SecureBitChat/securebit-chat
1
0
Fork 0
Code Issues Pull Requests Actions 4 Packages Projects Releases Wiki Activity

feat: Enhanced demo mode security and vulnerability fixes

Browse Source 
- **Fixed demo mode timing attack vulnerability** - Added strict rate limiting and user fingerprinting
- **Eliminated replay attack vectors** - Implemented preimage tracking and expiration validation
- **Enhanced key reuse protection** - Added cryptographic validation and session isolation
- **Strengthened free tier abuse prevention** - Multi-layer cooldown system with global limits

- **Secure user fingerprinting** - Browser-based identification without privacy invasion
- **Global session limits** - Maximum 10 concurrent demo sessions across all users
- **Per-user daily limits** - 3 demo sessions per 24 hours with smart cooldown
- **Session completion tracking** - Prevents rapid reconnection abuse
- **Enhanced preimage generation** - Timestamped, versioned, and entropy-validated

- **Configurable security layers** - Individual toggle for encryption, obfuscation, and traffic features
- **Debug mode controls** - `window.DEBUG_MODE` for detailed logging and diagnostics
- **Emergency security disable** - Graceful fallback when advanced features cause issues
- **Vulnerability testing support** - Controlled security layer bypass for penetration testing

- **Cross-session compatibility** - Works seamlessly with both paid and free sessions
- **Real-time UI updates** - Synchronized timer display across all components
- **Session state management** - Automatic cleanup and notification system
- **Payment integration** - Smooth transition between demo and paid sessions

- **Layered security architecture** - 7+ configurable security features with independent controls
- **Traffic analysis protection** - Advanced obfuscation with fake traffic and packet padding
- **Connection state monitoring** - Enhanced logging for security audit and debugging
- **Fallback mechanisms** - Robust error handling with security-first degradation

- **Structured security logs** - Detailed audit trail for security events
- **Performance monitoring** - Connection state and encryption layer metrics
- **Attack detection logging** - Comprehensive tracking of security violations
- **Development diagnostics** - Enhanced debugging for faster development cycles

- Refactored `PayPerSessionManager` with enhanced security controls
- Added `generateUserFingerprint()` with privacy-preserving identification
- Implemented `checkDemoSessionLimits()` with multi-tier validation
- Enhanced `EnhancedSecureWebRTCManager` with configurable security layers
- Added emergency security disable functionality for testing environments
- Improved session timer with cross-component synchronization

**Breaking Changes:** None - All changes are backward compatible
**Security Impact:** High - Eliminates critical vulnerabilities in free tier
**Testing Impact:** Significantly improved - New debug modes and security layer controls
This commit is contained in:
lockbitchat
2025-08-14 23:34:54 -04:00
parent 19e3047282
commit 5437bef9c5
7 changed files with 2211 additions and 901 deletions
Download Patch File Download Diff File Expand all files Collapse all files

