@omindu/yaksha 1.0.0

package/src/security/auth.js

@@ -0,0 +1,441 @@
+'use strict';
+
+/**
+ * Yaksha Authentication System
+ * Supports multiple authentication methods: password, token, certificate
+ */
+
+const crypto = require('crypto');
+const EventEmitter = require('events');
+
+// Authentication methods
+const AUTH_METHODS = {
+  PASSWORD: 'password',
+  TOKEN: 'token',
+  CERTIFICATE: 'certificate'
+};
+
+// Authentication states
+const AUTH_STATES = {
+  PENDING: 'pending',
+  AUTHENTICATED: 'authenticated',
+  FAILED: 'failed',
+  LOCKED: 'locked'
+};
+
+class Authentication extends EventEmitter {
+  constructor(method = 'token', options = {}) {
+    super();
+    
+    this.method = method;
+    this.maxAttempts = options.maxAttempts || 10;
+    this.lockoutDuration = options.lockoutDuration || 300000; // 5 minutes
+    this.rateLimitWindow = options.rateLimitWindow || 60000; // 1 minute
+    this.maxAttemptsPerWindow = options.maxAttemptsPerWindow || 5;
+    this.sessionTimeout = options.sessionTimeout || 3600000; // 1 hour
+    this.tokenRotationInterval = options.tokenRotationInterval || 86400000; // 24 hours
+
+    // Storage for credentials and sessions
+    this.credentials = new Map(); // username/id -> credential data
+    this.sessions = new Map();    // sessionId -> session data
+    this.attempts = new Map();    // identifier -> attempt data
+    this.lockouts = new Map();    // identifier -> lockout timestamp
+  }
+
+  /**
+   * Hash password using PBKDF2
+   */
+  _hashPassword(password, salt) {
+    salt = salt || crypto.randomBytes(32);
+    const hash = crypto.pbkdf2Sync(password, salt, 10000, 64, 'sha512');
+    return { hash, salt };
+  }
+
+  /**
+   * Verify password (constant-time comparison)
+   */
+  _verifyPassword(password, storedHash, salt) {
+    const { hash } = this._hashPassword(password, salt);
+    return crypto.timingSafeEqual(hash, storedHash);
+  }
+
+  /**
+   * Generate random token
+   */
+  _generateToken() {
+    return crypto.randomBytes(32).toString('hex');
+  }
+
+  /**
+   * Generate challenge for challenge-response authentication
+   */
+  _generateChallenge() {
+    return crypto.randomBytes(32);
+  }
+
+  /**
+   * Verify TOTP (Time-based One-Time Password) for 2FA
+   */
+  _verifyTOTP(token, secret, window = 1) {
+    // Simplified TOTP verification
+    // In production, use a proper TOTP library
+    const time = Math.floor(Date.now() / 30000); // 30-second window
+    
+    for (let i = -window; i <= window; i++) {
+      const expectedToken = this._generateTOTP(secret, time + i);
+      if (token === expectedToken) {
+        return true;
+      }
+    }
+    
+    return false;
+  }
+
+  /**
+   * Generate TOTP token
+   */
+  _generateTOTP(secret, time) {
+    // Simplified TOTP generation
+    const hmac = crypto.createHmac('sha1', Buffer.from(secret, 'hex'));
+    hmac.update(Buffer.from([0, 0, 0, 0, 0, 0, 0, time]));
+    const hash = hmac.digest();
+    
+    const offset = hash[hash.length - 1] & 0xf;
+    const code = ((hash[offset] & 0x7f) << 24) |
+                 ((hash[offset + 1] & 0xff) << 16) |
+                 ((hash[offset + 2] & 0xff) << 8) |
+                 (hash[offset + 3] & 0xff);
+    
+    return String(code % 1000000).padStart(6, '0');
+  }
+
+  /**
+   * Check if identifier is rate limited
+   */
+  _isRateLimited(identifier) {
+    const now = Date.now();
+    const attemptData = this.attempts.get(identifier);
+
+    if (!attemptData) {
+      return false;
+    }
+
+    // Remove old attempts outside the window
+    attemptData.timestamps = attemptData.timestamps.filter(
+      ts => now - ts < this.rateLimitWindow
+    );
+
+    if (attemptData.timestamps.length >= this.maxAttemptsPerWindow) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Check if identifier is locked out
+   */
+  _isLockedOut(identifier) {
+    const lockoutTime = this.lockouts.get(identifier);
