streamflow/backend/middleware/securityEnhancements.js

/**
 * Enhanced Security Middleware
 * Implements account lockout, password expiry, and session management
 */

const { db } = require('../database/db');
const { ACCOUNT_LOCKOUT, PASSWORD_EXPIRY, SESSION_POLICY } = require('../utils/passwordPolicy');
const SecurityAuditLogger = require('../utils/securityAudit');
const logger = require('../utils/logger');

/**
 * Check if account is locked
 */
async function checkAccountLockout(userId) {
  return new Promise((resolve, reject) => {
    db.get(
      'SELECT locked_until FROM users WHERE id = ?',
      [userId],
      (err, user) => {
        if (err) return reject(err);
        if (!user) return resolve({ locked: false });

        if (user.locked_until) {
          const lockoutEnd = new Date(user.locked_until);
          const now = new Date();

          if (now < lockoutEnd) {
            const remainingMinutes = Math.ceil((lockoutEnd - now) / 60000);
            return resolve({
              locked: true,
              remainingMinutes,
              message: `Account locked. Try again in ${remainingMinutes} minutes.`
            });
          } else {
            // Lockout expired, clear it
            db.run('UPDATE users SET locked_until = NULL, failed_login_attempts = 0 WHERE id = ?', [userId]);
            return resolve({ locked: false });
          }
        }

        resolve({ locked: false });
      }
    );
  });
}

/**
 * Record failed login attempt
 */
async function recordFailedLogin(username, ip, userAgent) {
  try {
    // Log to audit
    await SecurityAuditLogger.logLoginFailure(username, 'Invalid credentials', { ip, userAgent });

    // Get user ID
    const user = await new Promise((resolve, reject) => {
      db.get('SELECT id, failed_login_attempts FROM users WHERE username = ? OR email = ?', [username, username], (err, row) => {
        if (err) reject(err);
        else resolve(row);
      });
    });

    if (!user) return;

    const failedAttempts = (user.failed_login_attempts || 0) + 1;

    // Update failed attempts
    await new Promise((resolve, reject) => {
      db.run(
        'UPDATE users SET failed_login_attempts = ?, last_failed_login = ? WHERE id = ?',
        [failedAttempts, new Date().toISOString(), user.id],
        (err) => err ? reject(err) : resolve()
      );
    });

    // Check if lockout threshold reached
    if (failedAttempts >= ACCOUNT_LOCKOUT.maxFailedAttempts) {
      const lockUntil = new Date(Date.now() + ACCOUNT_LOCKOUT.lockoutDuration).toISOString();
      
      await new Promise((resolve, reject) => {
        db.run(
          'UPDATE users SET locked_until = ? WHERE id = ?',
          [lockUntil, user.id],
          (err) => err ? reject(err) : resolve()
        );
      });

      await SecurityAuditLogger.logAccountLockout(user.id, { 
        ip, 
        userAgent, 
        failedAttempts 
      });

      logger.warn(`Account locked for user ${username} after ${failedAttempts} failed attempts`);
    }
  } catch (error) {
    logger.error('Error recording failed login:', error);
  }
}

/**
 * Clear failed login attempts on successful login
 */
async function clearFailedAttempts(userId) {
  return new Promise((resolve, reject) => {
    db.run(
      'UPDATE users SET failed_login_attempts = 0, last_failed_login = NULL WHERE id = ?',
      [userId],
      (err) => err ? reject(err) : resolve()
    );
  });
}

/**
 * Check if password has expired
 */
async function checkPasswordExpiry(userId) {
  if (!PASSWORD_EXPIRY.enabled) {
    return { expired: false, warning: false };
  }

  return new Promise((resolve, reject) => {
    db.get(
      'SELECT password_changed_at, password_expires_at FROM users WHERE id = ?',
      [userId],
      (err, user) => {
        if (err) return reject(err);
        if (!user) return resolve({ expired: false, warning: false });

        const now = new Date();
        let expiryDate;

        if (user.password_expires_at) {
          expiryDate = new Date(user.password_expires_at);
        } else if (user.password_changed_at) {
          expiryDate = new Date(user.password_changed_at);
          expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);
        } else {
          // No password change date, set expiry from now
          expiryDate = new Date();
          expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);
        }

