i18ntk 1.0.0

package/utils/admin-auth.js

@@ -0,0 +1,317 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const SecurityUtils = require('./security');
+const SettingsManager = require('../settings/settings-manager');
+
+/**
+ * Admin Authentication Module
+ * Provides secure PIN-based authentication for administrative operations
+ */
+class AdminAuth {
+  constructor() {
+    this.configPath = path.join(process.cwd(), '.i18n-admin-config.json');
+    this.settingsManager = SettingsManager;
+    
+    // Get settings from SettingsManager
+    const securitySettings = this.settingsManager.getSecurity();
+    this.sessionTimeout = (securitySettings.sessionTimeout || 30) * 60 * 1000; // Convert minutes to milliseconds
+    this.maxAttempts = securitySettings.maxFailedAttempts || 3;
+    this.lockoutDuration = (securitySettings.lockoutDuration || 15) * 60 * 1000; // Convert minutes to milliseconds
+    this.keepAuthenticatedUntilExit = securitySettings.keepAuthenticatedUntilExit !== false;
+    
+    this.activeSessions = new Map();
+    this.failedAttempts = new Map();
+    this.lockouts = new Map();
+    
+    // Clean up expired sessions every 5 minutes
+    this.cleanupInterval = setInterval(this.cleanupExpiredSessions.bind(this), 5 * 60 * 1000);
+  }
+
+  /**
+   * Initialize admin authentication system
+   */
+  async initialize() {
+    try {
+      if (!fs.existsSync(this.configPath)) {
+        // Create default config if it doesn't exist
+        const defaultConfig = {
+          enabled: false,
+          pinHash: null,
+          salt: null,
+          createdAt: new Date().toISOString(),
+          lastModified: new Date().toISOString()
+        };
+        await this.saveConfig(defaultConfig);
+      }
+      
+      SecurityUtils.logSecurityEvent('admin_auth_initialized', 'info', 'Admin authentication system initialized');
+      return true;
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_auth_init_error', 'error', `Failed to initialize admin auth: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Load admin configuration
+   */
+  async loadConfig() {
+    try {
+      if (!fs.existsSync(this.configPath)) {
+        return null;
+      }
+      
+      const content = await fs.promises.readFile(this.configPath, 'utf8');
+      return SecurityUtils.safeParseJSON(content);
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_config_load_error', 'error', `Failed to load admin config: ${error.message}`);
+      return null;
+    }
+  }
+
+  /**
+   * Save admin configuration
+   */
+  async saveConfig(config) {
+    try {
+      const content = JSON.stringify(config, null, 2);
+      await fs.promises.writeFile(this.configPath, content, { mode: 0o600 }); // Restrict permissions
+      SecurityUtils.logSecurityEvent('admin_config_saved', 'info', 'Admin configuration saved');
+      return true;
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_config_save_error', 'error', `Failed to save admin config: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Set up admin PIN
+   */
+  async setupPin(pin) {
+    try {
+      // Validate PIN format (4 digits)
+      if (!/^\d{4}$/.test(pin)) {
+        throw new Error('PIN must be exactly 4 digits');
+      }
+
+      // Generate salt and hash
+      const salt = crypto.randomBytes(32).toString('hex');
+      const pinHash = this.hashPin(pin, salt);
+
+      const config = {
+        enabled: true,
+        pinHash,
+        salt,
+        createdAt: new Date().toISOString(),
+        lastModified: new Date().toISOString()
+      };
+
+      const success = await this.saveConfig(config);
+      if (success) {
+        SecurityUtils.logSecurityEvent('admin_pin_setup', 'info', 'Admin PIN configured successfully');
+      }
+      return success;