+    if (!lockoutTime) {
+      return false;
+    }
+
+    const now = Date.now();
+    if (now - lockoutTime > this.lockoutDuration) {
+      this.lockouts.delete(identifier);
+      return false;
+    }
+
+    return true;
+  }
+
+  /**
+   * Record authentication attempt
+   */
+  _recordAttempt(identifier, success) {
+    const now = Date.now();
+    
+    if (!this.attempts.has(identifier)) {
+      this.attempts.set(identifier, {
+        total: 0,
+        failed: 0,
+        timestamps: []
+      });
+    }
+
+    const attemptData = this.attempts.get(identifier);
+    attemptData.total++;
+    attemptData.timestamps.push(now);
+
+    if (!success) {
+      attemptData.failed++;
+
+      // Check if should lock out
+      if (attemptData.failed >= this.maxAttempts) {
+        this.lockouts.set(identifier, now);
+        this.emit('lockout', identifier);
+      }
+    } else {
+      // Reset on successful authentication
+      attemptData.failed = 0;
+    }
+  }
+
+  /**
+   * Register user with password
+   */
+  registerPassword(username, password) {
+    if (this.method !== AUTH_METHODS.PASSWORD) {
+      throw new Error('Authentication method is not password');
+    }
+
+    const { hash, salt } = this._hashPassword(password);
+    
+    this.credentials.set(username, {
+      method: AUTH_METHODS.PASSWORD,
+      hash,
+      salt,
+      createdAt: Date.now()
+    });
+
+    return true;
+  }
+
+  /**
+   * Register user with token
+   */
+  registerToken(identifier, token) {
+    if (this.method !== AUTH_METHODS.TOKEN) {
+      throw new Error('Authentication method is not token');
+    }
+
+    token = token || this._generateToken();
+
+    this.credentials.set(identifier, {
+      method: AUTH_METHODS.TOKEN,
+      token,
+      createdAt: Date.now(),
+      expiresAt: Date.now() + this.tokenRotationInterval
+    });
+
+    return token;
+  }
+
+  /**
+   * Register user with certificate
+   */
+  registerCertificate(identifier, certificate, options = {}) {
+    if (this.method !== AUTH_METHODS.CERTIFICATE) {
+      throw new Error('Authentication method is not certificate');
+    }
+
+    this.credentials.set(identifier, {
+      method: AUTH_METHODS.CERTIFICATE,
+      certificate,
+      twoFactorSecret: options.twoFactorSecret || null,
+      createdAt: Date.now()
+    });
+
+    return true;
+  }
+
+  /**
+   * Authenticate with password
+   */
+  authenticatePassword(username, password) {
+    if (this._isLockedOut(username)) {
+      return { success: false, state: AUTH_STATES.LOCKED, reason: 'Account locked' };
+    }
+
+    if (this._isRateLimited(username)) {
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Rate limit exceeded' };
+    }
+
+    const credential = this.credentials.get(username);
+    
+    if (!credential || credential.method !== AUTH_METHODS.PASSWORD) {
+      this._recordAttempt(username, false);
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid credentials' };
+    }
+
+    const isValid = this._verifyPassword(password, credential.hash, credential.salt);
+    this._recordAttempt(username, isValid);
+
+    if (!isValid) {
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid credentials' };
+    }
+
+    // Create session
+    const sessionId = this._generateToken();
+    this.sessions.set(sessionId, {
+      identifier: username,
+      createdAt: Date.now(),
+      expiresAt: Date.now() + this.sessionTimeout
+    });
+
+    this.emit('authenticated', username, sessionId);
+
+    return {
+      success: true,
+      state: AUTH_STATES.AUTHENTICATED,
+      sessionId,
+      expiresAt: Date.now() + this.sessionTimeout
+    };
+  }
+
+  /**
+   * Authenticate with token
+   */
+  authenticateToken(identifier, token) {
+    if (this._isLockedOut(identifier)) {
+      return { success: false, state: AUTH_STATES.LOCKED, reason: 'Account locked' };
+    }
+
+    if (this._isRateLimited(identifier)) {
