@ratim818/allyve-wellness-backend 1.0.0

package/src/services/auth.ts

@@ -0,0 +1,293 @@
+import bcrypt from "bcryptjs";
+import jwt from "jsonwebtoken";
+import { v4 as uuidv4 } from "uuid";
+import { db } from "../config/database.js";
+import { config } from "../config/index.js";
+import { encrypt, decrypt } from "./encryption.js";
+import { writeAuditLog } from "./audit.js";
+import { logger } from "../utils/logger.js";
+
+// ─── HIPAA AUTH REQUIREMENTS ────────────────────────────────
+// §164.312(a)(1) — Unique user identification
+// §164.312(a)(2)(i) — Unique user ID for tracking
+// §164.312(d) — Person or entity authentication
+// §164.312(a)(2)(iii) — Automatic logoff (handled by session middleware)
+// ─────────────────────────────────────────────────────────────
+
+const BCRYPT_ROUNDS = 12; // NIST recommends ≥10 for sensitive systems
+const MAX_LOGIN_ATTEMPTS = 5;
+const LOCKOUT_DURATION_MS = 30 * 60 * 1000; // 30 minutes
+
+export interface TokenPayload {
+  userId: string;
+  email: string;
+  role: string;
+  sessionId: string;
+}
+
+export interface AuthTokens {
+  accessToken: string;
+  refreshToken: string;
+  expiresIn: string;
+}
+
+/**
+ * Register a new user with encrypted PII and hashed password.
+ */
+export async function registerUser(data: {
+  email: string;
+  password: string;
+  fullName: string;
+  dateOfBirth: string;
+  phone?: string;
+}): Promise<{ userId: string }> {
+  // Check if email already exists (using HMAC hash for lookup without decrypting all emails)
+  const { hmacHash } = await import("./encryption.js");
+  const emailHash = hmacHash(data.email.toLowerCase());
+
+  const existing = await db("users").where("email_hash", emailHash).first();
+  if (existing) {
+    throw new Error("An account with this email already exists");
+  }
+
+  const userId = uuidv4();
+  const passwordHash = await bcrypt.hash(data.password, BCRYPT_ROUNDS);
+
+  // Encrypt all PII/PHI at rest
+  await db("users").insert({
+    id: userId,
+    email_encrypted: encrypt(data.email.toLowerCase()),
+    email_hash: emailHash, // For lookups without decrypting every row
+    password_hash: passwordHash,
+    full_name_encrypted: encrypt(data.fullName),
+    date_of_birth_encrypted: encrypt(data.dateOfBirth),
+    phone_encrypted: data.phone ? encrypt(data.phone) : null,
+    role: "patient",
+    is_active: true,
+    login_attempts: 0,
+    created_at: new Date(),
+    updated_at: new Date(),
+  });
+
+  await writeAuditLog({
+    user_id: userId,
+    action: "CREATE",
+    resource_type: "user",
+    resource_id: userId,
+    outcome: "success",
+  });
+
+  logger.info(`User registered: ${userId}`);
+  return { userId };
+}
+
+/**
+ * Authenticate a user and return JWT tokens.
+ */
+export async function loginUser(
+  email: string,
+  password: string,
+  ipAddress?: string,
+  userAgent?: string
+): Promise<AuthTokens> {
+  const { hmacHash } = await import("./encryption.js");
+  const emailHash = hmacHash(email.toLowerCase());
+
+  const user = await db("users").where("email_hash", emailHash).first();
+
+  if (!user) {
+    await writeAuditLog({
+      user_id: null,
+      action: "LOGIN_FAILED",
+      resource_type: "session",
+      details: { reason: "user_not_found" },
+      ip_address: ipAddress,
+      user_agent: userAgent,
+      outcome: "failure",
+    });
+    throw new Error("Invalid email or password");
+  }
+
+  // Check account lockout
+  if (user.locked_until && new Date(user.locked_until) > new Date()) {
+    await writeAuditLog({
+      user_id: user.id,
+      action: "LOGIN_FAILED",
+      resource_type: "session",
+      details: { reason: "account_locked" },
+      ip_address: ipAddress,
+      user_agent: userAgent,
+      outcome: "denied",
+    });
+    throw new Error("Account is temporarily locked. Please try again later.");
+  }
+
+  // Verify password
+  const isValid = await bcrypt.compare(password, user.password_hash);
+  if (!isValid) {
+    const attempts = (user.login_attempts || 0) + 1;
+    const updates: Record<string, unknown> = {
+      login_attempts: attempts,
+      updated_at: new Date(),
+    };
+
+    // Lock after MAX_LOGIN_ATTEMPTS
+    if (attempts >= MAX_LOGIN_ATTEMPTS) {
+      updates.locked_until = new Date(Date.now() + LOCKOUT_DURATION_MS);
