hedgequantx 1.1.1 → 1.2.31

package/src/security/index.js

@@ -0,0 +1,61 @@
+/**
+ * @fileoverview Security module exports
+ * @module security
+ */
+
+const {
+  encrypt,
+  decrypt,
+  hashPassword,
+  verifyPassword,
+  generateToken,
+  maskSensitive
+} = require('./encryption');
+
+const {
+  ValidationError,
+  validateUsername,
+  validatePassword,
+  validateApiKey,
+  validateAccountId,
+  validateQuantity,
+  validatePrice,
+  validateSymbol,
+  sanitizeString,
+  validateObject
+} = require('./validation');
+
+const {
+  RateLimiter,
+  rateLimiters,
+  getLimiter,
+  withRateLimit
+} = require('./rateLimit');
+
+module.exports = {
+  // Encryption
+  encrypt,
+  decrypt,
+  hashPassword,
+  verifyPassword,
+  generateToken,
+  maskSensitive,
+  
+  // Validation
+  ValidationError,
+  validateUsername,
+  validatePassword,
+  validateApiKey,
+  validateAccountId,
+  validateQuantity,
+  validatePrice,
+  validateSymbol,
+  sanitizeString,
+  validateObject,
+  
+  // Rate Limiting
+  RateLimiter,
+  rateLimiters,
+  getLimiter,
+  withRateLimit
+};

package/src/security/rateLimit.js

@@ -0,0 +1,155 @@
+/**
+ * @fileoverview Rate limiting utilities for API protection
+ * @module security/rateLimit
+ */
+
+/**
+ * Rate limiter class for controlling request frequency
+ */
+class RateLimiter {
+  /**
+   * Creates a new rate limiter
+   * @param {Object} options - Rate limiter options
+   * @param {number} [options.maxRequests=60] - Maximum requests per window
+   * @param {number} [options.windowMs=60000] - Time window in milliseconds
+   * @param {number} [options.minInterval=100] - Minimum interval between requests in ms
+   */
+  constructor(options = {}) {
+    this.maxRequests = options.maxRequests || 60;
+    this.windowMs = options.windowMs || 60000;
+    this.minInterval = options.minInterval || 100;
+    this.requests = [];
+    this.lastRequest = 0;
+  }
+
+  /**
+   * Cleans up old requests outside the current window
+   * @private
+   */
+  _cleanup() {
+    const now = Date.now();
+    const windowStart = now - this.windowMs;
+    this.requests = this.requests.filter(time => time > windowStart);
+  }
+
+  /**
+   * Checks if a request is allowed
+   * @returns {boolean} True if request is allowed
+   */
+  canRequest() {
+    this._cleanup();
+    const now = Date.now();
+    
+    // Check minimum interval
+    if (now - this.lastRequest < this.minInterval) {
+      return false;
+    }
+    
+    // Check max requests in window
+    return this.requests.length < this.maxRequests;
+  }
+
+  /**
+   * Records a request
+   */
+  recordRequest() {
+    const now = Date.now();
+    this.requests.push(now);
+    this.lastRequest = now;
+  }
+
+  /**
+   * Gets remaining requests in current window
+   * @returns {number} Remaining requests
+   */
+  getRemainingRequests() {
+    this._cleanup();
+    return Math.max(0, this.maxRequests - this.requests.length);
+  }
+
+  /**
+   * Gets time until rate limit resets
+   * @returns {number} Milliseconds until reset
+   */
+  getResetTime() {
+    if (this.requests.length === 0) return 0;
+    const oldestRequest = Math.min(...this.requests);
+    return Math.max(0, (oldestRequest + this.windowMs) - Date.now());
+  }
+
+  /**
+   * Waits until a request is allowed
+   * @returns {Promise<void>} Resolves when request is allowed
+   */
+  async waitForSlot() {
+    while (!this.canRequest()) {
+      const waitTime = Math.max(this.minInterval, this.getResetTime());
+      await new Promise(resolve => setTimeout(resolve, Math.min(waitTime, 1000)));
+    }
+  }
+
+  /**
+   * Executes a function with rate limiting
+   * @param {Function} fn - Function to execute
+   * @returns {Promise<any>} Result of the function
+   */
+  async execute(fn) {
+    await this.waitForSlot();
+    this.recordRequest();
+    return fn();
+  }
+
+  /**
+   * Resets the rate limiter
+   */
+  reset() {
+    this.requests = [];
+    this.lastRequest = 0;
+  }
+}
+
+/**
+ * Creates rate limiters for different API endpoints
+ */
+const rateLimiters = {
+  // General API calls - 60 per minute
+  api: new RateLimiter({ maxRequests: 60, windowMs: 60000, minInterval: 100 }),
+  
+  // Login attempts - 5 per minute (stricter for security)
+  login: new RateLimiter({ maxRequests: 5, windowMs: 60000, minInterval: 2000 }),
+  
+  // Order placement - 30 per minute
+  orders: new RateLimiter({ maxRequests: 30, windowMs: 60000, minInterval: 200 }),
+  
+  // Data fetching - 120 per minute
+  data: new RateLimiter({ maxRequests: 120, windowMs: 60000, minInterval: 50 })
+};
+
+/**
+ * Gets a rate limiter by name
+ * @param {string} name - Rate limiter name
+ * @returns {RateLimiter} Rate limiter instance
+ */
+const getLimiter = (name) => {
+  return rateLimiters[name] || rateLimiters.api;
+};
+
+/**
+ * Wraps an async function with rate limiting
+ * @param {Function} fn - Function to wrap
+ * @param {string} [limiterName='api'] - Rate limiter to use
+ * @returns {Function} Rate-limited function
+ */
+const withRateLimit = (fn, limiterName = 'api') => {
+  const limiter = getLimiter(limiterName);
+  return async (...args) => {
+    return limiter.execute(() => fn(...args));
+  };
+};
+
+module.exports = {
+  RateLimiter,
+  rateLimiters,
+  getLimiter,
+  withRateLimit
+};

