cipher-shield 1.0.0

package/index.js

@@ -0,0 +1,75 @@
+/**
+ * cipher-shield v2.1 - Production Security Middleware
+ *
+ * A comprehensive, multi-layered security middleware for Node.js/Express applications.
+ * Provides AES encryption, ghost route protection, shadow banning, AI-powered
+ * threat detection, adaptive DEFCON escalation, and automated SSL certificate management.
+ *
+ * @module cipher-shield
+ * @version 1.0.0
+ * @author cipher-shield Team
+ * @license MIT
+ *
+ * @example
+ * ```javascript
+ * const express = require('express');
+ * const cipherShield = require('cipher-shield');
+ *
+ * const app = express();
+ * app.use(express.json());
+ *
+ * // Apply security middleware
+ * app.use(cipherShield({
+ *   encryption: {
+ *     enabled: true,
+ *     algorithm: 'aes-256-gcm',
+ *     secretKey: 'your-32-character-secret-key-here!!!'
+ *   },
+ *   ghostRoutes: ['/admin', '/.env', '/.git'],
+ *   shadowBan: { enabled: true, delayTime: 5000 },
+ *   aiGate: {
+ *     enabled: true,
+ *     provider: 'gemini',
+ *     gemini: { apiKey: process.env.GEMINI_API_KEY }
+ *   }
+ * }));
+ *
+ * // Enable SSL (new feature)
+ * const shield = new cipherShield.CipherShield({
+ *   // config
+ * });
+ * await shield.enableSSL({
+ *   email: 'admin@example.com',
+ *   domains: ['example.com'],
+ *   staging: true
+ * });
+ *
+ * // Your routes are now protected
+ * app.get('/api/data', (req, res) => res.json({ secure: true }));
+ * ```
+ *
+ * @see {@link https://github.com/your-repo/cipher-shield|GitHub Repository}
+ * @see {@link https://cipher-shield.dev|Documentation}
+ */
+
+// Import the CipherShield class
+const CipherShield = require('./src/shield');
+const SmartLogger = require('./src/smartLogger');
+const MagicAuth = require('./src/magicAuth');
+const { encrypt, decrypt, generateKey } = require('./src/core/aesEngine');
+
+// Backward compatibility: when called as a function, create instance and return middleware
+function cipherShieldFactory(config) {
+  const instance = new CipherShield(config);
+  return instance.middleware();
+}
+
+// Export both the factory function (for backward compatibility) and the class
+cipherShieldFactory.CipherShield = CipherShield;
+cipherShieldFactory.SmartLogger = SmartLogger;
+cipherShieldFactory.MagicAuth = MagicAuth;
+cipherShieldFactory.encrypt = encrypt;
+cipherShieldFactory.decrypt = decrypt;
+cipherShieldFactory.generateKey = generateKey;
+
+module.exports = cipherShieldFactory;

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "cipher-shield",
+  "version": "1.0.0",
+  "description": "Advanced active defense middleware for Node.js/Express with AES encryption, honeypot detection, AI threat analysis, and adaptive security. Features 9 AES algorithms, ghost routes, shadow ban, and DEFCON system.",
+  "main": "index.js",
+  "files": [
+    "src",
+    "index.js"
+  ],
+  "keywords": [
+    "security",
+    "middleware",
+    "express",
+    "honeypot",
+    "active-defense",
+    "aes",
+    "aes-gcm",
+    "aes-cbc",
+    "aes-ctr",
+    "ai-security",
+    "openai",
+    "gemini"
+  ],
+  "author": "Omindu Dissanayaka",
+  "license": "MIT",
+  "dependencies": {
+    "@google/generative-ai": "^0.24.1",
+    "acme-client": "^5.4.0",
+    "express": "^5.2.1",
+    "express-rate-limit": "^8.2.1",
+    "helmet": "^8.1.0",
+    "jsonwebtoken": "^9.0.3",
+    "node-forge": "^1.3.3",
+    "on-headers": "^1.1.0",
+    "openai": "^6.16.0"
+  },
+  "optionalDependencies": {
+    "dotenv": "^17.2.3"
+  },
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "directories": {
+    "example": "examples"
+  },
+  "scripts": {