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_pin_setup_error', 'error', `Failed to setup PIN: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Hash PIN with salt
+   */
+  hashPin(pin, salt) {
+    return crypto.pbkdf2Sync(pin, salt, 100000, 64, 'sha512').toString('hex');
+  }
+
+  /**
+   * Verify PIN
+   */
+  async verifyPin(pin) {
+    try {
+      const config = await this.loadConfig();
+      if (!config || !config.enabled) {
+        return true; // No authentication required if not enabled
+      }
+
+      // Check for lockout
+      const clientId = 'local'; // In a real app, this would be client IP or session ID
+      if (this.isLockedOut(clientId)) {
+        SecurityUtils.logSecurityEvent('admin_auth_lockout', 'warning', 'Authentication attempt during lockout period');
+        return false;
+      }
+
+      // Validate PIN format
+      if (!/^\d{4}$/.test(pin)) {
+        this.recordFailedAttempt(clientId);
+        SecurityUtils.logSecurityEvent('admin_auth_invalid_format', 'warning', 'Invalid PIN format attempted');
+        return false;
+      }
+
+      // Verify PIN
+      const pinHash = this.hashPin(pin, config.salt);
+      const isValid = pinHash === config.pinHash;
+
+      if (isValid) {
+        this.clearFailedAttempts(clientId);
+        SecurityUtils.logSecurityEvent('admin_auth_success', 'info', 'Admin authentication successful');
+        return true;
+      } else {
+        this.recordFailedAttempt(clientId);
+        SecurityUtils.logSecurityEvent('admin_auth_failure', 'warning', 'Admin authentication failed');
+        return false;
+      }
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_auth_error', 'error', `Authentication error: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Check if authentication is required
+   */
+  async isAuthRequired() {
+    // Check if admin PIN is enabled in settings
+    if (!this.settingsManager.isAdminPinEnabled()) {
+      return false;
+    }
+    
+    const config = await this.loadConfig();
+    return config && config.enabled;
+  }
+
+  /**
+   * Disable admin authentication
+   */
+  async disableAuth() {
+    try {
+      const config = await this.loadConfig();
+      if (config) {
+        config.enabled = false;
+        config.lastModified = new Date().toISOString();
+        const success = await this.saveConfig(config);
+        if (success) {
+          SecurityUtils.logSecurityEvent('admin_auth_disabled', 'info', 'Admin authentication disabled');
+        }
+        return success;
+      }
+      return true;
+    } catch (error) {
+      SecurityUtils.logSecurityEvent('admin_auth_disable_error', 'error', `Failed to disable auth: ${error.message}`);
+      return false;
+    }
+  }
+
+  /**
+   * Record failed authentication attempt
+   */
+  recordFailedAttempt(clientId) {
+    const now = Date.now();
+    const attempts = this.failedAttempts.get(clientId) || [];
+    
+    // Remove old attempts (older than lockout duration)
+    const recentAttempts = attempts.filter(time => now - time < this.lockoutDuration);
+    recentAttempts.push(now);
+    
+    this.failedAttempts.set(clientId, recentAttempts);
+  }
+
+  /**
+   * Clear failed attempts for client
+   */
+  clearFailedAttempts(clientId) {
+    this.failedAttempts.delete(clientId);
+  }
+
+  /**
+   * Check if client is locked out
+   */
+  isLockedOut(clientId) {
+    const attempts = this.failedAttempts.get(clientId) || [];
+    const now = Date.now();
+    
+    // Remove old attempts
+    const recentAttempts = attempts.filter(time => now - time < this.lockoutDuration);
+    this.failedAttempts.set(clientId, recentAttempts);
+    
+    return recentAttempts.length >= this.maxAttempts;
+  }
+
+  /**
+   * Create authenticated session
+   */
+  createSession() {
+    const sessionId = crypto.randomBytes(32).toString('hex');
+    const expiresAt = Date.now() + this.sessionTimeout;
+    
