npm - @joystick.js/db-canary - Versions diffs - 0.0.0-canary.2295 → 0.0.0-canary.2296 - Mend

@joystick.js/db-canary 0.0.0-canary.2295 → 0.0.0-canary.2296

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/client/index.js +1 -1
package/dist/server/index.js +1 -1
package/dist/server/lib/operations/admin.js +1 -1
package/dist/server/lib/user_auth_manager.js +1 -0
package/package.json +2 -2
package/src/client/index.js +21 -7
package/src/server/index.js +60 -19
package/src/server/lib/operations/admin.js +91 -2
package/src/server/lib/user_auth_manager.js +745 -0
package/tests/client/index.test.js +468 -69
package/tests/server/index.test.js +210 -43
package/tests/server/integration/authentication_integration.test.js +65 -33
package/tests/server/integration/development_mode_authentication.test.js +21 -7
package/tests/server/integration/production_safety_integration.test.js +24 -34
package/tests/server/integration/replication_integration.test.js +17 -25
package/tests/server/lib/operations/admin.test.js +39 -5
package/tests/server/lib/user_auth_manager.test.js +525 -0

package/src/server/lib/user_auth_manager.js ADDED Viewed

@@ -0,0 +1,745 @@
+/**
+ * @fileoverview User-based authentication manager with username/password validation.
+ *
+ * Provides comprehensive user authentication services including user management,
+ * username/password validation, rate limiting with exponential backoff, and secure
+ * user storage in admin database. Replaces single-password authentication with
+ * proper user management system.
+ */
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+import create_logger from './logger.js';
+const { create_context_logger } = create_logger('user_auth_manager');
+const log = create_context_logger();
+import { load_settings as load_joystick_settings, has_settings } from './load_settings.js';
+/** @type {number} BCrypt salt rounds for password hashing */
+const SALT_ROUNDS = 12;
+/** @type {number} Rate limiting window in milliseconds (1 minute) */
+const RATE_LIMIT_WINDOW = 60 * 1000;
+/** @type {number} Maximum failed attempts before rate limiting */
+const MAX_FAILED_ATTEMPTS = 5;
+/** @type {number} Base backoff duration in milliseconds */
+const BACKOFF_BASE = 1000;
+/** @type {number} Backoff multiplier for exponential backoff */
+const BACKOFF_MULTIPLIER = 2;
+/** @type {string} Admin database name for server-level data */
+const ADMIN_DATABASE = '_admin';
+/** @type {string} Users collection name */
+const USERS_COLLECTION = '_users';
+/** @type {Object|null} Cached settings data */
+let settings_data = null;
+/** @type {Map<string, Array<number>>} Map of IP addresses to failed attempt timestamps */
+let failed_attempts = new Map();
+/** @type {Map<string, Object>} Map of IP addresses to rate limit information */
+let rate_limits = new Map();
+/** @type {Object|null} Reference to storage engine for user data */
+let storage_engine = null;
+/**
+ * Sets the storage engine reference for user data operations.
+ * @param {Object} engine - Storage engine instance
+ */
+const set_storage_engine = (engine) => {
+  storage_engine = engine;
+};
+/**
+ * Generates a cryptographically secure random password.
+ * @returns {string} 32-character hexadecimal password
+ */
+const generate_secure_password = () => {
+  return crypto.randomBytes(16).toString('hex');
+};
+/**
+ * Loads settings data from environment variable.
+ * @returns {Object|null} Loaded settings data or null if not available
+ */
+const load_settings_data = () => {
+  try {
+    if (!has_settings()) {
+      return null;
+    }
+    const parsed_data = load_joystick_settings();
+    settings_data = parsed_data;
+    if (parsed_data.authentication && parsed_data.authentication.failed_attempts) {
+      failed_attempts = new Map(Object.entries(parsed_data.authentication.failed_attempts));
+    }
+    if (parsed_data.authentication && parsed_data.authentication.rate_limits) {
+      rate_limits = new Map(Object.entries(parsed_data.authentication.rate_limits));
+    }
+    log.info('Settings data loaded successfully from environment variable');
+    return settings_data;
+  } catch (error) {
+    log.error('Failed to load settings data', { error: error.message });
+    throw new Error(`Failed to load settings data: ${error.message}`);
+  }
+};
+/**
+ * Updates the JOYSTICK_DB_SETTINGS environment variable with current state.