+    "test": "node testing/test-suite.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/OminduDissanayaka/cipher-shield.git"
+  },
+  "bugs": {
+    "url": "https://github.com/OminduDissanayaka/cipher-shield/issues"
+  },
+  "homepage": "https://github.com/OminduDissanayaka/cipher-shield#readme"
+}

package/src/core/aesEngine.js

@@ -0,0 +1,369 @@
+/**
+ * Advanced AES Encryption/Decryption Engine v2.1
+ *
+ * High-performance AES encryption engine supporting multiple modes:
+ * - AES-256-GCM (recommended for authenticated encryption)
+ * - AES-256-CBC, AES-192-GCM/CBC/CTR, AES-128-GCM/CBC/CTR
+ *
+ * Features:
+ * - Authenticated encryption with GCM mode
+ * - Secure random IV generation
+ * - Comprehensive error handling
+ * - Performance optimized for high-throughput scenarios
+ *
+ * @module aesEngine
+ * @version 1.0.0
+ * @author Omindu Dissanayaka
+ * @license MIT
+ */
+
+const crypto = require('crypto');
+
+/**
+ * AES algorithm configurations with security parameters
+ * Each algorithm defines key length, IV length, and authentication properties
+ *
+ * @constant {Object.<string, Object>}
+ * @readonly
+ */
+const ALGORITHMS = Object.freeze({
+  'aes-256-cbc': Object.freeze({
+    name: 'aes-256-cbc',
+    keyLength: 32,
+    ivLength: 16,
+    authTag: false
+  }),
+  'aes-256-gcm': Object.freeze({
+    name: 'aes-256-gcm',
+    keyLength: 32,
+    ivLength: 12,
+    authTag: true,
+    authTagLength: 16
+  }),
+  'aes-256-ctr': Object.freeze({
+    name: 'aes-256-ctr',
+    keyLength: 32,
+    ivLength: 16,
+    authTag: false
+  }),
+  'aes-192-cbc': Object.freeze({
+    name: 'aes-192-cbc',
+    keyLength: 24,
+    ivLength: 16,
+    authTag: false
+  }),
+  'aes-192-gcm': Object.freeze({
+    name: 'aes-192-gcm',
+    keyLength: 24,
+    ivLength: 12,
+    authTag: true,
+    authTagLength: 16
+  }),
+  'aes-192-ctr': Object.freeze({
+    name: 'aes-192-ctr',
+    keyLength: 24,
+    ivLength: 16,
+    authTag: false
+  }),
+  'aes-128-cbc': Object.freeze({
+    name: 'aes-128-cbc',
+    keyLength: 16,
+    ivLength: 16,
+    authTag: false
+  }),
+  'aes-128-gcm': Object.freeze({
+    name: 'aes-128-gcm',
+    keyLength: 16,
+    ivLength: 12,
+    authTag: true,
+    authTagLength: 16
+  }),
+  'aes-128-ctr': Object.freeze({
+    name: 'aes-128-ctr',
+    keyLength: 16,
+    ivLength: 16,
+    authTag: false
+  })
+});
+
+/**
+ * Cached algorithm configurations for performance
+ * Avoids repeated object lookups during encryption/decryption
+ *
+ * @private
+ * @type {Map<string, Object>}
+ */
+const algorithmCache = new Map();
+
+/**
+ * Retrieves and caches algorithm configuration for performance
+ *
+ * @private
+ * @param {string} algorithm - AES algorithm name
+ * @returns {Object} Algorithm configuration object
+ * @throws {Error} If algorithm is not supported
+ */
+function getAlgorithmConfig(algorithm) {
+  if (algorithmCache.has(algorithm)) {
+    return algorithmCache.get(algorithm);
+  }
+
+  const config = ALGORITHMS[algorithm];
+  if (!config) {
+    const supported = Object.keys(ALGORITHMS).join(', ');
+    throw new Error(`Unsupported AES algorithm: ${algorithm}. Supported: ${supported}`);
+  }
+
+  algorithmCache.set(algorithm, config);
+  return config;
+}
+
+/**
+ * Validates secret key length and format for security
+ *
+ * @private
+ * @param {string} secretKey - The encryption/decryption key
+ * @param {number} requiredLength - Required key length in bytes
+ * @param {string} algorithm - Algorithm name for error messages
+ * @throws {Error} If key is invalid
+ */
+function validateKeyLength(secretKey, requiredLength, algorithm) {
+  if (!secretKey) {
+    throw new Error(`Secret key is required for ${algorithm}`);