+    this.activeSessions.set(sessionId, {
+      createdAt: Date.now(),
+      expiresAt,
+      lastActivity: Date.now()
+    });
+    
+    SecurityUtils.logSecurityEvent('admin_session_created', 'info', 'Admin session created');
+    return sessionId;
+  }
+
+  /**
+   * Validate session
+   */
+  validateSession(sessionId) {
+    const session = this.activeSessions.get(sessionId);
+    if (!session) {
+      return false;
+    }
+    
+    const now = Date.now();
+    if (now > session.expiresAt) {
+      this.activeSessions.delete(sessionId);
+      SecurityUtils.logSecurityEvent('admin_session_expired', 'info', 'Admin session expired');
+      return false;
+    }
+    
+    // Update last activity
+    session.lastActivity = now;
+    return true;
+  }
+
+  /**
+   * Destroy session
+   */
+  destroySession(sessionId) {
+    const deleted = this.activeSessions.delete(sessionId);
+    if (deleted) {
+      SecurityUtils.logSecurityEvent('admin_session_destroyed', 'info', 'Admin session destroyed');
+    }
+    return deleted;
+  }
+
+  /**
+   * Clean up expired sessions
+   */
+  cleanupExpiredSessions() {
+    const now = Date.now();
+    let cleaned = 0;
+    
+    for (const [sessionId, session] of this.activeSessions.entries()) {
+      if (now > session.expiresAt) {
+        this.activeSessions.delete(sessionId);
+        cleaned++;
+      }
+    }
+    
+    if (cleaned > 0) {
+      SecurityUtils.logSecurityEvent('admin_sessions_cleaned', 'info', `Cleaned up ${cleaned} expired sessions`);
+    }
+  }
+
+  /**
+   * Clean up expired sessions (alias for backward compatibility)
+   */
+  cleanupSessions() {
+    return this.cleanupExpiredSessions();
+  }
+}
+
+module.exports = AdminAuth;

package/utils/admin-cli.js

@@ -0,0 +1,353 @@
+const readline = require('readline');
+const AdminAuth = require('./admin-auth');
+const SecurityUtils = require('./security');
+
+/**
+ * CLI Helper for Admin Authentication
+ */
+class AdminCLI {
+  constructor() {
+    this.adminAuth = new AdminAuth();
+    this.rl = null;
+  }
+
+  /**
+   * Initialize readline interface
+   */
+  initReadline() {
+    if (!this.rl) {
+      this.rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+        terminal: true,
+        historySize: 0
+      });
+    }
+    return this.rl;
+  }
+
+  /**
+   * Close readline interface
+   */
+  closeReadline() {
+    if (this.rl) {
+      this.rl.close();
+      this.rl = null;
+    }
+  }
+
+  /**
+   * Prompt for PIN input (hidden)
+   */
+  async promptPin(message = 'Enter admin PIN: ') {
+    return new Promise((resolve) => {
+      const rl = this.initReadline();
+      
+      // Check if stdin is a TTY (interactive terminal)
+      const stdin = process.stdin;
+      const isTTY = stdin.isTTY;
+      
+      if (isTTY) {
+         // Hide input for PIN in interactive mode
+         stdin.setRawMode(true);
+         stdin.resume();
+         stdin.setEncoding('utf8');
+       }
+       
+       if (isTTY) {
+         // Interactive mode with hidden input
+         let pin = '';
+         process.stdout.write(message);
+        
+        const onData = (char) => {
+          switch (char) {
+            case '\n':
+            case '\r':
+            case '\u0004': // Ctrl+D
+              stdin.setRawMode(false);
+              stdin.pause();
+              stdin.removeListener('data', onData);
+              process.stdout.write('\n');
+              resolve(pin);
+              break;
+            case '\u0003': // Ctrl+C
+              stdin.setRawMode(false);
+              stdin.pause();
+              stdin.removeListener('data', onData);
+              process.stdout.write('\n');
+              process.exit(1);
+              break;
+            case '\u007f': // Backspace
+              if (pin.length > 0) {
+                pin = pin.slice(0, -1);