+ */
+const save_settings_data = () => {
+  try {
+    if (!settings_data) {
+      // NOTE: Create minimal settings data if none exists (for tests)
+      settings_data = {
+        port: 1983,
+        authentication: {}
+      };
+    }
+    if (!settings_data.authentication) {
+      settings_data.authentication = {};
+    }
+    settings_data.authentication.failed_attempts = Object.fromEntries(failed_attempts);
+    settings_data.authentication.rate_limits = Object.fromEntries(rate_limits);
+    process.env.JOYSTICK_DB_SETTINGS = JSON.stringify(settings_data);
+    log.info('Settings data saved successfully to environment variable');
+  } catch (error) {
+    log.error('Failed to save settings data', { error: error.message });
+    // NOTE: Don't throw in test environment to avoid breaking tests
+    if (process.env.NODE_ENV !== 'test') {
+      throw new Error(`Failed to save settings data: ${error.message}`);
+    }
+  }
+};
+/**
+ * Checks if an IP address is whitelisted (localhost addresses).
+ * @param {string} ip - IP address to check
+ * @returns {boolean} True if IP is whitelisted
+ */
+const is_ip_whitelisted = (ip) => {
+  if (process.env.NODE_ENV === 'test') {
+    return false;
+  }
+  const whitelisted_ips = ['127.0.0.1', '::1', 'localhost'];
+  return whitelisted_ips.includes(ip);
+};
+/**
+ * Extracts client IP address from socket connection.
+ * @param {net.Socket} socket - Socket connection
+ * @returns {string} Client IP address or localhost fallback
+ */
+const get_client_ip = (socket) => {
+  return socket.remoteAddress || '127.0.0.1';
+};
+/**
+ * Checks if an IP address is currently rate limited.
+ * @param {string} ip - IP address to check
+ * @returns {boolean} True if IP is rate limited
+ */
+const is_rate_limited = (ip) => {
+  if (is_ip_whitelisted(ip)) {
+    return false;
+  }
+  const now = Date.now();
+  const attempts = failed_attempts.get(ip) || [];
+  const recent_attempts = attempts.filter(timestamp => now - timestamp < RATE_LIMIT_WINDOW);
+  if (recent_attempts.length >= MAX_FAILED_ATTEMPTS) {
+    const rate_limit_info = rate_limits.get(ip);
+    if (rate_limit_info && now < rate_limit_info.expires_at) {
+      return true;
+    }
+    const backoff_duration = Math.min(
+      BACKOFF_BASE * Math.pow(BACKOFF_MULTIPLIER, Math.floor(recent_attempts.length / MAX_FAILED_ATTEMPTS)),
+      30 * 60 * 1000
+    );
+    rate_limits.set(ip, {
+      expires_at: now + backoff_duration,
+      attempts: recent_attempts.length
+    });
+    save_settings_data();
+    log.warn('IP rate limited', {
+      ip,
+      attempts: recent_attempts.length,
+      backoff_duration_ms: backoff_duration
+    });
+    return true;
+  }
+  return false;
+};
+/**
+ * Records a failed authentication attempt for an IP address.
+ * @param {string} ip - IP address that failed authentication
+ */
+const record_failed_attempt = (ip) => {
+  if (is_ip_whitelisted(ip)) {
+    return;
+  }
+  const now = Date.now();
+  const attempts = failed_attempts.get(ip) || [];
+  attempts.push(now);
+  const recent_attempts = attempts.filter(timestamp => now - timestamp < RATE_LIMIT_WINDOW);
+  failed_attempts.set(ip, recent_attempts);
+  log.warn('Failed authentication attempt recorded', {
+    ip,
+    total_recent_attempts: recent_attempts.length
+  });
+  save_settings_data();
+};
+/**
+ * Clears failed attempts and rate limits for an IP address.
+ * @param {string} ip - IP address to clear
+ */
+const clear_failed_attempts = (ip) => {
+  failed_attempts.delete(ip);
+  rate_limits.delete(ip);
+  save_settings_data();
+};
+/**
+ * Creates the user key for storage.
