Captive Ghost

# Expert User-End Security Portal
# Created by Michael Errington

require 'sinatra'
require 'sinatra/activerecord'
require 'bcrypt'
require 'logger'
require 'sqlite3'
require 'dotenv/load'
require 'rack/protection'
require 'rack/session/dalli'
require 'securerandom'
require 'openssl'
require 'rbnacl/libsodium'
require 'jwt'
require 'ipaddr'

# Configure SQLite as the database
configure do
set :database, {
    adapter: 'sqlite3',
    database: 'db/captive_portal.db'
}
end

# Define the User model with advanced security
class User < ActiveRecord::Base
validates :username, presence: true, uniqueness: true, format: {
    with: /\A[a-zA-Z0-9_]+\z/,
    message: 'can only contain letters, numbers, and underscores'
}
validates :password_hash, presence: true

def authenticate(password)
BCrypt::Password.new(self.password_hash) == password
end

def password = (new_password)
self.password_hash = BCrypt::Password.create(new_password)
end
end

# Configure advanced logging with log rotation
logger = Logger.new('log/captive_portal.log', 'weekly')
logger.level = Logger::INFO

# Configure security middleware
use Rack::Protection
use Rack::Session::Dalli, memcache_server: 'localhost:11211'

# Load settings
configure do
set :server_port, 4567
set :log_file, 'log/captive_portal.log'
set :session_timeout, 60 * 60 * 2 # 2 hours
set :min_password_length, 12
set :session_secret, ENV['SESSION_SECRET'] || SecureRandom.hex(64)
set :encryption_key, ENV['ENCRYPTION_KEY'] || SecureRandom.hex(32)
set :jwt_secret, ENV['JWT_SECRET'] || SecureRandom.hex(64)
end

# Main application
class CaptivePortalApp < Sinatra::Base
enable :sessions

get '/' do
erb :welcome
end

post '/login' do
username = params['username']
password = params['password']

user = User.find_by(username: username)

if user && user.authenticate(password)
# Encrypt the user ID with AES encryption
aes = OpenSSL::Cipher::AES.new(256, :CBC)
aes.encrypt
aes.key = settings.encryption_key
encrypted_user_id = aes.update(user.id.to_s) + aes.final

# Create a Fernet token for secure session management
token = RbNaCl::SimpleBox.from_secret_key(settings.encryption_key).encrypt(encrypted_user_id)

# Generate a JWT token with user information
jwt_payload = {
    user_id: user.id,
    username: user.username
}
jwt_token = JWT.encode(jwt_payload, settings.jwt_secret, 'HS256')

# Store IP address in the session for added security
session[:ip_address] = request.ip

session[:token] = token
session[:jwt_token] = jwt_token
logger.info("User '#{user.username
}' logged in from IP: #{request.ip
}.")
redirect '/welcome'
else
@error = 'Invalid credentials'
logger.warn("Failed login attempt for '#{username
}' from IP: #{request.ip
}.")
erb :welcome
end
end

get '/welcome' do
authenticate_user
erb :welcome
end

private

def authenticate_user
token = session[:token]
jwt_token = session[:jwt_token]
halt 401 unless token && jwt_token && request.ip == session[:ip_address]

# Decrypt the token and retrieve the user ID with Fernet and AES decryption
decrypted_user_id = RbNaCl::SimpleBox.from_secret_key(settings.encryption_key).decrypt(token)
aes = OpenSSL::Cipher::AES.new(256, :CBC)
aes.decrypt
aes.key = settings.encryption_key
user_id = aes.update(decrypted_user_id) + aes.final

# Verify JWT token and user ID
jwt_payload = JWT.decode(jwt_token, settings.jwt_secret, true, {
algorithm: 'HS256'
})[0]
halt 401 unless jwt_payload['user_id'] == user_id.to_i

session[:user_id] = user_id.to_i
end
end

# Run migrations for creating the users table
ActiveRecord::Migration.verbose = false

class CreateUsers < ActiveRecord::Migration[6.1]
def change
create_table :users do |table|
table.column :username, :string
table.column :password_hash, :string
end
end
end

CreateUsers.new.change

# Run the Sinatra application
CaptivePortalApp.run! if __FILE__ == $0