+      logger.warn(`Account locked for user ${user.id} after ${attempts} failed attempts`);
+    }
+
+    await db("users").where("id", user.id).update(updates);
+
+    await writeAuditLog({
+      user_id: user.id,
+      action: "LOGIN_FAILED",
+      resource_type: "session",
+      details: { reason: "invalid_password", attempt: attempts },
+      ip_address: ipAddress,
+      user_agent: userAgent,
+      outcome: "failure",
+    });
+
+    throw new Error("Invalid email or password");
+  }
+
+  // Reset login attempts on success
+  await db("users").where("id", user.id).update({
+    login_attempts: 0,
+    locked_until: null,
+    last_login: new Date(),
+    updated_at: new Date(),
+  });
+
+  // Create session
+  const sessionId = uuidv4();
+  await db("sessions").insert({
+    id: sessionId,
+    user_id: user.id,
+    ip_address: ipAddress,
+    user_agent: userAgent,
+    expires_at: new Date(Date.now() + config.session.maxAge),
+    created_at: new Date(),
+  });
+
+  // Generate tokens
+  const payload: TokenPayload = {
+    userId: user.id,
+    email: email.toLowerCase(),
+    role: user.role,
+    sessionId,
+  };
+
+  const accessToken = jwt.sign(payload, config.jwt.secret, {
+    expiresIn: config.jwt.expiresIn,
+    issuer: "allyve-wellness",
+    audience: "allyve-frontend",
+  } as jwt.SignOptions);
+
+  const refreshToken = jwt.sign(
+    { userId: user.id, sessionId, type: "refresh" },
+    config.jwt.secret,
+    { expiresIn: config.jwt.refreshExpiresIn } as jwt.SignOptions
+  );
+
+  // Store refresh token hash
+  const refreshHash = (await import("./encryption.js")).hmacHash(refreshToken);
+  await db("refresh_tokens").insert({
+    id: uuidv4(),
+    user_id: user.id,
+    session_id: sessionId,
+    token_hash: refreshHash,
+    expires_at: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+    created_at: new Date(),
+  });
+
+  await writeAuditLog({
+    user_id: user.id,
+    action: "LOGIN",
+    resource_type: "session",
+    resource_id: sessionId,
+    ip_address: ipAddress,
+    user_agent: userAgent,
+    outcome: "success",
+  });
+
+  return {
+    accessToken,
+    refreshToken,
+    expiresIn: config.jwt.expiresIn,
+  };
+}
+
+/**
+ * Refresh an access token using a valid refresh token.
+ */
+export async function refreshAccessToken(refreshToken: string): Promise<AuthTokens> {
+  const { hmacHash } = await import("./encryption.js");
+
+  // Verify the JWT
+  let decoded: jwt.JwtPayload;
+  try {
+    decoded = jwt.verify(refreshToken, config.jwt.secret) as jwt.JwtPayload;
+  } catch {
+    throw new Error("Invalid refresh token");
+  }
+
+  if (decoded.type !== "refresh") throw new Error("Invalid token type");
+
+  // Check token exists in DB and isn't revoked
+  const tokenHash = hmacHash(refreshToken);
+  const storedToken = await db("refresh_tokens")
+    .where("token_hash", tokenHash)
+    .where("revoked", false)
+    .first();
+
+  if (!storedToken || new Date(storedToken.expires_at) < new Date()) {
+    throw new Error("Refresh token expired or revoked");
+  }
+
+  // Get user
+  const user = await db("users").where("id", decoded.userId).first();
+  if (!user || !user.is_active) throw new Error("User not found or inactive");
+
+  // Generate new access token
+  const payload: TokenPayload = {
+    userId: user.id,
+    email: decrypt(user.email_encrypted),
+    role: user.role,
+    sessionId: decoded.sessionId as string,
+  };
+
+  const newAccessToken = jwt.sign(payload, config.jwt.secret, {
+    expiresIn: config.jwt.expiresIn,
+    issuer: "allyve-wellness",
+    audience: "allyve-frontend",
+  } as jwt.SignOptions);
+
+  return {
+    accessToken: newAccessToken,
+    refreshToken, // Reuse existing refresh token
+    expiresIn: config.jwt.expiresIn,
+  };
+}
+
+/**
+ * Logout — revoke session and refresh tokens.
+ */
+export async function logoutUser(
+  userId: string,
+  sessionId: string,
+  ipAddress?: string
+): Promise<void> {
+  await db("sessions").where("id", sessionId).update({ revoked: true });
+  await db("refresh_tokens").where("session_id", sessionId).update({ revoked: true });
+
+  await writeAuditLog({
+    user_id: userId,
+    action: "LOGOUT",
+    resource_type: "session",
+    resource_id: sessionId,
+    ip_address: ipAddress,
+    outcome: "success",
+  });
+}