+ * @param {string} username - Username
+ * @returns {string} Storage key for user
+ */
+const create_user_key = (username) => {
+  return `${ADMIN_DATABASE}:${USERS_COLLECTION}:${username}`;
+};
+/**
+ * Creates a user object with required fields.
+ * @param {string} username - Username
+ * @param {string} password - Plain text password
+ * @param {string} role - User role (default: 'user')
+ * @returns {Object} User object with hashed password
+ */
+const create_user_object = async (username, password, role = 'user') => {
+  const password_hash = await bcrypt.hash(password, SALT_ROUNDS);
+  const now = new Date().toISOString();
+  return {
+    username,
+    password_hash,
+    role,
+    active: true,
+    created_at: now,
+    last_login: null
+  };
+};
+/**
+ * Creates a new user in the system.
+ * @param {string} username - Username (must be unique)
+ * @param {string} password - Plain text password
+ * @param {string} email - User email
+ * @param {string} role - User role (default: 'user')
+ * @returns {Promise<Object>} Created user object or error result
+ */
+const create_user = async (username, password, email, role = 'user') => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    if (!username || !password) {
+      return { success: false, error: 'Username and password are required' };
+    }
+    if (typeof username !== 'string' || username.trim().length === 0) {
+      return { success: false, error: 'Username is required and must be a non-empty string' };
+    }
+    if (typeof password !== 'string' || password.length < 6) {
+      return { success: false, error: 'Password is required and must be at least 6 characters' };
+    }
+    if (role && !['admin', 'user'].includes(role)) {
+      return { success: false, error: 'Role must be either "admin" or "user"' };
+    }
+    const user_key = create_user_key(username.trim().toLowerCase());
+    // NOTE: Check if user already exists.
+    const existing_user = await storage_engine.get(user_key);
+    if (existing_user) {
+      return { success: false, error: 'User already exists' };
+    }
+    const user_object = await create_user_object(username.trim().toLowerCase(), password, role);
+    await storage_engine.put(user_key, user_object);
+    log.info('User created successfully', {
+      username: user_object.username,
+      role: user_object.role
+    });
+    const { password_hash, ...user_without_password } = user_object;
+    return {
+      success: true,
+      message: 'User created successfully',
+      ok: 1,
+      user: user_without_password
+    };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Retrieves a user by username.
+ * @param {string} username - Username to retrieve
+ * @returns {Promise<Object>} User object or error result
+ */
+const get_user = async (username) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    if (!username) {
+      return { success: false, error: 'Username is required' };
+    }
+    const user_key = create_user_key(username.trim().toLowerCase());
+    const user = await storage_engine.get(user_key);
+    if (!user) {
+      return { success: false, error: 'User not found' };
+    }
+    const { password_hash, ...user_without_password } = user;
+    return { success: true, user: user_without_password };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Updates a user's information.
+ * @param {string} username - Username to update
+ * @param {Object} updates - Fields to update
+ * @returns {Promise<Object>} Update result or error
+ */
+const update_user = async (username, updates) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    if (!username) {
+      return { success: false, error: 'Username is required' };
+    }
+    // NOTE: Get user directly from storage without success/error wrapper
+    const user_key = create_user_key(username.trim().toLowerCase());
+    const user = await storage_engine.get(user_key);
+    if (!user) {
+      return { success: false, error: `User '${username}' not found` };
+    }
+    // NOTE: Validate email format if provided
+    if (updates.email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(updates.email)) {
+      return { success: false, error: 'Invalid email format' };
+    }
+    // NOTE: Validate role if provided
+    if (updates.role && !['admin', 'user'].includes(updates.role)) {
+      return { success: false, error: 'Role must be either "admin" or "user"' };
+    }
+    const allowed_updates = ['role', 'active', 'email'];
+    const filtered_updates = {};
+    for (const [key, value] of Object.entries(updates)) {
+      if (allowed_updates.includes(key)) {
+        filtered_updates[key] = value;
+      }
+    }
+    const updated_user = {
+      ...user,
+      ...filtered_updates
+    };
+    await storage_engine.put(user_key, updated_user);
+    log.info('User updated successfully', {
+      username,
+      updates: filtered_updates
+    });
+    return { success: true, message: 'User updated successfully' };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Resets a user's password.