571
index.html
View File

@@ -49,6 +49,13 @@
<link rel="stylesheet" href="src/styles/animations.css">
<link rel="stylesheet" href="src/styles/components.css">
<script>
// Global logging and function settings
window.DEBUG_MODE = true;
// Fake function settings (for stability)
window.DISABLE_FAKE_TRAFFIC = false; // Set true to disable fake messages
window.DISABLE_DECOY_CHANNELS = false; // Set true to disable decoy channels
// Enhanced icon loading fallback
document.addEventListener('DOMContentLoaded', function() {
// Check if Font Awesome loaded properly
@@ -1088,243 +1095,6 @@
);
}
// Enhanced Header Component with verification status
const EnhancedMinimalHeader = ({ status, fingerprint, verificationCode, onDisconnect, isConnected, securityLevel, sessionManager, sessionTimeLeft }) => {
const getStatusConfig = () => {
switch (status) {
case 'connected':
return {
text: 'Connected',
className: 'status-connected',
badgeClass: 'bg-green-500/10 text-green-400 border-green-500/20'
};
case 'verifying':
return {
text: 'Verifying...',
className: 'status-verifying',
badgeClass: 'bg-purple-500/10 text-purple-400 border-purple-500/20'
};
case 'connecting':
return {
text: 'Connecting...',
className: 'status-connecting',
badgeClass: 'bg-blue-500/10 text-blue-400 border-blue-500/20'
};
case 'retrying':
return {
text: 'Reconnecting...',
className: 'status-connecting',
badgeClass: 'bg-yellow-500/10 text-yellow-400 border-yellow-500/20'
};
case 'failed':
return {
text: 'Error',
className: 'status-failed',
badgeClass: 'bg-red-500/10 text-red-400 border-red-500/20'
};
case 'reconnecting':
return {
text: 'Reconnecting...',
className: 'status-connecting',
badgeClass: 'bg-yellow-500/10 text-yellow-400 border-yellow-500/20'
};
case 'peer_disconnected':
return {
text: 'Peer disconnected',
className: 'status-failed',
badgeClass: 'bg-orange-500/10 text-orange-400 border-orange-500/20'
};
default:
return {
text: 'Not connected',
className: 'status-disconnected',
badgeClass: 'bg-gray-500/10 text-gray-400 border-gray-500/20'
};
}
};
const config = getStatusConfig();
return React.createElement('header', {
className: 'header-minimal sticky top-0 z-50'
}, [
React.createElement('div', {
key: 'container',
className: 'max-w-7xl mx-auto px-4 sm:px-6 lg:px-8'
}, [
React.createElement('div', {
key: 'content',
className: 'flex items-center justify-between h-16'
}, [
// Logo and Title - Mobile Responsive
React.createElement('div', {
key: 'logo-section',
className: 'flex items-center space-x-2 sm:space-x-3'
}, [
React.createElement('div', {
key: 'logo',
className: 'icon-container w-8 h-8 sm:w-10 sm:h-10'
}, [
React.createElement('i', {
className: 'fas fa-shield-halved accent-orange text-sm sm:text-base'
})
]),
React.createElement('div', {
key: 'title-section'
}, [
React.createElement('h1', {
key: 'title',
className: 'text-lg sm:text-xl font-semibold text-primary'
}, 'SecureBit.chat'),
React.createElement('p', {
key: 'subtitle',
className: 'text-xs sm:text-sm text-muted hidden sm:block'
}, 'End-to-end freedom')
])
]),
// Status and Controls - Mobile Responsive
React.createElement('div', {
key: 'status-section',
className: 'flex items-center space-x-2 sm:space-x-3'
}, [
// Session Timer — show only if there is an active session
sessionManager?.hasActiveSession() && React.createElement(SessionTimer, {
key: 'session-timer',
timeLeft: sessionTimeLeft,
sessionType: sessionManager.currentSession?.type || 'unknown'
}),
// Security Level Indicator - Hidden on mobile, shown on tablet+ (Clickable)
securityLevel && React.createElement('div', {
key: 'security-level',
className: 'hidden md:flex items-center space-x-2 cursor-pointer hover:opacity-80 transition-opacity duration-200',
onClick: () => {
if (securityLevel.verificationResults) {
console.log('Security verification results:', securityLevel.verificationResults);
alert('Security check details:\n\n' +
Object.entries(securityLevel.verificationResults)
.map(([key, result]) => `${key}: ${result.passed ? '✅' : '❌'} ${result.details}`)