        const daysUntilExpiry = Math.ceil((expiryDate - now) / (24 * 60 * 60 * 1000));

        if (daysUntilExpiry <= 0) {
          return resolve({
            expired: true,
            warning: false,
            message: 'Your password has expired. Please change it to continue.',
            gracePeriodDays: PASSWORD_EXPIRY.gracePeriodDays
          });
        }

        if (daysUntilExpiry <= PASSWORD_EXPIRY.warningDays) {
          return resolve({
            expired: false,
            warning: true,
            daysRemaining: daysUntilExpiry,
            message: `Your password will expire in ${daysUntilExpiry} days. Please change it soon.`
          });
        }

        resolve({ expired: false, warning: false });
      }
    );
  });
}

/**
 * Update password expiry date
 */
async function updatePasswordExpiry(userId) {
  if (!PASSWORD_EXPIRY.enabled) return;

  const now = new Date();
  const expiryDate = new Date(now);
  expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);

  return new Promise((resolve, reject) => {
    db.run(
      'UPDATE users SET password_changed_at = ?, password_expires_at = ? WHERE id = ?',
      [now.toISOString(), expiryDate.toISOString(), userId],
      (err) => err ? reject(err) : resolve()
    );
  });
}

/**
 * Middleware: Check account lockout before authentication
 */
const enforceAccountLockout = async (req, res, next) => {
  const { username } = req.body;
  
  if (!username) {
    return next();
  }

  try {
    // Get user
    const user = await new Promise((resolve, reject) => {
      db.get('SELECT id FROM users WHERE username = ? OR email = ?', [username, username], (err, row) => {
        if (err) reject(err);
        else resolve(row);
      });
    });

    if (!user) {
      return next(); // User doesn't exist, let auth handle it
    }

    // Check lockout
    const lockoutStatus = await checkAccountLockout(user.id);
    
    if (lockoutStatus.locked) {
      return res.status(423).json({
        error: lockoutStatus.message,
        remainingMinutes: lockoutStatus.remainingMinutes,
        locked: true
      });
    }

    next();
  } catch (error) {
    logger.error('Account lockout check error:', error);
    next();
  }
};

/**
 * Middleware: Check password expiry after authentication
 */
const enforcePasswordExpiry = async (req, res, next) => {
  if (!req.user || !req.user.userId) {
    return next();
  }

  try {
    const expiryStatus = await checkPasswordExpiry(req.user.userId);

    if (expiryStatus.expired) {
      return res.status(403).json({
        error: expiryStatus.message,
        passwordExpired: true,
        gracePeriodDays: expiryStatus.gracePeriodDays,
        requirePasswordChange: true
      });
    }

    if (expiryStatus.warning) {
      // Add warning header but allow request
      res.setHeader('X-Password-Expiry-Warning', expiryStatus.message);
      res.setHeader('X-Password-Days-Remaining', expiryStatus.daysRemaining.toString());
    }

    next();
  } catch (error) {
    logger.error('Password expiry check error:', error);
    next();
  }
};

/**
 * Manage active sessions
 */
async function createSession(userId, token, req) {
  const ip = req.ip || req.headers['x-forwarded-for'] || req.connection.remoteAddress;
  const userAgent = req.headers['user-agent'];
  const expiresAt = new Date(Date.now() + SESSION_POLICY.absoluteTimeout);

  // Check concurrent sessions
  const activeSessions = await new Promise((resolve, reject) => {
    db.all(
      'SELECT COUNT(*) as count FROM active_sessions WHERE user_id = ? AND expires_at > ?',
      [userId, new Date().toISOString()],
      (err, rows) => err ? reject(err) : resolve(rows[0].count)
    );
  });

  if (activeSessions >= SESSION_POLICY.maxConcurrentSessions) {
    // Remove oldest session
    await new Promise((resolve, reject) => {
      db.run(
        'DELETE FROM active_sessions WHERE id IN (SELECT id FROM active_sessions WHERE user_id = ? ORDER BY last_activity ASC LIMIT 1)',
        [userId],
        (err) => err ? reject(err) : resolve()
      );
    });
  }