+                process.stdout.write('\b \b');
+              }
+              break;
+            default:
+              if (char >= '0' && char <= '9' && pin.length < 4) {
+                pin += char;
+                process.stdout.write('*');
+              }
+              break;
+          }
+        };
+        
+        stdin.on('data', onData);
+      } else {
+        // Non-interactive mode (piped input)
+        rl.question(message, (answer) => {
+          resolve(answer.trim());
+        });
+      }
+    });
+  }
+
+  /**
+   * Prompt for yes/no confirmation
+   */
+  async promptConfirm(message) {
+    return new Promise((resolve) => {
+      const rl = this.initReadline();
+      rl.question(`${message} (y/N): `, (answer) => {
+        resolve(answer.toLowerCase().startsWith('y'));
+      });
+    });
+  }
+
+  /**
+   * Setup admin PIN
+   */
+  async setupAdminPin() {
+    try {
+      console.log('\n🔐 Setting up Admin PIN Protection');
+      console.log('This will require a 4-digit PIN for administrative operations.');
+      
+      const confirm = await this.promptConfirm('Do you want to enable admin PIN protection?');
+      if (!confirm) {
+        console.log('Admin PIN protection setup cancelled.');
+        this.closeReadline();
+        return false;
+      }
+
+      let pin1, pin2;
+      do {
+        pin1 = await this.promptPin('Enter a 4-digit PIN: ');
+        
+        if (!/^\d{4}$/.test(pin1)) {
+          console.log('❌ PIN must be exactly 4 digits. Please try again.');
+          continue;
+        }
+        
+        pin2 = await this.promptPin('Confirm PIN: ');
+        
+        if (pin1 !== pin2) {
+          console.log('❌ PINs do not match. Please try again.');
+        }
+      } while (pin1 !== pin2 || !/^\d{4}$/.test(pin1));
+
+      await this.adminAuth.initialize();
+      const success = await this.adminAuth.setupPin(pin1);
+      
+      if (success) {
+        console.log('✅ Admin PIN protection enabled successfully!');
+        console.log('⚠️  Remember your PIN - it cannot be recovered if lost.');
+        SecurityUtils.logSecurityEvent('admin_pin_setup_cli', 'info', 'Admin PIN setup completed via CLI');
+      } else {
+        console.log('❌ Failed to setup admin PIN protection.');
+      }
+      
+      this.closeReadline();
+      return success;
+    } catch (error) {
+      console.error('❌ Error setting up admin PIN:', error.message);
+      this.closeReadline();
+      return false;
+    }
+  }
+
+  /**
+   * Authenticate admin user
+   */
+  async authenticateAdmin(operation = 'administrative operation') {
+    try {
+      await this.adminAuth.initialize();
+      
+      const authRequired = await this.adminAuth.isAuthRequired();
+      if (!authRequired) {
+        return true; // No authentication required
+      }
+
+      console.log(`\n🔐 Admin authentication required for: ${operation}`);
+      
+      let attempts = 0;
+      const maxAttempts = 3;
+      
+      while (attempts < maxAttempts) {
+        const pin = await this.promptPin('Enter admin PIN: ');
+        
+        if (!/^\d{4}$/.test(pin)) {
+          console.log('❌ Invalid PIN format. PIN must be 4 digits.');
+          attempts++;
+          continue;
+        }
+        
+        const isValid = await this.adminAuth.verifyPin(pin);
+        
+        if (isValid) {
+          console.log('✅ Authentication successful!');
+          this.closeReadline();
+          return true;
+        } else {
+          attempts++;
+          const remaining = maxAttempts - attempts;
+          if (remaining > 0) {
+            console.log(`❌ Invalid PIN. ${remaining} attempts remaining.`);
+          }
+        }
+      }
+      
+      console.log('❌ Authentication failed. Access denied.');
+      SecurityUtils.logSecurityEvent('admin_auth_failed_cli', 'warning', `Admin authentication failed after ${maxAttempts} attempts`);
