hedgequantx 1.8.49 → 2.3.0

package/src/security/encryption.js

@@ -5,76 +5,87 @@
 
 const crypto = require('crypto');
 const os = require('os');
+const { SECURITY } = require('../config/settings');
 
-// Algorithm configuration
-const ALGORITHM = 'aes-256-gcm';
-const IV_LENGTH = 16;
-const AUTH_TAG_LENGTH = 16;
-const SALT_LENGTH = 32;
-const KEY_LENGTH = 32;
-const ITERATIONS = 100000;
+const {
+  ALGORITHM,
+  IV_LENGTH,
+  SALT_LENGTH,
+  KEY_LENGTH,
+  PBKDF2_ITERATIONS,
+  TOKEN_VISIBLE_CHARS,
+} = SECURITY;
+
+/** @type {Buffer|null} Cached machine key */
+let cachedMachineKey = null;
 
 /**
  * Derives a unique machine key from hardware identifiers
- * @returns {string} Machine-specific key
+ * @returns {Buffer} Machine-specific key (cached)
  * @private
  */
 const getMachineKey = () => {
+  if (cachedMachineKey) return cachedMachineKey;
+  
   const components = [
     os.hostname(),
     os.platform(),
     os.arch(),
-    os.cpus()[0]?.model || 'unknown',
+    os.cpus()[0]?.model || 'cpu',
     os.homedir(),
-    process.env.USER || process.env.USERNAME || 'user'
-  ];
-  return crypto.createHash('sha256').update(components.join('|')).digest('hex');
+    process.env.USER || process.env.USERNAME || 'user',
+  ].join('|');
+  
+  cachedMachineKey = crypto.createHash('sha256').update(components).digest();
+  return cachedMachineKey;
 };
 
 /**
  * Derives encryption key from password and salt using PBKDF2
- * @param {string} password - Password to derive key from
+ * @param {Buffer|string} password - Password to derive key from
  * @param {Buffer} salt - Salt for key derivation
  * @returns {Buffer} Derived key
  * @private
  */
 const deriveKey = (password, salt) => {
-  return crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LENGTH, 'sha512');
+  const pwd = Buffer.isBuffer(password) ? password : Buffer.from(password);
+  return crypto.pbkdf2Sync(pwd, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha512');
 };
 
 /**
  * Encrypts data using AES-256-GCM
  * @param {string} plaintext - Data to encrypt
- * @param {string} [password] - Optional password (uses machine key if not provided)
+ * @param {Buffer|string} [password] - Optional password (uses machine key if not provided)
  * @returns {string} Encrypted data as hex string (salt:iv:authTag:ciphertext)
  */
 const encrypt = (plaintext, password = null) => {
   if (!plaintext) return '';
   
-  const secret = password || getMachineKey();
+  const secret = password ? Buffer.from(password) : getMachineKey();
   const salt = crypto.randomBytes(SALT_LENGTH);
-  const key = deriveKey(secret, salt);
   const iv = crypto.randomBytes(IV_LENGTH);
+  const key = deriveKey(secret, salt);
   
   const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
-  let encrypted = cipher.update(plaintext, 'utf8', 'hex');
-  encrypted += cipher.final('hex');
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, 'utf8'),
+    cipher.final(),
+  ]);
   
   const authTag = cipher.getAuthTag();
   
-  // Format: salt:iv:authTag:ciphertext (all in hex)
   return [
     salt.toString('hex'),
     iv.toString('hex'),
     authTag.toString('hex'),
-    encrypted
+    encrypted.toString('hex'),
   ].join(':');
 };
 
 /**
  * Decrypts data encrypted with AES-256-GCM
  * @param {string} encryptedData - Encrypted data as hex string
- * @param {string} [password] - Optional password (uses machine key if not provided)
+ * @param {Buffer|string} [password] - Optional password (uses machine key if not provided)
  * @returns {string|null} Decrypted plaintext or null if decryption fails
  */
 const decrypt = (encryptedData, password = null) => {
@@ -85,40 +96,41 @@ const decrypt = (encryptedData, password = null) => {
     if (parts.length !== 4) return null;
     
     const [saltHex, ivHex, authTagHex, ciphertext] = parts;
-    
     const salt = Buffer.from(saltHex, 'hex');
     const iv = Buffer.from(ivHex, 'hex');
     const authTag = Buffer.from(authTagHex, 'hex');
+    const encrypted = Buffer.from(ciphertext, 'hex');
     
