Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .env.example
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,22 @@ GOVERNANCE_CONTRACT_ADDRESS=
BCRYPT_ROUNDS=12
SESSION_SECRET=your-session-secret-key-change-this-in-production

# Password Security
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_SPECIAL_CHARS=true
PASSWORD_REQUIRE_NUMBERS=true
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_HISTORY_COUNT=5
PASSWORD_EXPIRY_DAYS=90

# Authentication Security
JWT_BLACKLIST_ENABLED=true
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=900
SESSION_TIMEOUT=3600
MFA_ENABLED=true
MFA_CODE_EXPIRY=300

# Development
MOCK_BLOCKCHAIN=false
ENABLE_SEED_DATA=false
193 changes: 193 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
# Authentication Security Implementation

## Overview

This document describes the security enhancements implemented in the PropChain authentication system to strengthen security and remove insecure console logging.

## Security Features Implemented

### 1. Console Logging Removal
- **Issue**: Sensitive information (tokens, emails) was exposed in production logs
- **Solution**: Replaced all `console.log` statements with structured logging using `StructuredLoggerService`
- **Files Modified**: `src/auth/auth.service.ts`

### 2. Token Blacklisting
- **Issue**: JWT tokens couldn't be revoked once issued
- **Solution**: Implemented token blacklisting using Redis with automatic TTL expiration
- **Features**:
- Blacklist tokens on logout with proper TTL
- JWT guard checks blacklisted tokens
- Automatic cleanup of expired blacklisted tokens
- **Files Modified**:
- `src/auth/auth.service.ts`
- `src/auth/guards/jwt-auth.guard.ts`
- `src/auth/auth.controller.ts`

### 3. Brute Force Protection
- **Issue**: No protection against password guessing attacks
- **Solution**: Implemented login attempt tracking with account locking
- **Features**:
- Track failed attempts by email and IP address
- Lock accounts after configurable number of failed attempts
- Automatic lockout expiration
- Exponential backoff for repeated failures
- **Files Created**: `src/auth/guards/login-attempts.guard.ts`
- **Files Modified**:
- `src/auth/auth.controller.ts`
- `src/auth/auth.module.ts`

### 4. Enhanced Password Security
- **Issue**: Weak password requirements and no validation
- **Solution**: Implemented comprehensive password validation and security policies
- **Features**:
- Configurable password strength requirements
- Password pattern validation (length, special chars, numbers, uppercase)
- Common password pattern detection
- Configurable bcrypt rounds
- **Files Created**:
- `src/common/validators/password.validator.ts`
- **Files Modified**:
- `src/users/user.service.ts`
- `src/users/users.module.ts`
- `src/config/configuration.ts`
- `src/config/interfaces/joi-schema-config.interface.ts`

### 5. Session Management
- **Issue**: No proper session tracking or management
- **Solution**: Implemented Redis-based session management
- **Features**:
- Track active sessions per user
- Session timeout configuration
- API endpoints for session management
- Concurrent session limiting
- **Files Modified**:
- `src/auth/auth.service.ts`
- `src/auth/auth.controller.ts`

### 6. Multi-Factor Authentication (MFA)
- **Issue**: No additional authentication factors beyond password
- **Solution**: Implemented TOTP-based MFA with backup codes
- **Features**:
- TOTP (Time-based One-Time Password) support
- QR code generation for authenticator apps
- Backup codes for recovery
- MFA status management
- API endpoints for MFA setup and management
- **Files Created**:
- `src/auth/mfa/mfa.service.ts`
- `src/auth/mfa/mfa.controller.ts`
- `src/auth/mfa/mfa.module.ts`
- `src/auth/mfa/index.ts`

## Configuration

### Environment Variables

```env
# Password Security
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_SPECIAL_CHARS=true
PASSWORD_REQUIRE_NUMBERS=true
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_HISTORY_COUNT=5
PASSWORD_EXPIRY_DAYS=90

# Authentication Security
JWT_BLACKLIST_ENABLED=true
LOGIN_MAX_ATTEMPTS=5
LOGIN_LOCKOUT_DURATION=900
SESSION_TIMEOUT=3600
MFA_ENABLED=true
MFA_CODE_EXPIRY=300

# Security
BCRYPT_ROUNDS=12
SESSION_SECRET=your-session-secret-key-change-this-in-production
```

## API Endpoints

### Authentication
- `POST /auth/login` - Login with email/password (protected by brute force guard)
- `POST /auth/web3-login` - Web3 wallet login
- `POST /auth/logout` - Logout and blacklist current token
- `POST /auth/refresh-token` - Refresh access token
- `POST /auth/register` - Register new user
- `POST /auth/forgot-password` - Request password reset
- `PUT /auth/reset-password` - Reset password with token
- `GET /auth/verify-email/:token` - Verify email address

### Session Management
- `GET /auth/sessions` - Get all active sessions
- `DELETE /auth/sessions/:sessionId` - Invalidate specific session
- `DELETE /auth/sessions` - Invalidate all sessions

### MFA Management
- `POST /mfa/setup` - Generate MFA setup QR code
- `POST /mfa/verify` - Verify and complete MFA setup
- `GET /mfa/status` - Get MFA status
- `DELETE /mfa/disable` - Disable MFA
- `POST /mfa/backup-codes` - Generate new backup codes
- `POST /mfa/verify-backup` - Verify backup code

## Security Testing

### Unit Tests
- `test/auth/mfa.service.spec.ts` - MFA service unit tests
- Password validation tests in user service tests

### E2E Tests
- `test/auth/security.e2e-spec.ts` - Comprehensive security tests including:
- Token blacklisting
- Brute force protection
- Password security validation
- Session management

## Redis Schema

### Security Keys
```
# Login Attempts
login_attempts:{email} -> {count} (expires after lockout duration)
login_attempts:ip:{ip} -> {count} (expires after lockout duration)

# Token Blacklisting
blacklisted_token:{jti} -> {userId} (expires with token TTL)

# Active Sessions
active_session:{userId}:{jti} -> {sessionData} (expires with session TTL)

# MFA Data
mfa_setup:{userId} -> {secret} (temporary, expires after setup timeout)
mfa_secret:{userId} -> {secret} (permanent MFA secret)
mfa_backup_codes:{userId} -> {codesArray} (expires after 12 hours)
mfa_verified:{userId}:{token} -> {1} (prevents replay attacks, expires after timeout)
```

## Security Best Practices Implemented

1. **Never log sensitive data** - All sensitive information is filtered from logs
2. **Proper token invalidation** - Tokens can be blacklisted and revoked
3. **Rate limiting** - Prevents brute force attacks
4. **Strong password requirements** - Configurable password policies
5. **Session management** - Track and control active sessions
6. **Multi-factor authentication** - Additional security layer
7. **Secure configuration** - Environment-based security settings
8. **Comprehensive testing** - Unit and integration tests for security features

## Deployment Considerations

1. **Environment Configuration**: Ensure proper environment variables are set in production
2. **Redis Configuration**: Configure Redis with appropriate persistence and security settings
3. **Monitoring**: Set up monitoring for security events and failed login attempts
4. **Backup Codes**: Ensure users store MFA backup codes securely
5. **Regular Audits**: Periodically review security logs and configurations

## Future Enhancements

1. **IP-based restrictions** - Allow/deny lists for specific IP ranges
2. **Device fingerprinting** - Track and verify user devices
3. **Adaptive authentication** - Risk-based authentication decisions
4. **Security headers** - Implement additional HTTP security headers
5. **Audit logging** - Comprehensive security event logging
6. **Compliance reporting** - Generate security compliance reports
Loading
Loading