.join('\n')
);
}
},
title: 'Click to view security details'
}, [
React.createElement('div', {
key: 'security-icon',
className: `w-6 h-6 rounded-full flex items-center justify-center ${
securityLevel.color === 'green' ? 'bg-green-500/20' :
securityLevel.color === 'yellow' ? 'bg-yellow-500/20' : 'bg-red-500/20'
}`
}, [
React.createElement('i', {
className: `fas fa-shield-alt text-xs ${
securityLevel.color === 'green' ? 'text-green-400' :
securityLevel.color === 'yellow' ? 'text-yellow-400' : 'text-red-400'
}`
})
]),
React.createElement('div', {
key: 'security-info',
className: 'flex flex-col'
}, [
React.createElement('div', {
key: 'security-level-text',
className: 'text-xs font-medium text-primary'
}, `${securityLevel.level} (${securityLevel.score}%)`),
securityLevel.details && React.createElement('div', {
key: 'security-details',
className: 'text-xs text-muted mt-1 hidden lg:block'
}, securityLevel.details),
React.createElement('div', {
key: 'security-progress',
className: 'w-16 h-1 bg-gray-600 rounded-full overflow-hidden'
}, [
React.createElement('div', {
key: 'progress-bar',
className: `h-full transition-all duration-500 ${
securityLevel.color === 'green' ? 'bg-green-400' :
securityLevel.color === 'yellow' ? 'bg-yellow-400' : 'bg-red-400'
}`,
style: { width: `${securityLevel.score}%` }
})
])
])
]),
// Mobile Security Indicator - Only icon on mobile (Clickable)
securityLevel && React.createElement('div', {
key: 'mobile-security',
className: 'md:hidden flex items-center'
}, [
React.createElement('div', {
key: 'mobile-security-icon',
className: `w-8 h-8 rounded-full flex items-center justify-center cursor-pointer hover:opacity-80 transition-opacity duration-200 ${
securityLevel.color === 'green' ? 'bg-green-500/20' :
securityLevel.color === 'yellow' ? 'bg-yellow-500/20' : 'bg-red-500/20'
}`,
title: `${securityLevel.level} (${securityLevel.score}%) - Нажмите для деталей`,
onClick: () => {
if (securityLevel.verificationResults) {
console.log('Security verification results:', securityLevel.verificationResults);
alert('Детали проверки безопасности:\n\n' +
Object.entries(securityLevel.verificationResults)
.map(([key, result]) => `${key}: ${result.passed ? '✅' : '❌'} ${result.details}`)
.join('\n')
);
}
}
}, [
React.createElement('i', {
className: `fas fa-shield-alt text-sm ${
securityLevel.color === 'green' ? 'text-green-400' :
securityLevel.color === 'yellow' ? 'text-yellow-400' : 'text-red-400'
}`
})
])
]),
// Status Badge - Compact on mobile
React.createElement('div', {
key: 'status-badge',
className: `px-2 sm:px-3 py-1.5 rounded-lg border ${config.badgeClass} flex items-center space-x-1 sm:space-x-2`
}, [
React.createElement('span', {
key: 'status-dot',
className: `status-dot ${config.className}`
}),
React.createElement('span', {
key: 'status-text',
className: 'text-xs sm:text-sm font-medium'
}, config.text)
]),
// Disconnect Button - Icon only on mobile
isConnected && React.createElement('button', {
key: 'disconnect-btn',
onClick: onDisconnect,
className: 'p-1.5 sm:px-3 sm:py-1.5 bg-red-500/10 hover:bg-red-500/20 text-red-400 border border-red-500/20 rounded-lg transition-all duration-200 text-sm'
}, [
React.createElement('i', {
key: 'disconnect-icon',
className: 'fas fa-power-off sm:mr-2'
}),
React.createElement('span', {
key: 'disconnect-text',
className: 'hidden sm:inline'
}, 'Disconnect')
])
])
])
]),
]);
};
// Enhanced Copy Button with better UX
const EnhancedCopyButton = ({ text, className = "", children }) => {
@@ -2251,11 +2021,27 @@
React.createElement(SessionTypeSelector, {
key: 'session-selector',
onSelectType: (sessionType) => {
// Открываем модальное окно оплаты
// Save the selected session type
setSelectedSessionType(sessionType);
console.log('🎯 Session type selected:', sessionType);
// FIX: For demo sessions, we immediately call automatic activation
if (sessionType === 'demo') {
console.log('🎮 Demo session selected, scheduling automatic activation...');