-    const secret = password || getMachineKey();
+    const secret = password ? Buffer.from(password) : getMachineKey();
     const key = deriveKey(secret, salt);
     
     const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
     decipher.setAuthTag(authTag);
     
-    let decrypted = decipher.update(ciphertext, 'hex', 'utf8');
-    decrypted += decipher.final('utf8');
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final(),
+    ]);
     
-    return decrypted;
-  } catch (error) {
-    // Decryption failed (wrong key, tampered data, etc.)
+    return decrypted.toString('utf8');
+  } catch {
     return null;
   }
 };
 
 /**
- * Hashes a password using SHA-512 with salt
+ * Hashes a password using PBKDF2-SHA512
  * @param {string} password - Password to hash
  * @returns {string} Hashed password (salt:hash in hex)
  */
 const hashPassword = (password) => {
   const salt = crypto.randomBytes(SALT_LENGTH);
-  const hash = crypto.pbkdf2Sync(password, salt, ITERATIONS, 64, 'sha512');
-  return salt.toString('hex') + ':' + hash.toString('hex');
+  const hash = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 64, 'sha512');
+  return `${salt.toString('hex')}:${hash.toString('hex')}`;
 };
 
 /**
- * Verifies a password against a hash
+ * Verifies a password against a hash using constant-time comparison
  * @param {string} password - Password to verify
  * @param {string} storedHash - Stored hash (salt:hash)
  * @returns {boolean} True if password matches
@@ -126,9 +138,13 @@ const hashPassword = (password) => {
 const verifyPassword = (password, storedHash) => {
   try {
     const [saltHex, hashHex] = storedHash.split(':');
+    if (!saltHex || !hashHex) return false;
+    
     const salt = Buffer.from(saltHex, 'hex');
-    const hash = crypto.pbkdf2Sync(password, salt, ITERATIONS, 64, 'sha512');
-    return hash.toString('hex') === hashHex;
+    const storedHashBuffer = Buffer.from(hashHex, 'hex');
+    const hash = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 64, 'sha512');
+    
+    return crypto.timingSafeEqual(hash, storedHashBuffer);
   } catch {
     return false;
   }
@@ -139,23 +155,40 @@ const verifyPassword = (password, storedHash) => {
  * @param {number} [length=32] - Token length in bytes
  * @returns {string} Random token as hex string
  */
-const generateToken = (length = 32) => {
-  return crypto.randomBytes(length).toString('hex');
-};
+const generateToken = (length = 32) => crypto.randomBytes(length).toString('hex');
 
 /**
  * Masks sensitive data for logging
  * @param {string} data - Data to mask
- * @param {number} [visibleChars=4] - Number of visible characters at start/end
+ * @param {number} [visibleChars] - Number of visible characters at start/end
  * @returns {string} Masked data
  */
-const maskSensitive = (data, visibleChars = 4) => {
-  if (!data || data.length <= visibleChars * 2) {
-    return '****';
+const maskSensitive = (data, visibleChars = TOKEN_VISIBLE_CHARS) => {
+  if (!data || typeof data !== 'string') return '****';
+  if (data.length <= visibleChars * 2) return '****';
+  
+  return `${data.slice(0, visibleChars)}****${data.slice(-visibleChars)}`;
+};
+
+/**
+ * Securely clears sensitive data from a buffer
+ * @param {Buffer} buffer - Buffer to clear
+ */
+const secureWipe = (buffer) => {
+  if (Buffer.isBuffer(buffer)) {
+    crypto.randomFillSync(buffer);
+    buffer.fill(0);
+  }
+};
+
+/**
+ * Clears cached machine key (call on logout for extra security)
+ */
+const clearCache = () => {
+  if (cachedMachineKey) {
+    secureWipe(cachedMachineKey);
+    cachedMachineKey = null;
   }
-  const start = data.substring(0, visibleChars);
-  const end = data.substring(data.length - visibleChars);
-  return `${start}****${end}`;
 };
 
