{"id":49711139,"url":"https://github.com/roastedbeans/certification-authority-next","last_synced_at":"2026-05-08T14:26:48.864Z","repository":{"id":272706808,"uuid":"917498202","full_name":"roastedbeans/certification-authority-next","owner":"roastedbeans","description":"Mydata simulation: Certification Authority Sector with Next.js","archived":false,"fork":false,"pushed_at":"2025-10-31T03:19:04.000Z","size":14983,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-31T05:31:42.954Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/roastedbeans.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-16T05:18:24.000Z","updated_at":"2025-10-31T03:19:08.000Z","dependencies_parsed_at":"2025-02-19T02:27:30.910Z","dependency_job_id":"5edc485b-92b6-4a2d-961b-9ada7915f832","html_url":"https://github.com/roastedbeans/certification-authority-next","commit_stats":null,"previous_names":["roastedbeans/certification-authority-next"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/roastedbeans/certification-authority-next","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roastedbeans%2Fcertification-authority-next","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roastedbeans%2Fcertification-authority-next/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roastedbeans%2Fcertification-authority-next/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roastedbeans%2Fcertification-authority-next/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/roastedbeans","download_url":"https://codeload.github.com/roastedbeans/certification-authority-next/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/roastedbeans%2Fcertification-authority-next/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32783952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"ssl_error","status_checked_at":"2026-05-08T08:22:45.650Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-08T14:26:47.969Z","updated_at":"2026-05-08T14:26:48.851Z","avatar_url":"https://github.com/roastedbeans.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MyData API Intrusion Detection System - Certification Authority\n\n## Overview\n\nThis repository implements the **Certification Authority** component of a comprehensive **MyData API Intrusion Detection System**. The system provides real-time security monitoring and threat detection for MyData ecosystem APIs through multiple detection algorithms and centralized authentication services.\n\n## System Architecture\n\nThe MyData ecosystem consists of three integrated components:\n\n- **šŸ” Certification Authority** (this system) - Central authentication and certificate management\n- **šŸ¦ Information Provider** - Bank API services for account information\n- **šŸ›ļø MyData Operator** - Bank API services for account information\n\nThe Certification Authority serves as the **security hub** that:\n\n- Issues OAuth 2.0 tokens for API authentication\n- Manages digital certificates for secure data exchange\n- Monitors all API traffic in real-time\n- Detects security threats using advanced algorithms\n- Provides comprehensive security analytics\n\n## šŸ›”ļø Intrusion Detection System Features\n\n### Multi-Algorithm Detection Engine\n\n1. **Signature-Based Detection**\n\n - Detects known attack patterns using regex matching\n - Covers SQL injection, XSS, XXE, command injection, directory traversal\n - Real-time pattern recognition with 50+ security signatures\n\n2. **Specification-Based Detection**\n\n - Validates API requests/responses against defined schemas\n - Uses Zod validation for strict type checking\n - Detects parameter tampering, unauthorized access, and data manipulation\n\n3. **Hybrid Detection**\n\n - Combines both detection methods for maximum coverage\n - Primary specification check, fallback to signature detection\n - Optimized for performance with intelligent layering\n\n4. **Rate Limiting Detection**\n - Dynamic client categorization (Premium, Standard, Restricted)\n - Sliding window algorithm for accurate rate monitoring\n - Endpoint-specific limits with DDoS protection\n\n### šŸ“Š Real-Time Security Dashboard\n\n- **Live Attack Monitoring** - Real-time threat visualization\n- **Detection Performance Metrics** - Accuracy, precision, recall analysis\n- **Confusion Matrix Analytics** - False positive/negative tracking\n- **API Logs Viewer** - Detailed request/response inspection\n- **Security Summary** - Attack statistics and trends\n\n## šŸš€ Quick Start\n\n### Prerequisites\n\n- Node.js 18+ and npm\n- PostgreSQL database\n- Docker (optional, for containerized deployment)\n\n### Installation\n\n1. **Clone and setup**\n\n ```bash\n cd certification-authority-next\n npm install\n ```\n\n2. **Database Configuration**\n\n ```bash\n # Setup environment variables\n cp .env.example .env\n\n # Run database migrations\n npx prisma migrate dev\n\n # Seed initial data\n npm run seedCA\n npm run seedOrg\n ```\n\n3. **Start the application**\n\n ```bash\n npm run dev\n ```\n\n Access the Security Dashboard at: `http://localhost:3000/security-dashboard`\n\n## šŸ”§ Detection System Usage\n\n### Running Detection Algorithms\n\n```bash\n# Signature-based detection\nnpm run signature\n\n# Specification-based detection\nnpm run specification\n\n# Hybrid detection (recommended)\nnpm run hybrid\n\n# Rate limiting detection\nnpm run ratelimit\n\n# Comprehensive analysis\nnpm run analysis\n```\n\n### Attack Simulation \u0026 Testing\n\n```bash\n# Simulate various attack scenarios\nnpx tsx scripts/simulations/simulate.ts\n\n# Generate attack traffic for testing\nnpx tsx scripts/simulations/simulate-invalid-flow.ts\n\n# Rate limit overflow simulation\nnpx tsx scripts/simulations/simulateRateOverflow.ts\n```\n\n## šŸ—ļø API Endpoints\n\n### Authentication Services\n\n- `POST /api/oauth/2.0/token` - OAuth token issuance\n- `POST /api/v2/mgmts/oauth/2.0/token` - Management token endpoint\n\n### Certificate Authority Services\n\n- `POST /api/ca/sign_request` - Certificate signing request (IA102)\n- `POST /api/ca/sign_result` - Certificate signing result (IA103)\n- `POST /api/ca/sign_verification` - Certificate verification (IA104)\n\n### Organization Management\n\n- `GET /api/v2/mgmts/orgs` - Organization listing and management\n\n## šŸ“ˆ Security Monitoring\n\n### Detection Performance Metrics\n\nThe system tracks comprehensive security metrics:\n\n- **Attack Detection Rate** - Percentage of attacks successfully identified\n- **False Positive Rate** - Legitimate requests incorrectly flagged\n- **Response Time** - Average detection processing time\n- **Threat Coverage** - Types of attacks detected\n\n### Supported Attack Types\n\n- SQL Injection variants\n- Cross-Site Scripting (XSS)\n- XML External Entity (XXE)\n- Command Injection\n- Directory Traversal\n- Session Hijacking\n- Rate Limiting Bypass\n- Parameter Tampering\n- Token Manipulation\n\n## šŸ” Configuration\n\n### Detection Algorithm Tuning\n\nModify detection parameters in:\n\n- `scripts/detection-algorithms/security-patterns.ts` - Signature patterns\n- `scripts/detection-algorithms/detectionSpecification.ts` - Schema validation rules\n- `scripts/detection-algorithms/slidingWindowRateLimit.ts` - Rate limiting configuration\n\n### Client Categories for Rate Limiting\n\n- **Premium Clients**: 30 requests/minute (prefix: `premium-`)\n- **Standard Clients**: 20 requests/minute (default)\n- **Restricted Clients**: 10 requests/minute (prefix: `restricted-`)\n\n## šŸ“ Project Structure\n\n```\ncertification-authority-next/\nā”œā”€ā”€ app/ # Next.js application\nā”‚ ā”œā”€ā”€ (routes)/security-dashboard/ # Security monitoring interface\nā”‚ ā”œā”€ā”€ _components/ # Security dashboard components\nā”‚ ā”œā”€ā”€ _actions/ # Server-side security actions\nā”‚ ā””ā”€ā”€ api/ # OAuth and CA API endpoints\nā”œā”€ā”€ scripts/ # Detection and simulation scripts\nā”‚ ā”œā”€ā”€ detection-algorithms/ # Core detection engines\nā”‚ ā”œā”€ā”€ simulations/ # Attack simulation tools\nā”‚ ā””ā”€ā”€ analysis/ # Security analytics\nā”œā”€ā”€ prisma/ # Database schema and migrations\nā””ā”€ā”€ utils/ # Security utilities\n```\n\n## šŸ³ Docker Deployment\n\n```bash\n# Build and run with Docker Compose\ndocker-compose up -d\n\n# Individual container build\ndocker build -t mydata-ca-security .\ndocker run -p 3000:3000 mydata-ca-security\n```\n\n## šŸ¤ Integration with MyData Ecosystem\n\nThis Certification Authority integrates with:\n\n- **Information Provider APIs** - Authenticates bank account information requests\n- **MyData Operator APIs** - Validates financial data exchange transactions\n- **External Security Systems** - Provides threat intelligence and incident response\n\n## šŸ“Š Security Analytics\n\nThe system generates detailed security reports including:\n\n- Attack trend analysis\n- Detection algorithm performance comparison\n- Client behavior analytics\n- API usage patterns and anomalies\n- Security incident timelines\n\n## šŸ› ļø Development\n\n### Adding New Detection Rules\n\n1. **Signature-based**: Add patterns to `security-patterns.ts`\n2. **Specification-based**: Update schemas in `detectionSpecification.ts`\n3. **Rate limiting**: Modify client categories in rate limit configuration\n\n### Testing Detection Algorithms\n\n```bash\n# Test individual algorithms\nnpm run signature\nnpm run specification\nnpm run hybrid\n\n# Performance benchmarking\nnpm run analysis\n```\n\n## šŸ“ License\n\nThis project is part of the MyData API security research initiative for developing specification-based intrusion detection systems for web APIs.\n\n---\n\n**Security Notice**: This system is designed for research and development of API security monitoring. Ensure proper configuration and testing before production deployment.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froastedbeans%2Fcertification-authority-next","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Froastedbeans%2Fcertification-authority-next","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Froastedbeans%2Fcertification-authority-next/lists"}