package/src/services/encryption.ts

@@ -0,0 +1,76 @@
+import crypto from "crypto";
+import { config } from "../config/index.js";
+
+// ─── AES-256-GCM ENCRYPTION FOR PHI AT REST ────────────────
+// HIPAA §164.312(a)(2)(iv) — Encryption and decryption
+// Uses AES-256-GCM which provides both confidentiality AND integrity
+// Each field is encrypted with a unique IV (initialization vector)
+// ─────────────────────────────────────────────────────────────
+
+const ALGORITHM = "aes-256-gcm";
+const KEY = Buffer.from(config.encryption.key, "hex");
+const IV_LENGTH = config.encryption.ivLength;
+const AUTH_TAG_LENGTH = 16;
+
+if (KEY.length !== 32) {
+  throw new Error("ENCRYPTION_KEY must be 32 bytes (64 hex chars). Generate with: openssl rand -hex 32");
+}
+
+/**
+ * Encrypt a plaintext string. Returns: iv:authTag:ciphertext (all hex-encoded)
+ * Each encryption uses a random IV, so identical inputs produce different outputs.
+ */
+export function encrypt(plaintext: string): string {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, KEY, iv, { authTagLength: AUTH_TAG_LENGTH });
+
+  let encrypted = cipher.update(plaintext, "utf8", "hex");
+  encrypted += cipher.final("hex");
+  const authTag = cipher.getAuthTag().toString("hex");
+
+  return `${iv.toString("hex")}:${authTag}:${encrypted}`;
+}
+
+/**
+ * Decrypt a string produced by encrypt(). Verifies integrity via GCM auth tag.
+ */
+export function decrypt(encryptedData: string): string {
+  const parts = encryptedData.split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid encrypted data format");
+  }
+
+  const [ivHex, authTagHex, ciphertextHex] = parts;
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, KEY, iv, { authTagLength: AUTH_TAG_LENGTH });
+  decipher.setAuthTag(authTag);
+
+  let decrypted = decipher.update(ciphertextHex, "hex", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}
+
+/**
+ * Encrypt a JSON-serializable object. Used for structured PHI like health metrics.
+ */
+export function encryptJSON(data: unknown): string {
+  return encrypt(JSON.stringify(data));
+}
+
+/**
+ * Decrypt and parse a JSON object.
+ */
+export function decryptJSON<T = unknown>(encryptedData: string): T {
+  return JSON.parse(decrypt(encryptedData)) as T;
+}
+
+/**
+ * Hash data one-way (for indexing encrypted fields without revealing values).
+ * Uses HMAC-SHA256 so the hash is deterministic but requires the key to reproduce.
+ */
+export function hmacHash(data: string): string {
+  return crypto.createHmac("sha256", KEY).update(data).digest("hex");
+}

package/src/utils/logger.ts

@@ -0,0 +1,57 @@
+import winston from "winston";
+
+// ─── HIPAA LOGGING RULES ────────────────────────────────────
+// 1. NEVER log PHI (Protected Health Information)
+// 2. NEVER log passwords, tokens, or encryption keys
+// 3. DO log: timestamps, user IDs, action types, resource types
+// 4. Retain audit logs for 6 years minimum (HIPAA §164.530(j))
+// 5. All log files must be on encrypted storage
+// ─────────────────────────────────────────────────────────────
+
+const logFormat = winston.format.combine(
+  winston.format.timestamp({ format: "YYYY-MM-DD HH:mm:ss.SSS" }),
+  winston.format.errors({ stack: true }),
+  winston.format.printf(({ timestamp, level, message, ...meta }) => {
+    const metaStr = Object.keys(meta).length ? ` ${JSON.stringify(meta)}` : "";
+    return `[${timestamp}] ${level.toUpperCase()}: ${message}${metaStr}`;
+  })
+);
+
+export const logger = winston.createLogger({
+  level: process.env.AUDIT_LOG_LEVEL || "info",
+  format: logFormat,
+  defaultMeta: { service: "allyve-backend" },
+  transports: [
+    // Console output (development)
+    new winston.transports.Console({
+      format: winston.format.combine(winston.format.colorize(), logFormat),
+    }),
+
+    // Application logs — rotated, no PHI
+    new winston.transports.File({
+      filename: "logs/app.log",
+      maxsize: 10 * 1024 * 1024, // 10MB
+      maxFiles: 30,
+    }),
+
+    // Error logs — separate file for alerts
+    new winston.transports.File({
+      filename: "logs/error.log",
+      level: "error",
+      maxsize: 10 * 1024 * 1024,
+      maxFiles: 90,
+    }),
+
+    // HIPAA Audit trail — separate, long-retention
+    new winston.transports.File({
+      filename: "logs/audit.log",
+      level: "info",
+      maxsize: 50 * 1024 * 1024,
+      maxFiles: 365, // Keep 1 year of files on disk; archive older to S3/GCS
+    }),
+  ],
+});
+
+// Ensure log directory exists
+import { mkdirSync } from "fs";
+try { mkdirSync("logs", { recursive: true }); } catch { /* exists */ }

package/tsconfig.json

@@ -0,0 +1,24 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["src/*"]
+    }
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}