+  }
+
+  if (typeof secretKey !== 'string') {
+    throw new Error(`Secret key must be a string for ${algorithm}`);
+  }
+
+  const expectedLength = requiredLength * 2;
+  if (secretKey.length !== expectedLength) {
+    throw new Error(`${algorithm} requires a ${expectedLength}-character hex-encoded secret key (got ${secretKey.length})`);
+  }
+
+  if (!/^[0-9a-fA-F]+$/.test(secretKey)) {
+    throw new Error(`Secret key must be valid hexadecimal for ${algorithm}`);
+  }
+}
+
+/**
+ * Validates encrypted data format before decryption
+ *
+ * @private
+ * @param {string} encryptedData - The encrypted data string
+ * @param {boolean} expectsAuthTag - Whether auth tag is expected
+ * @param {string} algorithm - Algorithm name for error messages
+ * @returns {Object} Parsed encryption components
+ * @throws {Error} If format is invalid
+ */
+function parseEncryptedData(encryptedData, expectsAuthTag, algorithm) {
+  if (!encryptedData || typeof encryptedData !== 'string') {
+    throw new Error('Encrypted data must be a non-empty string');
+  }
+
+  const parts = encryptedData.split(':');
+  const expectedParts = expectsAuthTag ? 4 : 3;
+
+  if (parts.length !== expectedParts) {
+    const format = expectsAuthTag ? 'algorithm:iv:authTag:encryptedData' : 'algorithm:iv:encryptedData';
+    throw new Error(`Invalid ${algorithm} encrypted data format. Expected: ${format}`);
+  }
+
+  const parsedAlgorithm = parts[0];
+  if (parsedAlgorithm !== algorithm) {
+    throw new Error(`Algorithm mismatch: expected ${algorithm}, got ${parsedAlgorithm}`);
+  }
+
+  return {
+    algorithm: parsedAlgorithm,
+    ivHex: parts[1],
+    authTagHex: expectsAuthTag ? parts[2] : null,
+    encryptedHex: expectsAuthTag ? parts[3] : parts[2]
+  };
+}
+
+/**
+ * Encrypts plaintext using specified AES algorithm with authenticated encryption
+ *
+ * Supports multiple AES modes with automatic IV generation and authentication tags
+ * for GCM mode. Uses cryptographically secure random IVs.
+ *
+ * @param {string} plaintext - The text to encrypt
+ * @param {string} secretKey - The encryption key (length must match algorithm requirements)
+ * @param {string} [algorithm='aes-256-gcm'] - AES algorithm to use
+ * @returns {string} Encrypted data in format: algorithm:iv[:authTag]:encryptedData
+ *
+ * @throws {Error} If parameters are invalid or encryption fails
+ *
+ * @example
+ * ```javascript
+ * const encrypted = aesEngine.encrypt('Hello World', 'my-32-char-secret-key!!!', 'aes-256-gcm');
+ * // Returns: aes-256-gcm:a1b2c3...:d4e5f6...:encrypted-data
+ * ```
+ */
+function encrypt(plaintext, secretKey, algorithm = 'aes-256-gcm') {
+  if (!plaintext || typeof plaintext !== 'string') {
+    throw new Error('Plaintext must be a non-empty string');
+  }
+
+  const config = getAlgorithmConfig(algorithm);
+  validateKeyLength(secretKey, config.keyLength, algorithm);
+
+  try {
+    const iv = crypto.randomBytes(config.ivLength);
+    const cipher = crypto.createCipheriv(config.name, Buffer.from(secretKey, 'hex'), iv);
+
+    let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+
+    if (config.authTag) {
+      const authTag = cipher.getAuthTag();
+      return `${algorithm}:${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+    }
+
+    return `${algorithm}:${iv.toString('hex')}:${encrypted}`;
+
+  } catch (error) {
+    throw new Error(`AES encryption failed for ${algorithm}: ${error.message}`);
+  }
+}
+
+/**
+ * Decrypts AES encrypted data with integrity verification
+ *
+ * Automatically detects encryption format and validates integrity for authenticated modes.
+ * Provides comprehensive error handling for corrupted or tampered data.