 module.exports = {
@@ -164,5 +197,7 @@ module.exports = {
   hashPassword,
   verifyPassword,
   generateToken,
-  maskSensitive
+  maskSensitive,
+  secureWipe,
+  clearCache,
 };

package/src/security/index.js

@@ -9,7 +9,9 @@ const {
   hashPassword,
   verifyPassword,
   generateToken,
-  maskSensitive
+  maskSensitive,
+  secureWipe,
+  clearCache,
 } = require('./encryption');
 
 const {
@@ -22,14 +24,14 @@ const {
   validatePrice,
   validateSymbol,
   sanitizeString,
-  validateObject
+  validateObject,
 } = require('./validation');
 
 const {
   RateLimiter,
-  rateLimiters,
   getLimiter,
-  withRateLimit
+  withRateLimit,
+  resetAll,
 } = require('./rateLimit');
 
 module.exports = {
@@ -40,7 +42,9 @@ module.exports = {
   verifyPassword,
   generateToken,
   maskSensitive,
-  
+  secureWipe,
+  clearCache,
+
   // Validation
   ValidationError,
   validateUsername,
@@ -52,10 +56,10 @@ module.exports = {
   validateSymbol,
   sanitizeString,
   validateObject,
-  
+
   // Rate Limiting
   RateLimiter,
-  rateLimiters,
   getLimiter,
-  withRateLimit
+  withRateLimit,
+  resetAll,
 };

package/src/security/rateLimit.js

@@ -3,95 +3,101 @@
  * @module security/rateLimit
  */
 
+const { RATE_LIMITS } = require('../config/settings');
+
 /**
- * Rate limiter class for controlling request frequency
+ * High-performance rate limiter using sliding window
  */
 class RateLimiter {
   /**
-   * Creates a new rate limiter
    * @param {Object} options - Rate limiter options
    * @param {number} [options.maxRequests=60] - Maximum requests per window
    * @param {number} [options.windowMs=60000] - Time window in milliseconds
-   * @param {number} [options.minInterval=100] - Minimum interval between requests in ms
+   * @param {number} [options.minInterval=100] - Minimum interval between requests
    */
-  constructor(options = {}) {
-    this.maxRequests = options.maxRequests || 60;
-    this.windowMs = options.windowMs || 60000;
-    this.minInterval = options.minInterval || 100;
-    this.requests = [];
+  constructor({ maxRequests = 60, windowMs = 60000, minInterval = 100 } = {}) {
+    this.maxRequests = maxRequests;
+    this.windowMs = windowMs;
+    this.minInterval = minInterval;
+    this.timestamps = [];
     this.lastRequest = 0;
   }
 
   /**
-   * Cleans up old requests outside the current window
+   * Removes expired timestamps from the window
    * @private
    */
-  _cleanup() {
-    const now = Date.now();
-    const windowStart = now - this.windowMs;
-    this.requests = this.requests.filter(time => time > windowStart);
+  _prune() {
+    const cutoff = Date.now() - this.windowMs;
+    // Binary search would be overkill for typical request counts
+    while (this.timestamps.length && this.timestamps[0] <= cutoff) {
+      this.timestamps.shift();
+    }
   }
 
   /**
-   * Checks if a request is allowed
-   * @returns {boolean} True if request is allowed
+   * Checks if a request is allowed without recording it
+   * @returns {boolean}
    */
   canRequest() {
-    this._cleanup();
+    this._prune();
     const now = Date.now();
     
-    // Check minimum interval
     if (now - this.lastRequest < this.minInterval) {
       return false;
     }
     
-    // Check max requests in window
-    return this.requests.length < this.maxRequests;
+    return this.timestamps.length < this.maxRequests;
   }
 
   /**
-   * Records a request
+   * Records a request timestamp
    */
   recordRequest() {
     const now = Date.now();
-    this.requests.push(now);
+    this.timestamps.push(now);
     this.lastRequest = now;
   }
 
   /**
    * Gets remaining requests in current window
-   * @returns {number} Remaining requests
+   * @returns {number}
    */
-  getRemainingRequests() {
-    this._cleanup();
-    return Math.max(0, this.maxRequests - this.requests.length);
+  get remaining() {
+    this._prune();
+    return Math.max(0, this.maxRequests - this.timestamps.length);
   }
 