// Delay activation for 2 seconds to stabilize
setTimeout(() => {
if (sessionManager) {
console.log('🚀 Triggering demo session activation from selection...');
handleDemoVerification();
}
}, 2000);
}
// Open a modal payment window
if (typeof window.showPaymentModal === 'function') {
window.showPaymentModal(sessionType);
} else {
// Fallback - показываем информацию о сессии
// Fallback - show session information
console.log('Selected session type:', sessionType);
}
},
@@ -2704,18 +2490,44 @@
const [answerPassword, setAnswerPassword] = React.useState('');
// Pay-per-session state
const [sessionManager] = React.useState(() => new PayPerSessionManager());
const [sessionManager, setSessionManager] = React.useState(null);
const [showPaymentModal, setShowPaymentModal] = React.useState(false);
const [sessionTimeLeft, setSessionTimeLeft] = React.useState(0);
const [pendingSession, setPendingSession] = React.useState(null); // { type, preimage }
const [selectedSessionType, setSelectedSessionType] = React.useState(null); // 'demo', 'basic', 'premium'
// Глобальные функции для доступа к модальным окнам
// Initialize sessionManager after loading modules
React.useEffect(() => {
if (window.PayPerSessionManager && !sessionManager) {
console.log('💰 Initializing PayPerSessionManager...');
const newSessionManager = new window.PayPerSessionManager();
setSessionManager(newSessionManager);
window.sessionManager = newSessionManager;
console.log('✅ PayPerSessionManager initialized successfully');
}
}, [sessionManager]);
// Additional diagnostics for debugging
React.useEffect(() => {
if (sessionManager) {
console.log('🔍 SessionManager state changed:', {
hasActiveSession: sessionManager.hasActiveSession(),
timeLeft: sessionManager.getTimeLeft(),
currentSession: sessionManager.currentSession
});
}
}, [sessionManager]);
// Global functions for accessing modal windows
React.useEffect(() => {
if (!sessionManager) return;
window.showPaymentModal = (sessionType) => {
setShowPaymentModal(true);
// Передаем выбранный тип сессии в модальное окно
// Pass the selected session type to the modal window
if (sessionType) {
// Здесь можно добавить логику для предварительной настройки модального окна
console.log('Opening payment modal for session type:', sessionType);
}
};
@@ -2749,6 +2561,8 @@
// Session time ticker
React.useEffect(() => {
if (!sessionManager) return;
const timer = setInterval(() => {
if (sessionManager.hasActiveSession()) {
setSessionTimeLeft(sessionManager.getTimeLeft());
@@ -2761,6 +2575,8 @@
// Session expiration handler
React.useEffect(() => {
if (!sessionManager) return;
sessionManager.onSessionExpired = () => {
setMessages(prev => [...prev, {
message: '⏰ Session time expired. The connection will be terminated.',
@@ -2771,6 +2587,105 @@
setTimeout(() => handleDisconnect(), 3000);
};
}, [sessionManager]);
// Automatic activation of demo session after successful verification
React.useEffect(() => {
if (!sessionManager) return;
// Listen to demo session verification events
const handleDemoVerification = async () => {
try {
// Check if there is an active demo session
if (sessionManager.hasActiveSession()) {
console.log('✅ Demo session already active');
return;
}
// Diagnose sessionManager state
console.log('🔍 SessionManager state before activation:', {
hasActiveSession: sessionManager.hasActiveSession(),
timeLeft: sessionManager.getTimeLeft(),
currentSession: sessionManager.currentSession
});
console.log('⏳ Demo session verified, waiting for full connection before activation...');
window.pendingDemoActivation = true;
setTimeout(async () => {
if (window.pendingDemoActivation && sessionManager) {
console.log('🚀 Attempting to activate demo session automatically...');
let result = null;
console.log('🔄 Creating new demo session for activation...');
const demoSession = sessionManager.createDemoSessionForActivation();
console.log('🔍 Demo session creation result:', demoSession);
if (!demoSession.success) {
console.log('❌ Failed to create demo session:', demoSession.reason);