package/src/security/validation.js

@@ -0,0 +1,253 @@
+/**
+ * @fileoverview Input validation and sanitization utilities
+ * @module security/validation
+ */
+
+/**
+ * Validation error class
+ */
+class ValidationError extends Error {
+  constructor(message, field = null) {
+    super(message);
+    this.name = 'ValidationError';
+    this.field = field;
+  }
+}
+
+/**
+ * Validates username format
+ * @param {string} username - Username to validate
+ * @returns {boolean} True if valid
+ * @throws {ValidationError} If invalid
+ */
+const validateUsername = (username) => {
+  if (!username || typeof username !== 'string') {
+    throw new ValidationError('Username is required', 'username');
+  }
+  
+  const trimmed = username.trim();
+  
+  if (trimmed.length < 3) {
+    throw new ValidationError('Username must be at least 3 characters', 'username');
+  }
+  
+  if (trimmed.length > 50) {
+    throw new ValidationError('Username must be less than 50 characters', 'username');
+  }
+  
+  // Allow alphanumeric, dots, underscores, hyphens, and @ for emails
+  if (!/^[a-zA-Z0-9._@-]+$/.test(trimmed)) {
+    throw new ValidationError('Username contains invalid characters', 'username');
+  }
+  
+  return true;
+};
+
+/**
+ * Validates password strength
+ * @param {string} password - Password to validate
+ * @param {Object} [options] - Validation options
+ * @param {number} [options.minLength=6] - Minimum length
+ * @param {boolean} [options.requireSpecial=false] - Require special character
+ * @returns {boolean} True if valid
+ * @throws {ValidationError} If invalid
+ */
+const validatePassword = (password, options = {}) => {
+  const { minLength = 6, requireSpecial = false } = options;
+  
+  if (!password || typeof password !== 'string') {
+    throw new ValidationError('Password is required', 'password');
+  }
+  
+  if (password.length < minLength) {
+    throw new ValidationError(`Password must be at least ${minLength} characters`, 'password');
+  }
+  
+  if (password.length > 128) {
+    throw new ValidationError('Password must be less than 128 characters', 'password');
+  }
+  
+  if (requireSpecial && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+    throw new ValidationError('Password must contain a special character', 'password');
+  }
+  
+  return true;
+};
+
+/**
+ * Validates API key format
+ * @param {string} apiKey - API key to validate
+ * @returns {boolean} True if valid
+ * @throws {ValidationError} If invalid
+ */
+const validateApiKey = (apiKey) => {
+  if (!apiKey || typeof apiKey !== 'string') {
+    throw new ValidationError('API key is required', 'apiKey');
+  }
+  
+  const trimmed = apiKey.trim();
+  
+  if (trimmed.length < 10) {
+    throw new ValidationError('API key is too short', 'apiKey');
+  }
+  
+  if (trimmed.length > 256) {
+    throw new ValidationError('API key is too long', 'apiKey');
+  }
+  
+  // Allow alphanumeric and common API key characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(trimmed)) {
+    throw new ValidationError('API key contains invalid characters', 'apiKey');
+  }
+  
+  return true;
+};
+
+/**
+ * Validates account ID
+ * @param {number|string} accountId - Account ID to validate
+ * @returns {number} Validated account ID as integer
+ * @throws {ValidationError} If invalid
+ */
+const validateAccountId = (accountId) => {
+  const id = parseInt(accountId, 10);
+  
+  if (isNaN(id) || id <= 0) {
+    throw new ValidationError('Invalid account ID', 'accountId');
+  }
+  
+  if (id > Number.MAX_SAFE_INTEGER) {
+    throw new ValidationError('Account ID is too large', 'accountId');
+  }
+  
+  return id;
+};
+
+/**
+ * Validates order quantity
