        ],
+      },
+      {
+        label: 'Window',
+        submenu: [{ role: 'minimize' }, { role: 'close' }],
+      },
+    ];
+
+    const menu = Menu.buildFromTemplate(template);
+    Menu.setApplicationMenu(menu);
+  }
+
+  sendMenuEvent(eventName) {
+    if (this.mainWindow && !this.mainWindow.isDestroyed()) {
+      this.mainWindow.webContents.send(eventName);
+    }
+  }
+
+  updateMenu(menuItems) {
+    // Method to dynamically update menu items
+    // This can be used to enable/disable menu items based on application state
+    if (this.mainWindow && !this.mainWindow.isDestroyed()) {
+      // Implementation for dynamic menu updates
+    }
+  }
+
+  setMainWindow(mainWindow) {
+    this.mainWindow = mainWindow;
+  }
+}

package/src/electron/services/SecurityManager.js

@@ -0,0 +1,109 @@
+export class SecurityManager {
+  constructor() {
+    this.securityPolicies = new Map();
+  }
+
+  setupSecurityPolicies() {
+    // Define security policies
+    this.securityPolicies.set('windowCreation', 'deny');
+    this.securityPolicies.set('externalNavigation', 'deny');
+    this.securityPolicies.set('remoteContent', 'deny');
+  }
+
+  handleWebContentsCreated(contents) {
+    // Prevent new window creation
+    contents.on('new-window', (event, navigationUrl) => {
+      event.preventDefault();
+    });
+
+    // Additional security measures can be added here
+    contents.on('will-navigate', (event, navigationUrl) => {
+      // This is handled by WindowManager, but we can add additional checks here
+    });
+  }
+
+  validateInput(input, type) {
+    switch (type) {
+      case 'vaultName':
+        return this.validateVaultName(input);
+      case 'password':
+        return this.validatePassword(input);
+      case 'recoveryKey':
+        return this.validateRecoveryKey(input);
+      default:
+        return { isValid: true };
+    }
+  }
+
+  validateVaultName(vaultName) {
+    if (!vaultName || typeof vaultName !== 'string') {
+      return { isValid: false, error: 'Vault name must be a string' };
+    }
+
+    if (vaultName.length < 1 || vaultName.length > 50) {
+      return {
+        isValid: false,
+        error: 'Vault name must be between 1 and 50 characters',
+      };
+    }
+
+    // Check for invalid characters
+    const invalidChars = /[<>:"/\\|?*]/;
+    if (invalidChars.test(vaultName)) {
+      return {
+        isValid: false,
+        error: 'Vault name contains invalid characters',
+      };
+    }
+
+    return { isValid: true };
+  }
+
+  validatePassword(password) {
+    if (!password || typeof password !== 'string') {
+      return { isValid: false, error: 'Password must be a string' };
+    }
+
+    if (password.length < 8) {
+      return {
+        isValid: false,
+        error: 'Password must be at least 8 characters long',
+      };
+    }
+
+    return { isValid: true };
+  }
+
+  validateRecoveryKey(recoveryKey) {
+    if (!recoveryKey || typeof recoveryKey !== 'string') {
+      return { isValid: false, error: 'Recovery key must be a string' };
+    }
+
+    // Remove dashes and convert to uppercase
+    const cleanKey = recoveryKey.replace(/-/g, '').toUpperCase();
+
+    // Check if it matches expected format (base32, specific length)
+    const base32Regex = /^[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]+$/;
+    if (!base32Regex.test(cleanKey) || cleanKey.length < 50) {
+      return { isValid: false, error: 'Invalid recovery key format' };
+    }
+
+    return { isValid: true };
+  }
+
+  sanitizePath(filePath) {
+    // Basic path sanitization to prevent directory traversal
+    return filePath.replace(/\.\./g, '').replace(/\/\//g, '/');
+  }
+
+  isSecureOrigin(url) {
+    try {
+      const parsedUrl = new URL(url);
+      return (
+        parsedUrl.protocol === 'file:' || parsedUrl.hostname === 'localhost'
+      );
+    } catch {
+      return false;
+    }
+  }
+}