  // Create new session
  return new Promise((resolve, reject) => {
    db.run(
      'INSERT INTO active_sessions (user_id, session_token, ip_address, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)',
      [userId, token, ip, userAgent, expiresAt.toISOString()],
      (err) => err ? reject(err) : resolve()
    );
  });
}

/**
 * Update session activity
 */
async function updateSessionActivity(token) {
  return new Promise((resolve, reject) => {
    db.run(
      'UPDATE active_sessions SET last_activity = ? WHERE session_token = ?',
      [new Date().toISOString(), token],
      (err) => err ? reject(err) : resolve()
    );
  });
}

/**
 * Cleanup expired sessions
 */
async function cleanupExpiredSessions() {
  return new Promise((resolve, reject) => {
    db.run(
      'DELETE FROM active_sessions WHERE expires_at < ?',
      [new Date().toISOString()],
      function(err) {
        if (err) reject(err);
        else {
          if (this.changes > 0) {
            logger.info(`Cleaned up ${this.changes} expired sessions`);
          }
          resolve(this.changes);
        }
      }
    );
  });
}

// Run session cleanup every hour
setInterval(cleanupExpiredSessions, 60 * 60 * 1000);

module.exports = {
  checkAccountLockout,
  recordFailedLogin,
  clearFailedAttempts,
  checkPasswordExpiry,
  updatePasswordExpiry,
  enforceAccountLockout,
  enforcePasswordExpiry,
  createSession,
  updateSessionActivity,
  cleanupExpiredSessions
};
Initial commit: StreamFlow IPTV platform 2025-12-17 00:42:43 +00:00			`/**`
			`* Enhanced Security Middleware`
			`* Implements account lockout, password expiry, and session management`
			`*/`

			`const { db } = require('../database/db');`
			`const { ACCOUNT_LOCKOUT, PASSWORD_EXPIRY, SESSION_POLICY } = require('../utils/passwordPolicy');`
			`const SecurityAuditLogger = require('../utils/securityAudit');`
			`const logger = require('../utils/logger');`

			`/**`
			`* Check if account is locked`
			`*/`
			`async function checkAccountLockout(userId) {`
			`return new Promise((resolve, reject) => {`
			`db.get(`
			`'SELECT locked_until FROM users WHERE id = ?',`
			`[userId],`
			`(err, user) => {`
			`if (err) return reject(err);`
			`if (!user) return resolve({ locked: false });`

			`if (user.locked_until) {`
			`const lockoutEnd = new Date(user.locked_until);`
			`const now = new Date();`

			`if (now < lockoutEnd) {`
			`const remainingMinutes = Math.ceil((lockoutEnd - now) / 60000);`
			`return resolve({`
			`locked: true,`
			`remainingMinutes,`
			message: `Account locked. Try again in ${remainingMinutes} minutes.`
			`});`
			`} else {`
			`// Lockout expired, clear it`
			`db.run('UPDATE users SET locked_until = NULL, failed_login_attempts = 0 WHERE id = ?', [userId]);`
			`return resolve({ locked: false });`
			`}`
			`}`

			`resolve({ locked: false });`
			`}`
			`);`
			`});`
			`}`

			`/**`
			`* Record failed login attempt`
			`*/`
			`async function recordFailedLogin(username, ip, userAgent) {`
			`try {`
			`// Log to audit`
			`await SecurityAuditLogger.logLoginFailure(username, 'Invalid credentials', { ip, userAgent });`

			`// Get user ID`
			`const user = await new Promise((resolve, reject) => {`
			`db.get('SELECT id, failed_login_attempts FROM users WHERE username = ? OR email = ?', [username, username], (err, row) => {`
			`if (err) reject(err);`
			`else resolve(row);`
			`});`
			`});`

			`if (!user) return;`

			`const failedAttempts = (user.failed_login_attempts \|\| 0) + 1;`

			`// Update failed attempts`
			`await new Promise((resolve, reject) => {`
			`db.run(`
			`'UPDATE users SET failed_login_attempts = ?, last_failed_login = ? WHERE id = ?',`
			`[failedAttempts, new Date().toISOString(), user.id],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`

			`// Check if lockout threshold reached`
			`if (failedAttempts >= ACCOUNT_LOCKOUT.maxFailedAttempts) {`
			`const lockUntil = new Date(Date.now() + ACCOUNT_LOCKOUT.lockoutDuration).toISOString();`