+ * @param {string} username - Username
+ * @param {string} new_password - New plain text password
+ * @returns {Promise<Object>} Reset result or error
+ */
+const reset_user_password = async (username, new_password) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    if (!new_password || typeof new_password !== 'string' || new_password.length < 6) {
+      return { success: false, error: 'Password must be at least 6 characters long' };
+    }
+    // NOTE: Get user directly from storage
+    const user_key = create_user_key(username.trim().toLowerCase());
+    const user = await storage_engine.get(user_key);
+    if (!user) {
+      return { success: false, error: `User '${username}' not found` };
+    }
+    const password_hash = await bcrypt.hash(new_password, SALT_ROUNDS);
+    const updated_user = {
+      ...user,
+      password_hash
+    };
+    await storage_engine.put(user_key, updated_user);
+    log.info('User password reset successfully', { username });
+    return { success: true, message: 'Password reset successfully' };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Deletes a user from the system.
+ * @param {string} username - Username to delete
+ * @returns {Promise<Object>} Delete result or error
+ */
+const delete_user = async (username) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    // NOTE: Get user directly from storage
+    const user_key = create_user_key(username.trim().toLowerCase());
+    const user = await storage_engine.get(user_key);
+    if (!user) {
+      return { success: false, error: 'User not found' };
+    }
+    await storage_engine.del(user_key);
+    log.info('User deleted successfully', { username });
+    return { success: true, message: 'User deleted successfully' };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Lists all users in the system.
+ * @returns {Promise<Object>} User list result or error
+ */
+const list_users = async () => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    const users = [];
+    const user_prefix = `${ADMIN_DATABASE}:${USERS_COLLECTION}:`;
+    // NOTE: Use LMDB's getRange method to scan for user keys.
+    try {
+      for (const { key, value } of storage_engine.getRange({
+        start: user_prefix,
+        end: user_prefix + '\xFF'
+      })) {
+        if (value && typeof value === 'object') {
+          const { password_hash, ...user_without_password } = value;
+          users.push(user_without_password);
+        }
+      }
+    } catch (error) {
+      log.error('Failed to list users', { error: error.message });
+      return { success: false, error: error.message };
+    }
+    return { success: true, users: users.sort((a, b) => a.username.localeCompare(b.username)) };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Verifies username and password credentials.
+ * @param {string} username - Username
+ * @param {string} password - Plain text password
+ * @param {string} ip - Client IP address for rate limiting
+ * @returns {Promise<Object>} Authentication result or error
+ */
+const verify_credentials = async (username, password, ip) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    if (!username || !password) {
+      return { success: false, error: 'Username and password are required' };
+    }
+    if (is_rate_limited(ip)) {
+      return { success: false, error: 'Too many failed attempts' };
+    }
+    const start_time = Date.now();
+    try {
+      // NOTE: Get user directly from storage
+      const user_key = create_user_key(username.trim().toLowerCase());
+      const user = await storage_engine.get(user_key);
+      if (!user) {
+        record_failed_attempt(ip);
+        log.warn('Authentication failed - user not found', { username, ip });
+        return { success: false, error: 'Invalid credentials' };
+      }
+      if (!user.active) {
+        record_failed_attempt(ip);
+        log.warn('Authentication failed - user inactive', { username, ip });
+        return { success: false, error: 'Account is disabled' };
+      }
+      const is_valid = await bcrypt.compare(password, user.password_hash);
+      const verification_time = Date.now() - start_time;
+      const min_time = 100;
+      if (verification_time < min_time) {
+        await new Promise(resolve => setTimeout(resolve, min_time - verification_time));
+      }
+      if (is_valid) {
+        clear_failed_attempts(ip);
+        // NOTE: Update last login timestamp.
+        const updated_user = {
+          ...user,
+          last_login: new Date().toISOString()
+        };
+        await storage_engine.put(user_key, updated_user);
+        log.info('Authentication successful', { username, ip });
+        const { password_hash, ...user_without_password } = updated_user;
+        return { success: true, user: user_without_password };
+      } else {
+        record_failed_attempt(ip);
+        log.warn('Authentication failed - invalid password', { username, ip });
+        return { success: false, error: 'Invalid credentials' };
+      }
+    } catch (error) {
+      record_failed_attempt(ip);
+      log.error('Authentication error', { username, ip, error: error.message });
+      return { success: false, error: error.message };
+    }
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Sets up initial admin user if no users exist.