+      this.closeReadline();
+      return false;
+    } catch (error) {
+      console.error('❌ Authentication error:', error.message);
+      this.closeReadline();
+      return false;
+    }
+  }
+
+  /**
+   * Disable admin authentication
+   */
+  async disableAdminAuth() {
+    try {
+      await this.adminAuth.initialize();
+      
+      const authRequired = await this.adminAuth.isAuthRequired();
+      if (!authRequired) {
+        console.log('Admin PIN protection is not currently enabled.');
+        return true;
+      }
+
+      console.log('\n🔓 Disabling Admin PIN Protection');
+      
+      // Require authentication to disable
+      const authenticated = await this.authenticateAdmin('disable admin protection');
+      if (!authenticated) {
+        return false;
+      }
+      
+      const confirm = await this.promptConfirm('Are you sure you want to disable admin PIN protection?');
+      if (!confirm) {
+        console.log('Operation cancelled.');
+        this.closeReadline();
+        return false;
+      }
+      
+      const success = await this.adminAuth.disableAuth();
+      
+      if (success) {
+        console.log('✅ Admin PIN protection disabled.');
+        SecurityUtils.logSecurityEvent('admin_auth_disabled_cli', 'info', 'Admin PIN protection disabled via CLI');
+      } else {
+        console.log('❌ Failed to disable admin PIN protection.');
+      }
+      
+      this.closeReadline();
+      return success;
+    } catch (error) {
+      console.error('❌ Error disabling admin protection:', error.message);
+      this.closeReadline();
+      return false;
+    }
+  }
+
+  /**
+   * Show admin status
+   */
+  async showAdminStatus() {
+    try {
+      await this.adminAuth.initialize();
+      
+      const authRequired = await this.adminAuth.isAuthRequired();
+      
+      console.log('\n🔐 Admin Protection Status');
+      console.log('=' .repeat(30));
+      
+      if (authRequired) {
+        console.log('Status: ✅ ENABLED');
+        console.log('Protection: 4-digit PIN required for admin operations');
+        console.log('Lockout: 3 failed attempts = 15 minute lockout');
+      } else {
+        console.log('Status: ❌ DISABLED');
+        console.log('Protection: No authentication required');
+        console.log('Risk: Administrative operations are unprotected');
+      }
+      
+      return authRequired;
+    } catch (error) {
+      console.error('❌ Error checking admin status:', error.message);
+      return false;
+    }
+  }
+
+  /**
+   * Check if operation requires admin authentication
+   */
+  static requiresAdminAuth(operation) {
+    const adminOperations = [
+      'complete',
+      'manage',
+      'init',
+      'bulk-update',
+      'delete-language',
+      'reset-translations',
+      'delete',
+      'workflow'
+    ];
+    
+    return adminOperations.includes(operation);
+  }
+
+  /**
+   * Static method to check if operation requires auth (alias)
+   */
+  static requiresAuth(operation) {
+    return AdminCLI.requiresAdminAuth(operation);
+  }
+
+  /**
+   * Static method to authenticate
+   */
+  static async authenticate(operation = 'administrative operation') {
+    const cli = new AdminCLI();
+    return await cli.authenticateAdmin(operation);
+  }
+
+  /**
+   * Static method to setup admin
+   */
+  static async setupAdmin() {
+    const cli = new AdminCLI();
+    return await cli.setupAdminPin();
+  }
+
+  /**
+   * Static method to disable admin
+   */
+  static async disableAdmin() {
+    const cli = new AdminCLI();
+    return await cli.disableAdminAuth();
+  }
+
+  /**
+   * Static method to show status
+   */
+  static async showStatus() {
+    const cli = new AdminCLI();
+    return await cli.showAdminStatus();
+  }
+}
+
+module.exports = AdminCLI;