package/src/electron/services/VaultFileService.js

@@ -0,0 +1,137 @@
+import fs from 'fs-extra';
+import path from 'path';
+import os from 'os';
+
+export class VaultFileService {
+  constructor(vaultDirectory) {
+    // Resolve tilde and ensure absolute path
+    this.vaultDirectory = this._resolvePath(vaultDirectory);
+    this._ensureVaultDirectory();
+  }
+
+  _resolvePath(inputPath) {
+    if (inputPath.startsWith('~')) {
+      return path.join(os.homedir(), inputPath.slice(1));
+    }
+    return path.resolve(inputPath);
+  }
+
+  _ensureVaultDirectory() {
+    fs.ensureDirSync(this.vaultDirectory);
+  }
+
+  getVaultPath(vaultName) {
+    return path.join(this.vaultDirectory, `${vaultName}.vault`);
+  }
+
+  getBackupPath(vaultName) {
+    return path.join(this.vaultDirectory, `${vaultName}.vault.backup`);
+  }
+
+  getTempPath(vaultName) {
+    return path.join(this.vaultDirectory, `${vaultName}.vault.tmp`);
+  }
+
+  async vaultExists(vaultName) {
+    return fs.pathExists(this.getVaultPath(vaultName));
+  }
+
+  async readVaultPath(vaultPath) {
+    return fs.readJSON(vaultPath);
+  }
+
+  async writeVaultPath(vaultPath, data) {
+    return fs.writeJSON(vaultPath, data, { spaces: 2 });
+  }
+
+  async readVaultFile(vaultName) {
+    const vaultPath = this.getVaultPath(vaultName);
+    return this.readVaultPath(vaultPath);
+  }
+
+  async writeVaultFile(vaultName, data) {
+    const vaultPath = this.getVaultPath(vaultName);
+    return fs.writeJSON(vaultPath, data, { spaces: 2 });
+  }
+
+  async atomicWriteVaultFile(vaultName, data) {
+    const vaultPath = this.getVaultPath(vaultName);
+    const tempPath = this.getTempPath(vaultName);
+
+    // Write to temp file first
+    await fs.writeJSON(tempPath, data, { spaces: 2 });
+
+    // Verify temp file can be read
+    await fs.readJSON(tempPath);
+
+    // Move temp file to final location (atomic operation)
+    await fs.move(tempPath, vaultPath, { overwrite: true });
+  }
+
+  async createBackup(vaultName) {
+    const vaultPath = this.getVaultPath(vaultName);
+    const backupPath = this.getBackupPath(vaultName);
+
+    if (await fs.pathExists(vaultPath)) {
+      await fs.copy(vaultPath, backupPath);
+    }
+  }
+
+  async restoreFromBackup(vaultName) {
+    const vaultPath = this.getVaultPath(vaultName);
+    const backupPath = this.getBackupPath(vaultName);
+
+    if (await fs.pathExists(backupPath)) {
+      await fs.copy(backupPath, vaultPath);
+      await fs.remove(backupPath);
+      return true;
+    }
+    return false;
+  }
+
+  async hasBackup(vaultName) {
+    return fs.pathExists(this.getBackupPath(vaultName));
+  }
+
+  async deleteVault(vaultName) {
+    const vaultPath = this.getVaultPath(vaultName);
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+    const deletedBackupPath = path.join(
+      this.vaultDirectory,
+      `${vaultName}.vault.deleted.${timestamp}`
+    );
+
+    // Create backup before deletion
+    await fs.copy(vaultPath, deletedBackupPath);
+
+    // Delete main vault file
+    await fs.remove(vaultPath);
+
+    // Clean up related files
+    const relatedFiles = [
+      this.getBackupPath(vaultName),
+      this.getTempPath(vaultName),
+      path.join(this.vaultDirectory, `${vaultName}.recovery`),
+    ];
+
+    for (const filePath of relatedFiles) {
+      if (await fs.pathExists(filePath)) {
+        await fs.remove(filePath);
+      }
+    }
+
+    return path.basename(deletedBackupPath);
+  }
+
+  async listVaults() {
+    try {
+      const files = await fs.readdir(this.vaultDirectory);
+      return files
+        .filter((file) => file.endsWith('.vault'))
+        .map((file) => file.replace('.vault', ''));
+    } catch (error) {
+      console.error('Error listing vaults:', error);
+      return [];
+    }
+  }
+}