+ *
+ * @param {string} encryptedData - The encrypted data string
+ * @param {string} secretKey - The decryption key
+ * @param {string} [algorithm] - Optional algorithm override (auto-detected from data)
+ * @returns {string} The decrypted plaintext
+ *
+ * @throws {Error} If decryption fails, data is corrupted, or authentication fails
+ *
+ * @example
+ * ```javascript
+ * const decrypted = aesEngine.decrypt(encryptedString, 'my-32-char-secret-key!!!');
+ * console.log(decrypted); // 'Hello World'
+ * ```
+ */
+function decrypt(encryptedData, secretKey, algorithm) {
+  try {
+    const parts = encryptedData.split(':');
+
+    const detectedAlgorithm = algorithm || parts[0];
+    const config = getAlgorithmConfig(detectedAlgorithm);
+
+    const parsed = parseEncryptedData(encryptedData, config.authTag, detectedAlgorithm);
+    validateKeyLength(secretKey, config.keyLength, detectedAlgorithm);
+
+    const iv = Buffer.from(parsed.ivHex, 'hex');
+    const encrypted = parsed.encryptedHex;
+
+    if (iv.length !== config.ivLength) {
+      throw new Error(`Invalid IV length for ${detectedAlgorithm}: expected ${config.ivLength}, got ${iv.length}`);
+    }
+
+    const decipher = crypto.createDecipheriv(config.name, Buffer.from(secretKey, 'hex'), iv);
+
+    if (config.authTag) {
+      const authTag = Buffer.from(parsed.authTagHex, 'hex');
+      if (authTag.length !== config.authTagLength) {
+        throw new Error(`Invalid auth tag length for ${detectedAlgorithm}: expected ${config.authTagLength}, got ${authTag.length}`);
+      }
+      decipher.setAuthTag(authTag);
+    }
+
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+
+  } catch (error) {
+    if (error.message.includes('Unsupported state') || error.message.includes('Tag mismatch')) {
+      throw new Error(`Authentication failed: data may be corrupted or tampered with`);
+    }
+    if (error.message.includes('Invalid key length')) {
+      throw new Error(`Key length mismatch: ensure correct key for the algorithm`);
+    }
+    throw new Error(`AES decryption failed: ${error.message}`);
+  }
+}
+
+/**
+ * Generates a cryptographically secure random secret key for the specified algorithm
+ *
+ * Uses Node.js crypto.randomBytes() for maximum security. The generated key
+ * is suitable for immediate use with the corresponding AES algorithm.
+ *
+ * @param {string} [algorithm='aes-256-gcm'] - AES algorithm for key generation
+ * @returns {string} Random secret key of correct length for the algorithm
+ *
+ * @example
+ * ```javascript
+ * const key = aesEngine.generateKey('aes-256-gcm'); // 64-character hex key
+ * const encrypted = aesEngine.encrypt('data', key, 'aes-256-gcm');
+ * ```
+ */
+function generateKey(algorithm = 'aes-256-gcm') {
+  const config = getAlgorithmConfig(algorithm);
+
+  try {
+    const keyBytes = crypto.randomBytes(config.keyLength);
+    return keyBytes.toString('hex');
+  } catch (error) {
+    throw new Error(`Key generation failed for ${algorithm}: ${error.message}`);
+  }
+}
+
+/**
+ * Returns list of all supported AES algorithms
+ *
+ * @returns {string[]} Array of supported algorithm names
+ *
+ * @example
+ * ```javascript
+ * console.log(aesEngine.getSupportedAlgorithms());
+ * // ['aes-256-cbc', 'aes-256-gcm', 'aes-256-ctr', ...]
+ * ```
+ */
+function getSupportedAlgorithms() {
+  return Object.keys(ALGORITHMS);
+}
+
+/**
+ * Retrieves detailed information about a specific AES algorithm
+ *
+ * @param {string} algorithm - AES algorithm name
+ * @returns {Object} Algorithm information object
+ * @property {string} algorithm - Algorithm name
+ * @property {number} keyLength - Required key length in characters
+ * @property {number} ivLength - IV length in bytes
+ * @property {boolean} authenticationTag - Whether algorithm uses auth tags
+ * @property {number|null} authTagLength - Auth tag length in bytes (GCM only)
+ *
+ * @example
+ * ```javascript
+ * const info = aesEngine.getAlgorithmInfo('aes-256-gcm');
+ * console.log(info.keyLength); // 32
+ * ```
+ */
+function getAlgorithmInfo(algorithm) {
+  const config = getAlgorithmConfig(algorithm);
+  return {
+    algorithm: config.name,
+    keyLength: config.keyLength * 2,
+    ivLength: config.ivLength,
+    authenticationTag: config.authTag,
+    authTagLength: config.authTag ? config.authTagLength : null
+  };
+}
+
+module.exports = {
+  encrypt,
+  decrypt,
+  generateKey,
+  getSupportedAlgorithms,
+  getAlgorithmInfo,
+  ALGORITHMS
+};