+ * @param {number|string} quantity - Quantity to validate
+ * @param {Object} [options] - Validation options
+ * @param {number} [options.min=1] - Minimum quantity
+ * @param {number} [options.max=1000] - Maximum quantity
+ * @returns {number} Validated quantity as integer
+ * @throws {ValidationError} If invalid
+ */
+const validateQuantity = (quantity, options = {}) => {
+  const { min = 1, max = 1000 } = options;
+  const qty = parseInt(quantity, 10);
+  
+  if (isNaN(qty)) {
+    throw new ValidationError('Quantity must be a number', 'quantity');
+  }
+  
+  if (qty < min) {
+    throw new ValidationError(`Quantity must be at least ${min}`, 'quantity');
+  }
+  
+  if (qty > max) {
+    throw new ValidationError(`Quantity must be at most ${max}`, 'quantity');
+  }
+  
+  return qty;
+};
+
+/**
+ * Validates price
+ * @param {number|string} price - Price to validate
+ * @returns {number} Validated price as float
+ * @throws {ValidationError} If invalid
+ */
+const validatePrice = (price) => {
+  const p = parseFloat(price);
+  
+  if (isNaN(p)) {
+    throw new ValidationError('Price must be a number', 'price');
+  }
+  
+  if (p < 0) {
+    throw new ValidationError('Price cannot be negative', 'price');
+  }
+  
+  if (p > 1000000) {
+    throw new ValidationError('Price is too large', 'price');
+  }
+  
+  return p;
+};
+
+/**
+ * Validates symbol format
+ * @param {string} symbol - Symbol to validate
+ * @returns {string} Validated symbol (uppercase, trimmed)
+ * @throws {ValidationError} If invalid
+ */
+const validateSymbol = (symbol) => {
+  if (!symbol || typeof symbol !== 'string') {
+    throw new ValidationError('Symbol is required', 'symbol');
+  }
+  
+  const trimmed = symbol.trim().toUpperCase();
+  
+  if (trimmed.length < 1 || trimmed.length > 20) {
+    throw new ValidationError('Invalid symbol length', 'symbol');
+  }
+  
+  if (!/^[A-Z0-9]+$/.test(trimmed)) {
+    throw new ValidationError('Symbol contains invalid characters', 'symbol');
+  }
+  
+  return trimmed;
+};
+
+/**
+ * Sanitizes a string by removing potentially dangerous characters
+ * @param {string} input - Input to sanitize
+ * @returns {string} Sanitized string
+ */
+const sanitizeString = (input) => {
+  if (!input || typeof input !== 'string') return '';
+  
+  return input
+    .trim()
+    .replace(/[<>]/g, '') // Remove HTML brackets
+    .replace(/[\x00-\x1F\x7F]/g, '') // Remove control characters
+    .substring(0, 1000); // Limit length
+};
+
+/**
+ * Validates and sanitizes all fields in an object
+ * @param {Object} data - Data object to validate
+ * @param {Object} schema - Validation schema
+ * @returns {Object} Validated data
+ * @throws {ValidationError} If any field is invalid
+ */
+const validateObject = (data, schema) => {
+  const result = {};
+  
+  for (const [field, validator] of Object.entries(schema)) {
+    const value = data[field];
+    
+    if (typeof validator === 'function') {
+      result[field] = validator(value);
+    } else if (validator.required && (value === undefined || value === null)) {
+      throw new ValidationError(`${field} is required`, field);
+    } else if (value !== undefined && value !== null) {
+      result[field] = validator.validate ? validator.validate(value) : value;
+    }
+  }
+  
+  return result;
+};
+
+module.exports = {
+  ValidationError,
+  validateUsername,
+  validatePassword,
+  validateApiKey,
+  validateAccountId,
+  validateQuantity,
+  validatePrice,
+  validateSymbol,
+  sanitizeString,
+  validateObject
+};

package/src/services/hqx-server.js

@@ -6,11 +6,12 @@
 
 const WebSocket = require('ws');
 const crypto = require('crypto');
-const https = require('https');
+const http = require('http');
 