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Rate limit exceeded' };
+    }
+
+    const credential = this.credentials.get(identifier);
+    
+    if (!credential || credential.method !== AUTH_METHODS.TOKEN) {
+      this._recordAttempt(identifier, false);
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid token' };
+    }
+
+    // Check token expiration
+    if (credential.expiresAt && Date.now() > credential.expiresAt) {
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Token expired' };
+    }
+
+    // Constant-time comparison
+    const isValid = crypto.timingSafeEqual(
+      Buffer.from(token),
+      Buffer.from(credential.token)
+    );
+    
+    this._recordAttempt(identifier, isValid);
+
+    if (!isValid) {
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid token' };
+    }
+
+    // Create session
+    const sessionId = this._generateToken();
+    this.sessions.set(sessionId, {
+      identifier,
+      createdAt: Date.now(),
+      expiresAt: Date.now() + this.sessionTimeout
+    });
+
+    this.emit('authenticated', identifier, sessionId);
+
+    return {
+      success: true,
+      state: AUTH_STATES.AUTHENTICATED,
+      sessionId,
+      expiresAt: Date.now() + this.sessionTimeout
+    };
+  }
+
+  /**
+   * Authenticate with certificate
+   */
+  authenticateCertificate(identifier, certificate, totpToken = null) {
+    if (this._isLockedOut(identifier)) {
+      return { success: false, state: AUTH_STATES.LOCKED, reason: 'Account locked' };
+    }
+
+    const credential = this.credentials.get(identifier);
+    
+    if (!credential || credential.method !== AUTH_METHODS.CERTIFICATE) {
+      this._recordAttempt(identifier, false);
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid certificate' };
+    }
+
+    // In production, perform proper certificate validation
+    const isValid = certificate === credential.certificate;
+    
+    if (!isValid) {
+      this._recordAttempt(identifier, false);
+      return { success: false, state: AUTH_STATES.FAILED, reason: 'Invalid certificate' };
+    }
+
+    // Check 2FA if enabled
+    if (credential.twoFactorSecret) {
+      if (!totpToken || !this._verifyTOTP(totpToken, credential.twoFactorSecret)) {
+        this._recordAttempt(identifier, false);
+        return { success: false, state: AUTH_STATES.FAILED, reason: '2FA verification failed' };
+      }
+    }
+
+    this._recordAttempt(identifier, true);
+
+    // Create session
+    const sessionId = this._generateToken();
+    this.sessions.set(sessionId, {
+      identifier,
+      createdAt: Date.now(),
+      expiresAt: Date.now() + this.sessionTimeout
+    });
+
+    this.emit('authenticated', identifier, sessionId);
+
+    return {
+      success: true,
+      state: AUTH_STATES.AUTHENTICATED,
+      sessionId,
+      expiresAt: Date.now() + this.sessionTimeout
+    };
+  }
+
+  /**
+   * Validate session
+   */
+  validateSession(sessionId) {
+    const session = this.sessions.get(sessionId);
+    
+    if (!session) {
+      return { valid: false, reason: 'Invalid session' };
+    }
+
+    if (Date.now() > session.expiresAt) {
+      this.sessions.delete(sessionId);
+      return { valid: false, reason: 'Session expired' };
+    }
+
+    return {
+      valid: true,
+      identifier: session.identifier,
+      expiresAt: session.expiresAt
+    };
+  }
+
+  /**
+   * Revoke session
+   */
+  revokeSession(sessionId) {
+    return this.sessions.delete(sessionId);
+  }
+
+  /**
+   * Cleanup expired sessions
+   */
+  cleanupSessions() {
+    const now = Date.now();
+    let cleaned = 0;
+
+    for (const [sessionId, session] of this.sessions.entries()) {
+      if (now > session.expiresAt) {
+        this.sessions.delete(sessionId);
+        cleaned++;
+      }
+    }
+
+    return cleaned;
+  }
+}
+
+module.exports = Authentication;
+module.exports.AUTH_METHODS = AUTH_METHODS;
+module.exports.AUTH_STATES = AUTH_STATES;