   /**
-   * Gets time until rate limit resets
-   * @returns {number} Milliseconds until reset
+   * Gets milliseconds until next slot is available
+   * @returns {number}
    */
-  getResetTime() {
-    if (this.requests.length === 0) return 0;
-    const oldestRequest = Math.min(...this.requests);
-    return Math.max(0, (oldestRequest + this.windowMs) - Date.now());
+  get resetIn() {
+    if (!this.timestamps.length) return 0;
+    this._prune();
+    if (this.timestamps.length < this.maxRequests) return 0;
+    return Math.max(0, this.timestamps[0] + this.windowMs - Date.now());
   }
 
   /**
-   * Waits until a request is allowed
-   * @returns {Promise<void>} Resolves when request is allowed
+   * Waits until a request slot is available
+   * @returns {Promise<void>}
    */
   async waitForSlot() {
     while (!this.canRequest()) {
-      const waitTime = Math.max(this.minInterval, this.getResetTime());
-      await new Promise(resolve => setTimeout(resolve, Math.min(waitTime, 1000)));
+      const waitTime = Math.max(
+        this.minInterval - (Date.now() - this.lastRequest),
+        Math.min(this.resetIn, 1000)
+      );
+      await new Promise(r => setTimeout(r, Math.max(1, waitTime)));
     }
   }
 
   /**
    * Executes a function with rate limiting
-   * @param {Function} fn - Function to execute
-   * @returns {Promise<any>} Result of the function
+   * @template T
+   * @param {() => Promise<T>} fn - Function to execute
+   * @returns {Promise<T>}
    */
   async execute(fn) {
     await this.waitForSlot();
@@ -103,53 +109,50 @@ class RateLimiter {
    * Resets the rate limiter
    */
   reset() {
-    this.requests = [];
+    this.timestamps = [];
     this.lastRequest = 0;
   }
 }
 
-/**
- * Creates rate limiters for different API endpoints
- */
-const rateLimiters = {
-  // General API calls - 60 per minute
-  api: new RateLimiter({ maxRequests: 60, windowMs: 60000, minInterval: 100 }),
-  
-  // Login attempts - 5 per minute (stricter for security)
-  login: new RateLimiter({ maxRequests: 5, windowMs: 60000, minInterval: 2000 }),
-  
-  // Order placement - 30 per minute
-  orders: new RateLimiter({ maxRequests: 30, windowMs: 60000, minInterval: 200 }),
-  
-  // Data fetching - 120 per minute
-  data: new RateLimiter({ maxRequests: 120, windowMs: 60000, minInterval: 50 })
-};
+/** @type {Map<string, RateLimiter>} */
+const limiters = new Map([
+  ['api', new RateLimiter(RATE_LIMITS.API)],
+  ['login', new RateLimiter(RATE_LIMITS.LOGIN)],
+  ['orders', new RateLimiter(RATE_LIMITS.ORDERS)],
+  ['data', new RateLimiter(RATE_LIMITS.DATA)],
+]);
 
 /**
  * Gets a rate limiter by name
  * @param {string} name - Rate limiter name
- * @returns {RateLimiter} Rate limiter instance
+ * @returns {RateLimiter}
  */
-const getLimiter = (name) => {
-  return rateLimiters[name] || rateLimiters.api;
-};
+const getLimiter = (name) => limiters.get(name) || limiters.get('api');
 
 /**
  * Wraps an async function with rate limiting
- * @param {Function} fn - Function to wrap
+ * @template T
+ * @param {(...args: any[]) => Promise<T>} fn - Function to wrap
  * @param {string} [limiterName='api'] - Rate limiter to use
- * @returns {Function} Rate-limited function
+ * @returns {(...args: any[]) => Promise<T>}
  */
 const withRateLimit = (fn, limiterName = 'api') => {
   const limiter = getLimiter(limiterName);
-  return async (...args) => {
-    return limiter.execute(() => fn(...args));
-  };
+  return (...args) => limiter.execute(() => fn(...args));
+};
+
+/**
+ * Resets all rate limiters
+ */
+const resetAll = () => {
+  for (const limiter of limiters.values()) {
+    limiter.reset();
+  }
 };
 
 module.exports = {
   RateLimiter,
-  rateLimiters,
   getLimiter,
-  withRateLimit
+  withRateLimit,
+  resetAll,
 };