			`await new Promise((resolve, reject) => {`
			`db.run(`
			`'UPDATE users SET locked_until = ? WHERE id = ?',`
			`[lockUntil, user.id],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`

			`await SecurityAuditLogger.logAccountLockout(user.id, {`
			`ip,`
			`userAgent,`
			`failedAttempts`
			`});`

			logger.warn(`Account locked for user ${username} after ${failedAttempts} failed attempts`);
			`}`
			`} catch (error) {`
			`logger.error('Error recording failed login:', error);`
			`}`
			`}`

			`/**`
			`* Clear failed login attempts on successful login`
			`*/`
			`async function clearFailedAttempts(userId) {`
			`return new Promise((resolve, reject) => {`
			`db.run(`
			`'UPDATE users SET failed_login_attempts = 0, last_failed_login = NULL WHERE id = ?',`
			`[userId],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`
			`}`

			`/**`
			`* Check if password has expired`
			`*/`
			`async function checkPasswordExpiry(userId) {`
			`if (!PASSWORD_EXPIRY.enabled) {`
			`return { expired: false, warning: false };`
			`}`

			`return new Promise((resolve, reject) => {`
			`db.get(`
			`'SELECT password_changed_at, password_expires_at FROM users WHERE id = ?',`
			`[userId],`
			`(err, user) => {`
			`if (err) return reject(err);`
			`if (!user) return resolve({ expired: false, warning: false });`

			`const now = new Date();`
			`let expiryDate;`

			`if (user.password_expires_at) {`
			`expiryDate = new Date(user.password_expires_at);`
			`} else if (user.password_changed_at) {`
			`expiryDate = new Date(user.password_changed_at);`
			`expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);`
			`} else {`
			`// No password change date, set expiry from now`
			`expiryDate = new Date();`
			`expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);`
			`}`

			`const daysUntilExpiry = Math.ceil((expiryDate - now) / (24 * 60 * 60 * 1000));`

			`if (daysUntilExpiry <= 0) {`
			`return resolve({`
			`expired: true,`
			`warning: false,`
			`message: 'Your password has expired. Please change it to continue.',`
			`gracePeriodDays: PASSWORD_EXPIRY.gracePeriodDays`
			`});`
			`}`

			`if (daysUntilExpiry <= PASSWORD_EXPIRY.warningDays) {`
			`return resolve({`
			`expired: false,`
			`warning: true,`
			`daysRemaining: daysUntilExpiry,`
			message: `Your password will expire in ${daysUntilExpiry} days. Please change it soon.`
			`});`
			`}`

			`resolve({ expired: false, warning: false });`
			`}`
			`);`
			`});`
			`}`

			`/**`
			`* Update password expiry date`
			`*/`
			`async function updatePasswordExpiry(userId) {`
			`if (!PASSWORD_EXPIRY.enabled) return;`

			`const now = new Date();`
			`const expiryDate = new Date(now);`
			`expiryDate.setDate(expiryDate.getDate() + PASSWORD_EXPIRY.expiryDays);`

			`return new Promise((resolve, reject) => {`
			`db.run(`
			`'UPDATE users SET password_changed_at = ?, password_expires_at = ? WHERE id = ?',`
			`[now.toISOString(), expiryDate.toISOString(), userId],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`
			`}`

			`/**`
			`* Middleware: Check account lockout before authentication`
			`*/`
			`const enforceAccountLockout = async (req, res, next) => {`
			`const { username } = req.body;`

			`if (!username) {`
			`return next();`
			`}`

			`try {`
			`// Get user`
			`const user = await new Promise((resolve, reject) => {`
			`db.get('SELECT id FROM users WHERE username = ? OR email = ?', [username, username], (err, row) => {`
			`if (err) reject(err);`
			`else resolve(row);`
			`});`
			`});`

			`if (!user) {`
			`return next(); // User doesn't exist, let auth handle it`
			`}`

			`// Check lockout`
			`const lockoutStatus = await checkAccountLockout(user.id);`