+ * @param {string} username - Admin username
+ * @param {string} password - Admin password
+ * @param {string} email - Admin email (optional)
+ * @returns {Promise<Object>} Setup result with admin credentials
+ */
+const setup_initial_admin = async (username, password, email = null) => {
+  try {
+    if (!storage_engine) {
+      return { success: false, error: 'Storage engine not initialized' };
+    }
+    // NOTE: Validate required fields.
+    if (!username || !password || (email !== null && !email)) {
+      return { success: false, error: 'Username, password, and email are required' };
+    }
+    if (password.length < 6) {
+      return { success: false, error: 'Password must be at least 6 characters long' };
+    }
+    if (email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+      return { success: false, error: 'Invalid email format' };
+    }
+    // NOTE: Check if any users already exist.
+    const existing_users_result = await list_users();
+    if (existing_users_result.success && existing_users_result.users.length > 0) {
+      return { success: false, error: 'Initial admin user already exists' };
+    }
+    // NOTE: Create admin user with email parameter
+    const admin_user_result = await create_user(username, password, email || `${username}@localhost`, 'admin');
+    if (!admin_user_result.success) {
+      return admin_user_result;
+    }
+    const now = new Date().toISOString();
+    // NOTE: Update settings to mark authentication as configured.
+    if (!settings_data) {
+      load_settings_data();
+    }
+    if (!settings_data) {
+      settings_data = {
+        port: 1983,
+        cluster: true,
+        worker_count: 2,
+        authentication: {},
+        backup: { enabled: false },
+        replication: { enabled: false, role: "primary" },
+        auto_indexing: { enabled: true, threshold: 100 },
+        performance: {
+          monitoring_enabled: true,
+          log_slow_queries: true,
+          slow_query_threshold_ms: 1000
+        },
+        logging: { level: "info", structured: true }
+      };
+    }
+    settings_data.authentication = {
+      user_based: true,
+      created_at: now,
+      last_updated: now,
+      failed_attempts: {},
+      rate_limits: {}
+    };
+    save_settings_data();
+    log.info('Initial admin setup completed', {
+      admin_username: admin_user_result.username,
+      created_at: now
+    });
+    return {
+      success: true,
+      admin_user: admin_user_result,
+      message: 'Initial admin user created successfully',
+      ok: 1
+    };
+  } catch (error) {
+    return { success: false, error: error.message };
+  }
+};
+/**
+ * Gets authentication statistics and status information.
+ * @returns {Promise<Object>} Authentication statistics
+ */
+const get_auth_stats = async () => {
+  const auth_configured = !!(settings_data && settings_data.authentication && settings_data.authentication.user_based);
+  let user_count = 0;
+  if (auth_configured) {
+    const users_result = await list_users();
+    user_count = users_result.success ? users_result.users.length : 0;
+  }
+  return {
+    configured: auth_configured,
+    user_based: true,
+    user_count,
+    failed_attempts_count: failed_attempts.size,
+    rate_limited_ips: rate_limits.size,
+    created_at: settings_data?.authentication?.created_at || null,
+    last_updated: settings_data?.authentication?.last_updated || null
+  };
+};
+/**
+ * Initializes the user authentication manager.
+ */
+const initialize_user_auth_manager = () => {
+  try {
+    load_settings_data();
+  } catch (error) {
+    log.warn('Could not load settings data on startup', { error: error.message });
+  }
+};
+/**
+ * Resets authentication state (used for testing).
+ */
+const reset_auth_state = () => {
+  settings_data = null;
+  failed_attempts = new Map();
+  rate_limits = new Map();
+  storage_engine = null;
+  if (process.env.JOYSTICK_DB_SETTINGS) {
+    delete process.env.JOYSTICK_DB_SETTINGS;
+  }
+};
+export {
+  set_storage_engine,
+  create_user,
+  get_user,
+  update_user,
+  reset_user_password,
+  delete_user,
+  list_users,
+  verify_credentials,
+  setup_initial_admin,
+  get_client_ip,
+  is_rate_limited,
+  get_auth_stats,
+  initialize_user_auth_manager,
+  reset_auth_state
+};