return;
}
console.log('✅ Demo session created successfully:', {
preimage: demoSession.preimage.substring(0, 16) + '...',
paymentHash: demoSession.paymentHash.substring(0, 16) + '...',
duration: demoSession.durationMinutes + ' minutes'
});
result = await sessionManager.safeActivateSession(
'demo',
demoSession.preimage,
demoSession.paymentHash
);
if (result && result.success) {
console.log('✅ Demo session activated automatically:', result);
setSessionTimeLeft(sessionManager.getTimeLeft());
setMessages(prev => [...prev, {
message: `🎮 Demo session activated for ${Math.round(result.timeLeft / 60000)} minutes`,
type: 'system',
id: Date.now(),
timestamp: Date.now()
}]);
console.log('🔍 SessionManager state after activation:', {
hasActiveSession: sessionManager.hasActiveSession(),
timeLeft: sessionManager.getTimeLeft(),
currentSession: sessionManager.currentSession
});
window.pendingDemoActivation = false;
} else {
console.log('❌ Failed to activate demo session automatically:', result?.reason || 'Unknown error');
console.log('🔍 SessionManager state after failed activation:', {
hasActiveSession: sessionManager.hasActiveSession(),
timeLeft: sessionManager.getTimeLeft(),
currentSession: sessionManager.currentSession
});
window.pendingDemoActivation = false;
}
}
}, 3000);
} catch (error) {
console.error('❌ Error activating demo session automatically:', error);
}
};
if (connectionStatus === 'connected' && isVerified) {
setTimeout(handleDemoVerification, 1000);
}
if (selectedSessionType === 'demo' && connectionStatus === 'connected' && isVerified) {
console.log('🎯 Demo session created, triggering automatic activation...');
setTimeout(handleDemoVerification, 1000);
}
}, [sessionManager, connectionStatus, isVerified, selectedSessionType]);
const chatMessagesRef = React.useRef(null);
// Scroll down function
@@ -2828,6 +2743,8 @@
setConnectionStatus(status);
if (status === 'connected') {
document.dispatchEvent(new CustomEvent('new-connection'));
setIsVerified(true);
setShowVerification(false);
updateSecurityLevel().catch(console.error);
@@ -2837,6 +2754,16 @@
} else if (status === 'connecting') {
updateSecurityLevel().catch(console.error);
} else if (status === 'disconnected') {
console.log('🔌 Connection disconnected - stopping session timer');
document.dispatchEvent(new CustomEvent('peer-disconnect'));
if (sessionManager && sessionManager.hasActiveSession()) {
sessionManager.resetSession();
setSessionTimeLeft(0);
setHasActiveSession(false);
}
// Complete UI reset on disconnect
setKeyFingerprint('');
setVerificationCode('');
@@ -2844,6 +2771,16 @@
setIsVerified(false);
setShowVerification(false);
} else if (status === 'peer_disconnected') {
console.log('🔌 Peer disconnected - stopping session timer');
document.dispatchEvent(new CustomEvent('peer-disconnect'));
if (sessionManager && sessionManager.hasActiveSession()) {
sessionManager.resetSession();
setSessionTimeLeft(0);
setHasActiveSession(false);
}
// A short delay before clearing to display the status
setTimeout(() => {
setKeyFingerprint('');
@@ -2918,17 +2855,76 @@
handleMessage('🚀 SecureBit.chat Enhanced Edition initialized. Ready to establish a secure connection with ECDH, encrypted exchange, and verification.', 'system');
// Cleanup on page unload
const handleBeforeUnload = () => {
const handleBeforeUnload = (event) => {
if (event.type === 'beforeunload' && !isTabSwitching) {
console.log('🔌 Page unloading (closing tab) - sending disconnect notification');
if (webrtcManagerRef.current && webrtcManagerRef.current.isConnected()) {
try {
webrtcManagerRef.current.sendSystemMessage({
type: 'peer_disconnect',
reason: 'user_disconnect',
timestamp: Date.now()
});
} catch (error) {
console.log('Could not send disconnect notification:', error.message);
}
setTimeout(() => {
if (webrtcManagerRef.current) {
webrtcManagerRef.current.disconnect();
}
}, 100);
} else if (webrtcManagerRef.current) {
webrtcManagerRef.current.disconnect();
}
} else if (isTabSwitching) {