package/src/electron/services/VaultRecoveryService.js

@@ -0,0 +1,134 @@
+import fs from 'fs-extra';
+import path from 'path';
+
+import chalk from 'chalk';
+
+import { VaultFileService } from './VaultFileService.js';
+import { VaultService } from './VaultService.js';
+import { PasswordRecoveryService } from './recovery/PasswordRecoveryService.js';
+import { KeyRecoveryService } from './recovery/KeyRecoveryService.js';
+import { CryptographyService } from './CryptographyService.js';
+import { Vault } from '../models/Vault.js';
+
+export class VaultRecoveryService {
+  constructor(vaultDir) {
+    this.vaultDir = vaultDir;
+  }
+
+  async recover(vaultName, masterPassword) {
+    const vfs = new VaultFileService(this.vaultDir);
+    if (!vfs.vaultExists(vaultName)) {
+      console.error(chalk.red('Vault not found!'));
+      return false;
+    }
+
+    const vs = new VaultService(this.vaultDir);
+    const is_valid = await vs.verifyPassword(vaultName, masterPassword);
+    if (!is_valid.success) {
+      console.error(chalk.red(is_valid.error));
+      return false;
+    }
+
+    const vaultFile = await vfs.readVaultFile(vaultName);
+
+    const salt = Buffer.from(vaultFile.salt, 'hex');
+    const key = CryptographyService.deriveKey(masterPassword, salt);
+    // checking data
+    const encryptedData = {
+      encrypted: vaultFile.encrypted,
+      authTag: vaultFile.authTag,
+      iv: vaultFile.iv,
+    };
+
+    let vaultData = CryptographyService.decrypt(encryptedData, key);
+    let vault = Vault.fromJSON(vaultData, vaultName);
+    vaultData = null;
+    let serializedVault = vault.toJSON();
+    vault = null;
+    serializedVault = null;
+
+    console.log(vaultFile);
+    const existingMetadata = vaultFile.recoveryMetadata || {};
+    let recoveryMetadataFlatten = [];
+
+    await Promise.all(
+      [
+        new PasswordRecoveryService(this.vaultDir),
+        new KeyRecoveryService(this.vaultDir),
+      ].flatMap(async (recovery) => {
+        const methodId = recovery.getRecoveryMethodId();
+        const metadata = existingMetadata[methodId] || {};
+        if (!recovery.isValid(vaultName, metadata)) {
+          console.error(
+            chalk.red('❤️‍🩹 Invalid recovery data found, method: ', methodId)
+          );
+          console.log('🛟 Fixing recovery data');
+
+          const recoveryData = await recovery.generate();
+          const newMetadata = recovery.createMetadata(
+            vaultName,
+            masterPassword,
+            recoveryData
+          );
+          console.log(newMetadata);
+          recoveryMetadataFlatten.push({
+            name: methodId,
+            metadata: newMetadata,
+          });
+          return;
+        }
+
+        chalk.green('✅ Valid recovery data for method: ', methodId);
+        recoveryMetadataFlatten.push({
+          name: methodId,
+          metadata: metadata,
+        });
+      })
+    );
+
+    console.log(recoveryMetadataFlatten);
+    const recoveryMetadata = recoveryMetadataFlatten.reduce((obj, item) => {
+      obj[item.name] = item.metadata;
+      return obj;
+    }, {});
+
+    console.log(chalk.green('✅ Successfully recovered vault!'));
+    const newVaultData = {
+      ...encryptedData,
+      salt: vaultFile.salt,
+      recoveryMetadata,
+    };
+
+    // create in temp file
+    // Atomically write the new vault file
+    const tempPath = vfs.getTempPath(vaultName);
+    await vfs.writeVaultPath(tempPath, newVaultData);
+    // check
+    const is_temp_vault_valid = await vs.verifyPassword(
+      vaultName,
+      masterPassword,
+      tempPath
+    );
+    console.log(is_temp_vault_valid);
+    if (!is_temp_vault_valid.success) {
+      console.error(chalk.red(is_valid.error));
+      return false;
+    }
+
+    console.log(chalk.green('✅ Temporary vault is working as expected!'));
+    let idx = 0;
+    let fileName = `${vaultName}-recovered.vault`;
+    while (await fs.pathExists(path.join(this.vaultDir, finalName))) {
+      idx++;
+      fileName = `${vaultName}-recovered-${idx}.vault`;
+    }
+    // Move temp file to final location (atomic operation)
+    await fs.move(tempPath, path.join(this.vaultDir, finalName), {
+      overwrite: true,
+    });
+    console.log(
+      chalk.green('✅ Vault recovered successfully, new Vault: ', fileName)
+    );
+    return true;
+  }
+}