 // HQX Server Configuration - Contabo Dedicated Server
 const HQX_CONFIG = {
-  apiUrl: process.env.HQX_API_URL || 'http://173.212.223.75:3500',
+  host: process.env.HQX_HOST || '173.212.223.75',
+  port: process.env.HQX_PORT || 3500,
   wsUrl: process.env.HQX_WS_URL || 'ws://173.212.223.75:3500/ws',
   version: 'v1'
 };
@@ -19,8 +20,10 @@ class HQXServerService {
   constructor() {
     this.ws = null;
     this.token = null;
+    this.refreshToken = null;
     this.apiKey = null;
     this.sessionId = null;
+    this.userId = null;
     this.connected = false;
     this.reconnectAttempts = 0;
     this.maxReconnectAttempts = 5;
@@ -39,16 +42,16 @@ class HQXServerService {
   }
 
   /**
-   * HTTPS request helper
+   * HTTP request helper
    */
   _request(endpoint, method = 'GET', data = null) {
     return new Promise((resolve, reject) => {
-      const url = new URL(`${HQX_CONFIG.apiUrl}/${HQX_CONFIG.version}${endpoint}`);
+      const postData = data ? JSON.stringify(data) : null;
       
       const options = {
-        hostname: url.hostname,
-        port: 443,
-        path: url.pathname,
+        hostname: HQX_CONFIG.host,
+        port: HQX_CONFIG.port,
+        path: `/${HQX_CONFIG.version}${endpoint}`,
         method: method,
         headers: {
           'Content-Type': 'application/json',
@@ -57,6 +60,10 @@ class HQXServerService {
         }
       };
 
+      if (postData) {
+        options.headers['Content-Length'] = Buffer.byteLength(postData);
+      }
+
       if (this.token) {
         options.headers['Authorization'] = `Bearer ${this.token}`;
       }
@@ -64,7 +71,7 @@ class HQXServerService {
         options.headers['X-API-Key'] = this.apiKey;
       }
 
-      const req = https.request(options, (res) => {
+      const req = http.request(options, (res) => {
         let body = '';
         res.on('data', chunk => body += chunk);
         res.on('end', () => {
@@ -83,8 +90,8 @@ class HQXServerService {
         reject(new Error('Request timeout'));
       });
 
-      if (data) {
-        req.write(JSON.stringify(data));
+      if (postData) {
+        req.write(postData);
       }
 
       req.end();
@@ -93,20 +100,30 @@ class HQXServerService {
 
   /**
    * Authenticate with HQX Server
+   * @param {string} userId - User identifier (can be device ID or API key)
+   * @param {string} propfirm - PropFirm name (optional)
    */
-  async authenticate(apiKey) {
+  async authenticate(userId, propfirm = 'unknown') {
     try {
+      const deviceId = this._generateDeviceId();
+      
       const response = await this._request('/auth/token', 'POST', {
-        apiKey: apiKey,
-        deviceId: this._generateDeviceId(),
+        userId: userId || deviceId,
+        deviceId: deviceId,
+        propfirm: propfirm,
         timestamp: Date.now()
       });
 
       if (response.statusCode === 200 && response.data.success) {
-        this.token = response.data.token;
-        this.apiKey = apiKey;
-        this.sessionId = response.data.sessionId;
-        return { success: true, sessionId: this.sessionId };
+        this.token = response.data.data.token;
+        this.refreshToken = response.data.data.refreshToken;
+        this.apiKey = response.data.data.apiKey;
+        this.sessionId = response.data.data.sessionId;
+        return { 
+          success: true, 
+          sessionId: this.sessionId,
+          apiKey: this.apiKey
+        };
       } else {
         return { 
           success: false, 

package/src/services/index.js

@@ -1,5 +1,6 @@
 /**
- * Services Module Exports
+ * @fileoverview Services module exports
+ * @module services
  */
 
 const { ProjectXService } = require('./projectx');