console.log('📱 Tab switching detected - NOT disconnecting');
event.preventDefault();
event.returnValue = '';
}
};
window.addEventListener('beforeunload', handleBeforeUnload);
let isTabSwitching = false;
let tabSwitchTimeout = null;
const handleVisibilityChange = () => {
if (document.visibilityState === 'hidden') {
console.log('📱 Page hidden (tab switch) - keeping connection alive');
isTabSwitching = true;
if (tabSwitchTimeout) {
clearTimeout(tabSwitchTimeout);
}
tabSwitchTimeout = setTimeout(() => {
isTabSwitching = false;
}, 5000);
} else if (document.visibilityState === 'visible') {
console.log('📱 Page visible (tab restored) - connection maintained');
isTabSwitching = false;
if (tabSwitchTimeout) {
clearTimeout(tabSwitchTimeout);
tabSwitchTimeout = null;
}
}
};
document.addEventListener('visibilitychange', handleVisibilityChange);
return () => {
window.removeEventListener('beforeunload', handleBeforeUnload);
document.removeEventListener('visibilitychange', handleVisibilityChange);
if (tabSwitchTimeout) {
clearTimeout(tabSwitchTimeout);
tabSwitchTimeout = null;
}
if (webrtcManagerRef.current) {
console.log('🧹 Cleaning up WebRTC Manager...');
webrtcManagerRef.current.disconnect();
@@ -3222,15 +3218,51 @@
};
const handleSendMessage = async () => {
if (!messageInput.trim() || !webrtcManagerRef.current.isConnected()) {
console.log('🔍 handleSendMessage called:', {
messageInput: messageInput,
messageInputTrimmed: messageInput.trim(),
hasMessageInput: !!messageInput.trim(),
hasWebRTCManager: !!webrtcManagerRef.current,
isConnected: webrtcManagerRef.current?.isConnected(),
connectionStatus: connectionStatus,
isVerified: isVerified
});
if (!messageInput.trim()) {
console.log('❌ No message input to send');
return;
}
if (!webrtcManagerRef.current) {
console.log('❌ WebRTC Manager not available');
return;
}
if (!webrtcManagerRef.current.isConnected()) {
console.log('❌ WebRTC Manager not connected');
return;
}
try {
await webrtcManagerRef.current.sendSecureMessage(messageInput);
console.log('📤 Attempting to send message:', messageInput.substring(0, 100));
// Add the message to local messages immediately (sent message)
const sentMessage = {
message: messageInput.trim(),
type: 'sent',
id: Date.now() + Math.random(),
timestamp: Date.now()
};
setMessages(prev => [...prev, sentMessage]);
// Use sendMessage for simple text messages instead of sendSecureMessage
await webrtcManagerRef.current.sendMessage(messageInput);
console.log('✅ Message sent successfully');
setMessageInput('');
setTimeout(scrollToBottom, 50);
} catch (error) {
console.error('❌ Error sending message:', error);
setMessages(prev => [...prev, {
message: `❌ Sending error: ${error.message}`,
type: 'system',
@@ -3501,5 +3533,50 @@ if (typeof initializeApp === 'function') {
console.error('❌ Module loading error:', error);
}
</script>
<script>
window.forceUpdateHeader = (timeLeft, sessionType) => {
if (window.DEBUG_MODE) {
console.log('🎯 forceUpdateHeader called:', { timeLeft, sessionType });
}
document.dispatchEvent(new CustomEvent('force-header-update', {
detail: { timeLeft, sessionType }
}));
if (window.sessionManager && window.sessionManager.forceUpdateTimer) {
window.sessionManager.forceUpdateTimer();
}
};
window.updateSessionTimer = (timeLeft, sessionType) => {
if (window.DEBUG_MODE) {
console.log('🎯 updateSessionTimer called:', { timeLeft, sessionType });
}
document.dispatchEvent(new CustomEvent('session-timer-update', {
detail: { timeLeft, sessionType }
}));
};
document.addEventListener('session-activated', (event) => {
if (window.DEBUG_MODE) {
console.log('🎯 Session activation event received:', event.detail);
}
if (window.updateSessionTimer) {
window.updateSessionTimer(event.detail.timeLeft, event.detail.sessionType);
}
if (window.forceUpdateHeader) {
window.forceUpdateHeader(event.detail.timeLeft, event.detail.sessionType);
}
});
if (window.DEBUG_MODE) {
console.log('✅ Global timer management functions loaded');
}
</script>
</body>
</html>