			`if (lockoutStatus.locked) {`
			`return res.status(423).json({`
			`error: lockoutStatus.message,`
			`remainingMinutes: lockoutStatus.remainingMinutes,`
			`locked: true`
			`});`
			`}`

			`next();`
			`} catch (error) {`
			`logger.error('Account lockout check error:', error);`
			`next();`
			`}`
			`};`

			`/**`
			`* Middleware: Check password expiry after authentication`
			`*/`
			`const enforcePasswordExpiry = async (req, res, next) => {`
			`if (!req.user \|\| !req.user.userId) {`
			`return next();`
			`}`

			`try {`
			`const expiryStatus = await checkPasswordExpiry(req.user.userId);`

			`if (expiryStatus.expired) {`
			`return res.status(403).json({`
			`error: expiryStatus.message,`
			`passwordExpired: true,`
			`gracePeriodDays: expiryStatus.gracePeriodDays,`
			`requirePasswordChange: true`
			`});`
			`}`

			`if (expiryStatus.warning) {`
			`// Add warning header but allow request`
			`res.setHeader('X-Password-Expiry-Warning', expiryStatus.message);`
			`res.setHeader('X-Password-Days-Remaining', expiryStatus.daysRemaining.toString());`
			`}`

			`next();`
			`} catch (error) {`
			`logger.error('Password expiry check error:', error);`
			`next();`
			`}`
			`};`

			`/**`
			`* Manage active sessions`
			`*/`
			`async function createSession(userId, token, req) {`
			`const ip = req.ip \|\| req.headers['x-forwarded-for'] \|\| req.connection.remoteAddress;`
			`const userAgent = req.headers['user-agent'];`
			`const expiresAt = new Date(Date.now() + SESSION_POLICY.absoluteTimeout);`

			`// Check concurrent sessions`
			`const activeSessions = await new Promise((resolve, reject) => {`
			`db.all(`
			`'SELECT COUNT(*) as count FROM active_sessions WHERE user_id = ? AND expires_at > ?',`
			`[userId, new Date().toISOString()],`
			`(err, rows) => err ? reject(err) : resolve(rows[0].count)`
			`);`
			`});`

			`if (activeSessions >= SESSION_POLICY.maxConcurrentSessions) {`
			`// Remove oldest session`
			`await new Promise((resolve, reject) => {`
			`db.run(`
			`'DELETE FROM active_sessions WHERE id IN (SELECT id FROM active_sessions WHERE user_id = ? ORDER BY last_activity ASC LIMIT 1)',`
			`[userId],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`
			`}`

			`// Create new session`
			`return new Promise((resolve, reject) => {`
			`db.run(`
			`'INSERT INTO active_sessions (user_id, session_token, ip_address, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)',`
			`[userId, token, ip, userAgent, expiresAt.toISOString()],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`
			`}`

			`/**`
			`* Update session activity`
			`*/`
			`async function updateSessionActivity(token) {`
			`return new Promise((resolve, reject) => {`
			`db.run(`
			`'UPDATE active_sessions SET last_activity = ? WHERE session_token = ?',`
			`[new Date().toISOString(), token],`
			`(err) => err ? reject(err) : resolve()`
			`);`
			`});`
			`}`

			`/**`
			`* Cleanup expired sessions`
			`*/`
			`async function cleanupExpiredSessions() {`
			`return new Promise((resolve, reject) => {`
			`db.run(`
			`'DELETE FROM active_sessions WHERE expires_at < ?',`
			`[new Date().toISOString()],`
			`function(err) {`
			`if (err) reject(err);`
			`else {`
			`if (this.changes > 0) {`
			logger.info(`Cleaned up ${this.changes} expired sessions`);
			`}`
			`resolve(this.changes);`
			`}`
			`}`
			`);`
			`});`
			`}`

			`// Run session cleanup every hour`
			`setInterval(cleanupExpiredSessions, 60 * 60 * 1000);`

			`module.exports = {`
			`checkAccountLockout,`
			`recordFailedLogin,`
			`clearFailedAttempts,`
			`checkPasswordExpiry,`
			`updatePasswordExpiry,`
			`enforceAccountLockout,`
			`enforcePasswordExpiry,`
			`createSession,`
			`updateSessionActivity,`
			`cleanupExpiredSessions`
			`};`